Query Details

MFA Fatigue Attack - Push Bombing Followed by Silent Token Abuse

09 MFA Fatigue Silent Token Abuse

Query

let MFAFatigue =
    SigninLogs
    | where TimeGenerated > ago(4h)
    | where ResultType in (50074, 500121, 50076)  // MFA required, denied, interrupted
    | summarize
        MFAAttempts  = count(),
        FirstAttempt = min(TimeGenerated)
      by UserPrincipalName;
let MFASuccess =
    SigninLogs
    | where TimeGenerated > ago(4h)
    | where ResultType == 0
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | summarize MFASuccessTime = min(TimeGenerated), SuccessIP = tostring(make_set(IPAddress)[0])
      by UserPrincipalName;
MFAFatigue
| where MFAAttempts >= 3
| join kind=inner MFASuccess on UserPrincipalName
| where MFASuccessTime > FirstAttempt
| join kind=inner (
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(4h)
    | where ResultType == 0
    | summarize NI_Count = count(), NI_Countries = make_set(Location), NI_IPs = make_set(IPAddress)
      by UserPrincipalName
  ) on UserPrincipalName
| where NI_Count > 10
| project
    UserPrincipalName,
    MFAAttempts,
    FirstMFAPrompt   = FirstAttempt,
    MFASuccessTime,
    SuccessIP,
    NI_Count,
    NI_Countries
| order by MFAAttempts desc

Explanation

This query is designed to detect a specific type of cyberattack known as an "MFA Fatigue Attack" or "Push Bombing," followed by "Silent Token Abuse." Here's a simplified explanation of what the query does:

  1. Purpose: The query aims to identify situations where a user is bombarded with multiple Multi-Factor Authentication (MFA) prompts (often to the point of annoyance or fatigue), leading them to eventually approve one. After this approval, the attacker uses the session to perform numerous non-interactive sign-ins, which are typically automated and do not require user interaction.

  2. Data Sources: It uses data from Azure Active Directory, specifically looking at logs related to user sign-ins and non-interactive sign-ins.

  3. Detection Logic:

    • MFA Attempts: It first identifies users who have received at least three failed MFA prompts within the last four hours.
    • MFA Success: It then checks if these users eventually had a successful MFA sign-in.
    • Non-Interactive Sign-Ins: After a successful MFA, it looks for users who have more than ten non-interactive sign-ins from different locations or IPs within the same timeframe.
  4. Alert Generation: If the above conditions are met, the query generates an alert indicating a potential MFA fatigue attack. The alert includes details such as the number of MFA attempts, the time of the first MFA prompt, the time of successful MFA, the IP address used for the successful sign-in, and the number of non-interactive sign-ins.

  5. Severity and Response: The alert is marked with high severity, and an incident is created for further investigation. The system is configured to group related alerts by user account to streamline incident management.

  6. MITRE ATT&CK Framework: The query references specific techniques from the MITRE ATT&CK framework, which is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

In summary, this query is a security measure to detect and alert on suspicious patterns of MFA usage that could indicate an attack, helping organizations to respond quickly to potential security breaches.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

SigninLogsAADNonInteractiveUserSignInLogsUserPrincipalNameIPAddressLocationMFAAttemptsMFAFatigueMFASuccessTimeSuccessIPNI_CountNI_Countries

Operators

letinsummarizebywhereagojoinkindonprojectorderdescmincountmake_settostring

Severity

High

Tactics

CredentialAccessDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 4h

Actions

GitHub