Multifactor Authentication Denied
User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
Sigma rule (View on GitHub)
1title: Multifactor Authentication Denied
2id: e40f4962-b02b-4192-9bfe-245f7ece1f99
3status: test
4description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
5references:
6 - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
7author: AlertIQ
8date: 2022-03-24
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.initial-access
14 - attack.credential-access
15 - attack.t1078.004
16 - attack.t1110
17 - attack.t1621
18logsource:
19 product: azure
20 service: signinlogs
21detection:
22 selection:
23 AuthenticationRequirement: 'multiFactorAuthentication'
24 Status|contains: 'MFA Denied'
25 condition: selection
26falsepositives:
27 - Users actually login but miss-click into the Deny button when MFA prompt.
28level: medium
References
Related rules
- Multifactor Authentication Interrupted
- Bitbucket User Login Failure
- Failed Authentications From Countries You Do Not Operate Out Of
- Potential MFA Bypass Using Legacy Client Authentication
- Sign-in Failure Due to Conditional Access Requirements Not Met