O365 Multiple Failed MFA Requests For User

Original Source: [splunk source]
Name:O365 Multiple Failed MFA Requests For User
id:fd22124e-dbac-4744-a8ce-be10d8ec3e26
version:4
date:2024-09-30
author:Mauricio Velazco, Splunk
status:production
type:TTP
Description:The following analytic identifies potential "MFA fatigue" attacks targeting Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. It leverages O365 management activity logs, focusing on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, and an ErrorNumber of 500121. This activity is significant as attackers may exploit MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation is crucial.
Data_source:
  • -O365 UserLoginFailed
search:`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121
| bucket span=10m _time
| stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time
| where mfa_prompts > 9
| `o365_multiple_failed_mfa_requests_for_user_filter`

how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives:Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.
References:
  -https://attack.mitre.org/techniques/T1621/
 drilldown_searches:
name:'View the detection results for - "$user$"'
search:'%original_detection_search% | search user = "$user$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$user$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Office 365 Account Takeover'
  asset_type:O365 Tenant
  confidence:80
  impact:60
  message:Multiple failed MFA requestes for $user$
  mitre_attack_id:
    - 'T1621'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  risk_score:48
  required_fields:
    - '_time'
    - 'Workload'
    - 'Operation'
    - 'ResultStatus'
    - 'ErrorNumber'
    - 'user'
    - 'LogonError'
    - 'signature'
  security_domain:identity

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log
  source: o365
  sourcetype: o365:management:activity
manual_test:None

Related Analytic Stories


Office 365 Account Takeover

© 2024 DetectionCode Website. All Rights Reserved.