Query Details

MFA Fatigue Attack Followed by ADFS Federation Pivot

19 ADFS MFA Fatigue Federation Pivot

Query

let MFAFatigue =
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType in (50074, 500121, 50076)
    | summarize
        MFAAttempts  = count(),
        FirstAttempt = min(TimeGenerated)
      by UserPrincipalName;
let MFASuccess =
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | summarize MFASuccessTime = min(TimeGenerated)
      by UserPrincipalName;
MFAFatigue
| where MFAAttempts >= 3
| join kind=inner MFASuccess on UserPrincipalName
| where MFASuccessTime > FirstAttempt
| join kind=inner (
    ADFSSignInLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | summarize
        ADFS_Count     = count(),
        ADFS_Countries = make_set(Location),
        ADFS_IPs       = make_set(IPAddress)
      by UserPrincipalName
  ) on UserPrincipalName
| where ADFS_Count > 5
| project
    UserPrincipalName,
    MFAAttempts,
    FirstMFAPrompt = FirstAttempt,
    MFASuccessTime,
    ADFS_Count,
    ADFS_Countries,
    ADFS_IPs
| order by MFAAttempts desc

Explanation

This query is designed to detect a specific type of cyber attack known as the "MFA fatigue followed by ADFS federation pivot." Here's a simple breakdown of what it does:

  1. Purpose: The query identifies a potential attack where a user is overwhelmed with multiple Multi-Factor Authentication (MFA) prompts (MFA fatigue) and eventually approves one. The attacker then uses this approved session to access resources through ADFS (Active Directory Federation Services).

  2. Data Sources: It uses logs from Azure Active Directory, specifically the SigninLogs and ADFSSignInLogs.

  3. Detection Logic:

    • It first identifies users who have received 3 or more MFA prompts within a day.
    • It checks if any of these prompts were eventually approved (successful MFA).
    • It then looks for subsequent sign-ins to ADFS-federated resources by the same user within the same session window.
    • It flags cases where there are more than 5 successful ADFS sign-ins, indicating a possible attack.
  4. Alert Details:

    • If such activity is detected, an alert is generated with details like the user's name, number of MFA attempts, and details of the ADFS sign-ins (such as locations and IP addresses).
    • The alert is marked with high severity due to the potential risk involved.
  5. Incident Management:

    • The system is set to automatically create an incident if this pattern is detected.
    • It groups related alerts to manage incidents effectively.

Overall, this query helps in identifying and alerting security teams about potential unauthorized access attempts that exploit user fatigue in responding to MFA prompts, followed by unauthorized access to federated resources.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

SigninLogsADFSSignInLogs

Keywords

MFAADFSUserAccountAuthenticationSessionResourcesFederationLogsIPAddressLocationTimeGenerated

Operators

let|where>ago()in()summarize=count()min()by==joinkind=innermake_set()onprojectorder bydesc

Severity

High

Tactics

CredentialAccessInitialAccessDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub