Multifactor Authentication Denied

Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1078.004 attack.t1110 attack.t1621 ·

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Sigma rule (View on GitHub)

 1title: Multifactor Authentication Denied
 2id: e40f4962-b02b-4192-9bfe-245f7ece1f99
 3status: test
 4description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
 5references:
 6    - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
 7author: AlertIQ
 8date: 2022-03-24
 9tags:
10    - attack.initial-access
11    - attack.credential-access
12    - attack.t1078.004
13    - attack.t1110
14    - attack.t1621
15logsource:
16    product: azure
17    service: signinlogs
18detection:
19    selection:
20        AuthenticationRequirement: 'multiFactorAuthentication'
21        Status|contains: 'MFA Denied'
22    condition: selection
23falsepositives:
24    - Users actually login but miss-click into the Deny button when MFA prompt.
25level: medium

References

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Read More

Multifactor Authentication Denied

Sigma rule (View on GitHub)

References

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Related rules