EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

O365 Multiple Failed MFA Requests For User

The following analytic identifies potential "MFA fatigue" attacks targeting Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. It leverages O365 management activity logs, focusing on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, and an ErrorNumber of 500121. This activity is significant as attackers may exploit MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation is crucial.

MITRE ATT&CK

T1621

Detection Query

`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121
  | bucket span=10m _time
  | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature values(action) as action values(src) as src
    BY user _time vendor_account
       vendor_product dest
  | where mfa_prompts > 9
  | `o365_multiple_failed_mfa_requests_for_user_filter`

Author

Mauricio Velazco, Splunk

Created

2026-03-10

Data Sources

O365 UserLoginFailed

References

Tags

Office 365 Account TakeoverScattered Lapsus$ Hunters
Raw Content
name: O365 Multiple Failed MFA Requests For User
id: fd22124e-dbac-4744-a8ce-be10d8ec3e26
version: 10
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
    - O365 UserLoginFailed
description: The following analytic identifies potential "MFA fatigue" attacks targeting Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. It leverages O365 management activity logs, focusing on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, and an ErrorNumber of 500121. This activity is significant as attackers may exploit MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation is crucial.
search: |-
    `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121
      | bucket span=10m _time
      | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature values(action) as action values(src) as src
        BY user _time vendor_account
           vendor_product dest
      | where mfa_prompts > 9
      | `o365_multiple_failed_mfa_requests_for_user_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.
references:
    - https://attack.mitre.org/techniques/T1621/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Multiple failed MFA requestes for $user$
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Office 365 Account Takeover
        - Scattered Lapsus$ Hunters
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1621
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log
          source: o365
          sourcetype: o365:management:activity