MFA Fatigue Attack - Push Bombing Followed by Silent Token Abuse
09 MFA Fatigue Silent Token Abuse
Query
let MFAFatigue =
SigninLogs
| where TimeGenerated > ago(4h)
| where ResultType in (50074, 500121, 50076) // MFA required, denied, interrupted
| summarize
MFAAttempts = count(),
FirstAttempt = min(TimeGenerated)
by UserPrincipalName;
let MFASuccess =
SigninLogs
| where TimeGenerated > ago(4h)
| where ResultType == 0
| where AuthenticationRequirement == "multiFactorAuthentication"
| summarize MFASuccessTime = min(TimeGenerated), SuccessIP = tostring(make_set(IPAddress)[0])
by UserPrincipalName;
MFAFatigue
| where MFAAttempts >= 3
| join kind=inner MFASuccess on UserPrincipalName
| where MFASuccessTime > FirstAttempt
| join kind=inner (
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(4h)
| where ResultType == 0
| summarize NI_Count = count(), NI_Countries = make_set(Location), NI_IPs = make_set(IPAddress)
by UserPrincipalName
) on UserPrincipalName
| where NI_Count > 10
| project
UserPrincipalName,
MFAAttempts,
FirstMFAPrompt = FirstAttempt,
MFASuccessTime,
SuccessIP,
NI_Count,
NI_Countries
| order by MFAAttempts descExplanation
This query is designed to detect a specific type of cyberattack known as an "MFA Fatigue Attack" or "Push Bombing," followed by "Silent Token Abuse." Here's a simplified explanation of what the query does:
-
Purpose: The query aims to identify situations where a user is bombarded with multiple Multi-Factor Authentication (MFA) prompts (often to the point of annoyance or fatigue), leading them to eventually approve one. After this approval, the attacker uses the session to perform numerous non-interactive sign-ins, which are typically automated and do not require user interaction.
-
Data Sources: It uses data from Azure Active Directory, specifically looking at logs related to user sign-ins and non-interactive sign-ins.
-
Detection Logic:
- MFA Attempts: It first identifies users who have received at least three failed MFA prompts within the last four hours.
- MFA Success: It then checks if these users eventually had a successful MFA sign-in.
- Non-Interactive Sign-Ins: After a successful MFA, it looks for users who have more than ten non-interactive sign-ins from different locations or IPs within the same timeframe.
-
Alert Generation: If the above conditions are met, the query generates an alert indicating a potential MFA fatigue attack. The alert includes details such as the number of MFA attempts, the time of the first MFA prompt, the time of successful MFA, the IP address used for the successful sign-in, and the number of non-interactive sign-ins.
-
Severity and Response: The alert is marked with high severity, and an incident is created for further investigation. The system is configured to group related alerts by user account to streamline incident management.
-
MITRE ATT&CK Framework: The query references specific techniques from the MITRE ATT&CK framework, which is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
In summary, this query is a security measure to detect and alert on suspicious patterns of MFA usage that could indicate an attack, helping organizations to respond quickly to potential security breaches.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 4h