Query Details

MFA Fatigue Attack - Push Bombing Followed by Silent Token Abuse

09 MFA Fatigue Silent Token Abuse

Query

let MFAFatigue =
    SigninLogs
    | where TimeGenerated > ago(4h)
    | where ResultType in (50074, 500121, 50076)  // MFA required, denied, interrupted
    | summarize
        MFAAttempts  = count(),
        FirstAttempt = min(TimeGenerated)
      by UserPrincipalName;
let MFASuccess =
    SigninLogs
    | where TimeGenerated > ago(4h)
    | where ResultType == 0
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | summarize MFASuccessTime = min(TimeGenerated), SuccessIP = tostring(make_set(IPAddress)[0])
      by UserPrincipalName;
MFAFatigue
| where MFAAttempts >= 8
| join kind=inner MFASuccess on UserPrincipalName
| where MFASuccessTime > FirstAttempt
| join kind=inner (
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(4h)
    | where ResultType == 0
    | summarize NI_Count = count(), NI_Countries = make_set(Location), NI_IPs = make_set(IPAddress)
      by UserPrincipalName
  ) on UserPrincipalName
| where NI_Count > 25
| project
    UserPrincipalName,
    MFAAttempts,
    FirstMFAPrompt   = FirstAttempt,
    MFASuccessTime,
    SuccessIP,
    NI_Count,
    NI_Countries
| order by MFAAttempts desc

Explanation

This query is designed to detect a specific type of cyberattack known as an "MFA Fatigue Attack" or "Push Bombing," followed by "Silent Token Abuse." Here's a simple breakdown of what the query does:

  1. Purpose: The query identifies instances where a user is bombarded with multiple failed Multi-Factor Authentication (MFA) prompts. This is a tactic used by attackers to annoy the user into approving an authentication request to stop the prompts. Once the attacker gains access, they use non-interactive tokens to access the system without further user interaction.

  2. Data Sources: The query uses data from Azure Active Directory, specifically looking at logs related to user sign-ins and non-interactive sign-ins.

  3. Detection Logic:

    • It first identifies users who have received at least 8 failed MFA prompts within the last 4 hours.
    • It then checks if the user eventually approved an MFA request (successful MFA) after these failed attempts.
    • After a successful MFA, it looks for a high number (more than 25) of non-interactive sign-ins from the same user, indicating potential misuse of tokens.
  4. Output: The query outputs details such as the user's name, the number of MFA attempts, the time of the first MFA prompt, the time of successful MFA, the IP address used for the successful MFA, the number of non-interactive sign-ins, and the countries from which these sign-ins originated.

  5. Alerting: If the pattern is detected, an alert is generated with details about the attack, including the number of MFA prompts and non-interactive sign-ins. This alert can be used to create an incident for further investigation.

  6. Severity and Tactics: The attack is classified as high severity and is associated with tactics like Credential Access and Defense Evasion, aligning with specific MITRE ATT&CK techniques.

Overall, this query helps security teams identify and respond to potential MFA fatigue attacks, which are a common method used by certain cybercriminal groups to gain unauthorized access to systems.

Details

David Alonso profile picture

David Alonso

Released: July 16, 2026

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

MFAFatigueAttackPushBombingSilentTokenAbuseUserSigninLogsAADNonInteractiveSignInIPAddressLocationAccountFullName

Operators

letwhereinsummarizecountminbyjoinkindonprojectorder bydescagotostringmake_set

Severity

High

Tactics

CredentialAccessDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 4h

Actions

GitHub