MFA Fatigue Attack Followed by ADFS Federation Pivot
19 ADFS MFA Fatigue Federation Pivot
Query
let MFAFatigue =
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType in (50074, 500121, 50076)
| summarize
MFAAttempts = count(),
FirstAttempt = min(TimeGenerated)
by UserPrincipalName;
let MFASuccess =
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where AuthenticationRequirement == "multiFactorAuthentication"
| summarize MFASuccessTime = min(TimeGenerated)
by UserPrincipalName;
MFAFatigue
| where MFAAttempts >= 3
| join kind=inner MFASuccess on UserPrincipalName
| where MFASuccessTime > FirstAttempt
| join kind=inner (
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| summarize
ADFS_Count = count(),
ADFS_Countries = make_set(Location),
ADFS_IPs = make_set(IPAddress)
by UserPrincipalName
) on UserPrincipalName
| where ADFS_Count > 5
| project
UserPrincipalName,
MFAAttempts,
FirstMFAPrompt = FirstAttempt,
MFASuccessTime,
ADFS_Count,
ADFS_Countries,
ADFS_IPs
| order by MFAAttempts descExplanation
This query is designed to detect a specific type of cyber attack known as the "MFA fatigue followed by ADFS federation pivot." Here's a simple breakdown of what it does:
-
Purpose: The query identifies a potential attack where a user is overwhelmed with multiple Multi-Factor Authentication (MFA) prompts (MFA fatigue) and eventually approves one. The attacker then uses this approved session to access resources through ADFS (Active Directory Federation Services).
-
Data Sources: It uses logs from Azure Active Directory, specifically the SigninLogs and ADFSSignInLogs.
-
Detection Logic:
- It first identifies users who have received 3 or more MFA prompts within a day.
- It checks if any of these prompts were eventually approved (successful MFA).
- It then looks for subsequent sign-ins to ADFS-federated resources by the same user within the same session window.
- It flags cases where there are more than 5 successful ADFS sign-ins, indicating a possible attack.
-
Alert Details:
- If such activity is detected, an alert is generated with details like the user's name, number of MFA attempts, and details of the ADFS sign-ins (such as locations and IP addresses).
- The alert is marked with high severity due to the potential risk involved.
-
Incident Management:
- The system is set to automatically create an incident if this pattern is detected.
- It groups related alerts to manage incidents effectively.
Overall, this query helps in identifying and alerting security teams about potential unauthorized access attempts that exploit user fatigue in responding to MFA prompts, followed by unauthorized access to federated resources.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d