GCP Multiple Failed MFA Requests For User

name: GCP Multiple Failed MFA Requests For User
id: cbb3cb84-c06f-4393-adcc-5cb6195621f1
version: 10
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic detects multiple failed multi-factor authentication (MFA) requests for a single user within a Google Cloud Platform (GCP) tenant. It triggers when 10 or more MFA prompts fail within a 5-minute window, using Google Workspace login failure events. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise accounts and potentially escalate privileges within the GCP environment.
data_source:
    - Google Workspace
search: |-
    `gws_reports_login` event.name=login_failure `gws_login_mfa_methods`
      | bucket span=5m _time
      | stats dc(_raw) AS mfa_prompts values(user) AS user
        BY src_ip, login_challenge_method, _time
      | where mfa_prompts >= 10
      | `gcp_multiple_failed_mfa_requests_for_user_filter`
how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events.
known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.
references:
    - https://www.mandiant.com/resources/blog/russian-targeting-gov-business
    - https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/
    - https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/
    - https://attack.mitre.org/techniques/T1621/
    - https://attack.mitre.org/techniques/T1078/004/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Multiple Failed MFA requests for user $user$
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects:
        - field: src_ip
          type: ip_address
tags:
    analytic_story:
        - GCP Account Takeover
        - Scattered Lapsus$ Hunters
    asset_type: Google Cloud Platform tenant
    mitre_attack_id:
        - T1078.004
        - T1586.003
        - T1621
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log
          source: gws:reports:login
          sourcetype: gws:reports:login