Fundamentals
T1110.004, T1621MFA Fatigue
How attackers exploit push-based MFA through fatigue attacks — why push bombing works, what the user sees, how to detect it in Azure AD sign-in logs, and how to prevent and respond when MFA fatigue succeeds.
View on Graph
What MFA Fatigue Is and Why Push Bombing Works
MFA fatigue (or push bombing) is an attack where an adversary with valid credentials bombards the target user with multi-factor authentication push requests — typically via phone notification, SMS, or voice call — until the user approves one, either by accident, to stop the notifications, or because they mistakenly believe it is legitimate.
The attack requires only two things: the user’s valid password (obtained via credential stuffing, phishing, or a prior breach) and the user’s phone number or authenticator registration. The MFA app does the rest — the attacker just keeps clicking “send push” until the user breaks.
MITRE ATT&CK maps this to T1110.004 (Credential Stuffing) and T1621 (Multi-Factor Authentication Request Generation).
Why It Works
| Factor | Explanation |
|---|---|
| Notification fatigue | Users receiving 10+ push notifications in rapid succession will eventually approve one just to make the alerts stop, especially during meetings or after hours. |
| Legitimate-looking prompts | The push notification looks exactly like a real MFA prompt — because it is one. There is no visual difference between a legitimate prompt and an attacker-initiated one. |
| No context in standard pushes | Older MFA push notifications (without number matching) simply say “Approve sign-in?” with no indication of the location, device, or application requesting authentication. |
| SSPR abuse | If self-service password reset (SSPR) is configured to use the same MFA method, attackers can trigger MFA pushes by initiating password resets — no credential compromise required. |
The technique rose to global prominence in the September 2022 Uber breach, where the Lapsus$ group compromised an external contractor by flooding them with MFA push requests for over an hour until the contractor accepted one, accompanied by a WhatsApp message claiming to be from Uber IT.
Detection — Finding MFA Fatigue in Azure AD / Microsoft Entra ID Logs
MFA fatigue attacks leave clear forensic traces. The challenge is that a single successful MFA approval looks identical to a legitimate login. The detection lies in the pattern — not the individual event.
Key Azure AD Sign-In Log Fields
The SignInLogs table in Azure Log Analytics is the primary detection source. Key fields:
| Field | What It Tells You |
|---|---|
UserPrincipalName | Which user was targeted |
AppDisplayName | Which application was being accessed (usually Azure Portal, Office 365, or a VPN app) |
IPAddress | Source IP of the authentication attempt. Compare to user’s typical IP geolocation. |
ClientAppUsed | Browser, mobile app, or legacy auth. Legacy auth + MFA fatigue = high confidence compromise. |
AuthenticationRequirement | multiFactorAuthentication indicates MFA was enforced |
Status | Success (user approved) or Failure (user denied or timed out) |
MfaDetail | Which MFA method was used (push notification, SMS, voice call) |
DeviceDetail | Browser/OS info — attacker’s device fingerprint often differs from the user’s |
RiskLevelAggregated | Azure AD Identity Protection risk score (low/medium/high) |
RiskEventTypes | Specific risk detections (atypical travel, anonymous IP, unfamiliar properties) |
Detection Queries
KQL — Detect MFA Fatigue (Multiple Failed + One Success)
// Find users who had many MFA-denied sign-ins followed by a successful one
SigninLogs
| where TimeGenerated > ago(1h)
| where AuthenticationRequirement == "multiFactorAuthentication"
| summarize
FailedAttempts = countif(Status != "Success"),
SuccessfulAttempts = countif(Status == "Success"),
IPAddresses = make_set(IPAddress),
Locations = make_set(Location)
by UserPrincipalName, bin(TimeGenerated, 1m)
| where FailedAttempts >= 5 and SuccessfulAttempts >= 1
| project UserPrincipalName, FailedAttempts, SuccessfulAttempts, IPAddresses, LocationsThis query finds users who received 5+ MFA push denials within a 1-minute window followed by at least one success — the classic MFA fatigue pattern.
KQL — Detect MFA from Unfamiliar Location
SigninLogs
| where TimeGenerated > ago(6h)
| where AuthenticationRequirement == "multiFactorAuthentication"
| where Status == "Success"
| where IPAddress !in (
SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName == "targetuser@domain.com"
| project IPAddress
| distinct IPAddress
)
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, DeviceDetailKQL — Identify SSPR-Based MFA Fatigue
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Self-service password reset"
| where Result == "Success"
| summarize ResetCount = count() by UserPrincipalName, bin(TimeGenerated, 5m)
| where ResetCount >= 3Windows Security Event IDs for MFA-Related Detection
MFA events themselves are logged by the identity provider (Azure AD, Duo, Okta). However, once the attacker gains access, Windows Event Logs on the target endpoint catch the aftermath:
| Event ID | Source | What to Look For |
|---|---|---|
| 4648 | Windows Security | A logon was attempted using explicit credentials. After MFA fatigue success, the attacker may use runas or scheduled tasks to move laterally. |
| 4624 | Windows Security | Successful logon from the attacker’s session. Compare LogonType and source IP. |
| 4625 | Windows Security | Failed logon attempts — the initial credential stuffing phase that preceded the MFA attack. |
| 4688 | Windows Security | Process creation — after MFA approval, look for unusual processes (powershell.exe -EncodedCommand, rundll32.exe with suspicious DLLs). |
| 1001 | Windows Error Reporting (EDR) | Behavioral detections triggered after the attacker gains access. |
| 8004 | AAD STS (Azure AD) | MFA failure from unknown device. Compare to the user’s registered devices. |
Duo / Okta Detection Patterns
Duo — Logs every push notification, including device platform, location, and whether the push was approved or denied. Key signal: multiple denied pushes followed by an approval from an unfamiliar device or location.
Okta — System Log events policy.evaluate_sign_on and user.authentication.authenticate with factorResult=CHALLENGE (MFA required). High count of DENY results followed by ALLOW from a new IP is the pattern.
Prevention — Stopping MFA Fatigue Before It Starts
| Control | How It Helps | Implementation |
|---|---|---|
| Number matching | Users must enter a number displayed on the login screen into their authenticator app. A push alone is never sufficient. | Enable in Microsoft Entra ID: Authentication methods > Microsoft Authenticator > Require number matching. |
| Geolocation blocking | Block MFA pushes from countries where your org has no presence. | Conditional Access policy per location. |
| Compliant device requirement | Require the device to be Intune-compliant or domain-joined before MFA push is accepted. | Conditional Access: Require device to be marked as compliant. |
| Token Protection / Conditional Access | Bind authentication sessions to specific devices. Replay from another device or location is rejected. | Enable Token Protection for Microsoft Entra ID. |
| Reduced push lifetime | Shorten the MFA push timeout so the attacker has less time to flood. | Configure MFA session lifetime. Default is 90 seconds. Consider reducing to 30 seconds. |
| Passwordless MFA | Replaces password + push with biometric or FIDO2 — no password to steal means no credential stuffing. | Windows Hello for Business, FIDO2 security keys, passkeys. |
| User education | Train users: if you receive unexpected MFA pushes, always DENY and report to IT immediately — even if you receive 20 in a row. | Security awareness training, simulated MFA fatigue drills. |
Response — When MFA Fatigue Succeeds
If a user confirms they approved an unexpected MFA push (or the detection query above fires), execute the following steps immediately:
- Force password reset for the affected user. Do not allow the same password.
- Invalidate all current sessions — revoke refresh tokens and session cookies in Entra ID.
- Review sign-in logs for the past 24–72 hours. The attacker may have accessed multiple applications.
- Check mailbox rules — attackers often create forwarding rules or inbox rules to hide activity (look for
New-InboxRulein Exchange admin audit logs). - Audit Azure AD / Okta / Duo logs for privileged role changes, application registrations, or service principal modifications.
- Review EDR telemetry on the user’s endpoint for processes spawned after the login session — the attacker may have deployed persistence.
- Report to CISA if the organization is in a critical infrastructure sector (see CISA Alert AA22-074A).
Walkthrough — A Realistic MFA Fatigue Incident
Scenario: A mid-sized law firm uses Microsoft Authenticator push notifications for MFA. An attacker obtains the CFO’s password from a credential stuffing site.
| Step | What Happens | Detection Signal |
|---|---|---|
| 1. Recon | Attacker runs password spray against the firm’s Office 365 login page. Hits the CFO’s account after 5 attempts. | 4625 events in Azure AD: 5 failed logins, then 4624 success with a second factor required. |
| 2. Push bombing | Attacker initiates 20 MFA push requests to the CFO’s phone in 3 minutes. The CFO is in a meeting, phone buzzing constantly. | Azure AD SignInLogs: 19 failure (user denied or timed out), then 1 success after 2 minutes. |
| 3. Access gained | CFO hits “Approve” to stop the buzzing. Attacker now has a session token for Office 365. | Azure AD sign-in log: successful MFA from Russian Federation (the attacker’s VPN exit node). |
| 4. Recon post-access | Attacker browses SharePoint, reads emails, and creates an inbox rule to auto-forward emails about financial transactions. | Exchange admin audit log: New-InboxRule "Forward" created from CFO’s account. |
| 5. Data exfiltration | Attacker downloads 500 documents from SharePoint and OneDrive over 2 hours. | SharePoint audit log: bulk FileDownloaded events from a single IP. |
Related
- MITRE ATT&CK for Triage — covers the mitre att&ck for triage concepts
- Credential Stuffing — detection and response for T1110 techniques
- Azure Sentinel — detection and response for T1654 techniques
- Sigma Rules — detection and response for T1059, T1110 techniques
- Active Directory Basics — covers the active directory basics concepts