Multifactor Authentication Denied
User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
Sigma rule (View on GitHub)
1title: Multifactor Authentication Denied
2id: e40f4962-b02b-4192-9bfe-245f7ece1f99
3status: test
4description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
5references:
6 - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
7author: AlertIQ
8date: 2022/03/24
9tags:
10 - attack.initial_access
11 - attack.credential_access
12 - attack.t1078.004
13 - attack.t1110
14 - attack.t1621
15logsource:
16 product: azure
17 service: signinlogs
18detection:
19 selection:
20 AuthenticationRequirement: 'multiFactorAuthentication'
21 Status|contains: 'MFA Denied'
22 condition: selection
23falsepositives:
24 - Users actually login but miss-click into the Deny button when MFA prompt.
25level: medium
References
Related rules
- User Access Blocked by Azure Conditional Access
- Hack Tool User Agent
- External Remote Service Logon from Public IP
- Account Lockout
- Login to Disabled Account