MFA Fatigue Attack - Push Bombing Followed by Silent Token Abuse
09 MFA Fatigue Silent Token Abuse
Query
let MFAFatigue =
SigninLogs
| where TimeGenerated > ago(4h)
| where ResultType in (50074, 500121, 50076) // MFA required, denied, interrupted
| summarize
MFAAttempts = count(),
FirstAttempt = min(TimeGenerated)
by UserPrincipalName;
let MFASuccess =
SigninLogs
| where TimeGenerated > ago(4h)
| where ResultType == 0
| where AuthenticationRequirement == "multiFactorAuthentication"
| summarize MFASuccessTime = min(TimeGenerated), SuccessIP = tostring(make_set(IPAddress)[0])
by UserPrincipalName;
MFAFatigue
| where MFAAttempts >= 8
| join kind=inner MFASuccess on UserPrincipalName
| where MFASuccessTime > FirstAttempt
| join kind=inner (
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(4h)
| where ResultType == 0
| summarize NI_Count = count(), NI_Countries = make_set(Location), NI_IPs = make_set(IPAddress)
by UserPrincipalName
) on UserPrincipalName
| where NI_Count > 25
| project
UserPrincipalName,
MFAAttempts,
FirstMFAPrompt = FirstAttempt,
MFASuccessTime,
SuccessIP,
NI_Count,
NI_Countries
| order by MFAAttempts descExplanation
This query is designed to detect a specific type of cyberattack known as an "MFA Fatigue Attack" or "Push Bombing," followed by "Silent Token Abuse." Here's a simple breakdown of what the query does:
-
Purpose: The query identifies instances where a user is bombarded with multiple failed Multi-Factor Authentication (MFA) prompts. This is a tactic used by attackers to annoy the user into approving an authentication request to stop the prompts. Once the attacker gains access, they use non-interactive tokens to access the system without further user interaction.
-
Data Sources: The query uses data from Azure Active Directory, specifically looking at logs related to user sign-ins and non-interactive sign-ins.
-
Detection Logic:
- It first identifies users who have received at least 8 failed MFA prompts within the last 4 hours.
- It then checks if the user eventually approved an MFA request (successful MFA) after these failed attempts.
- After a successful MFA, it looks for a high number (more than 25) of non-interactive sign-ins from the same user, indicating potential misuse of tokens.
-
Output: The query outputs details such as the user's name, the number of MFA attempts, the time of the first MFA prompt, the time of successful MFA, the IP address used for the successful MFA, the number of non-interactive sign-ins, and the countries from which these sign-ins originated.
-
Alerting: If the pattern is detected, an alert is generated with details about the attack, including the number of MFA prompts and non-interactive sign-ins. This alert can be used to create an incident for further investigation.
-
Severity and Tactics: The attack is classified as high severity and is associated with tactics like Credential Access and Defense Evasion, aligning with specific MITRE ATT&CK techniques.
Overall, this query helps security teams identify and respond to potential MFA fatigue attacks, which are a common method used by certain cybercriminal groups to gain unauthorized access to systems.
Details

David Alonso
Released: July 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 4h