Multifactor Authentication Denied

Oct 12, 2023 · attack.initial_access attack.credential_access attack.t1078.004 attack.t1110 attack.t1621 ·

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Sigma rule (View on GitHub)

 1title: Multifactor Authentication Denied
 2id: e40f4962-b02b-4192-9bfe-245f7ece1f99
 3status: test
 4description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
 5references:
 6    - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
 7author: AlertIQ
 8date: 2022/03/24
 9tags:
10    - attack.initial_access
11    - attack.credential_access
12    - attack.t1078.004
13    - attack.t1110
14    - attack.t1621
15logsource:
16    product: azure
17    service: signinlogs
18detection:
19    selection:
20        AuthenticationRequirement: 'multiFactorAuthentication'
21        Status|contains: 'MFA Denied'
22    condition: selection
23falsepositives:
24    - Users actually login but miss-click into the Deny button when MFA prompt.
25level: medium

References

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Read More

Multifactor Authentication Denied

Sigma rule (View on GitHub)

References

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

Related rules