EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Azure AD Multiple Denied MFA Requests For User

The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 and additional details indicating "MFA denied; user declined the authentication." This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.

MITRE ATT&CK

T1621

Detection Query

`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
  | rename properties.* as *
  | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication"
  | bucket span=10m _time
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user_agent) as user_agent values(src) as src
    BY user status.additionalDetails vendor_account
       vendor_product signature _time
  | where count > 9
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_multiple_denied_mfa_requests_for_user_filter`

Author

Mauricio Velazco, Splunk

Created

2026-03-10

Data Sources

Azure Active Directory Sign-in activity

References

Tags

Azure Active Directory Account Takeover
Raw Content
name: Azure AD Multiple Denied MFA Requests For User
id: d0895c20-de71-4fd2-b56c-3fcdb888eba1
version: 11
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
    - Azure Active Directory Sign-in activity
description: The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 and additional details indicating "MFA denied; user declined the authentication." This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.
search: |-
    `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
      | rename properties.* as *
      | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication"
      | bucket span=10m _time
      | rename userAgent as user_agent
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user_agent) as user_agent values(src) as src
        BY user status.additionalDetails vendor_account
           vendor_product signature _time
      | where count > 9
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `azure_ad_multiple_denied_mfa_requests_for_user_filter`
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
known_false_positives: Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed.
references:
    - https://www.mandiant.com/resources/blog/russian-targeting-gov-business
    - https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/
    - https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/
    - https://attack.mitre.org/techniques/T1621/
    - https://attack.mitre.org/techniques/T1078/004/
    - https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: User $user$ denied more than 9 MFA requests in a timespan of 10 minutes.
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Azure Active Directory Account Takeover
    asset_type: Azure Active Directory
    atomic_guid: []
    mitre_attack_id:
        - T1621
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log
          source: Azure AD
          sourcetype: azure:monitor:aad