title: Multifactor Authentication Denied
id: e40f4962-b02b-4192-9bfe-245f7ece1f99
status: test
description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
references:
    - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
author: AlertIQ
date: 2022-03-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        AuthenticationRequirement: 'multiFactorAuthentication'
        Status|contains: 'MFA Denied'
    condition: selection
falsepositives:
    - Users actually login but miss-click into the Deny button when MFA prompt.
level: medium

title: Multifactor Authentication Interrupted
id: 5496ff55-42ec-4369-81cb-00f417029e25
status: test
description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection_50074:
        ResultType: 50074
        ResultDescription|contains: 'Strong Auth required'
    selection_500121:
        ResultType: 500121
        ResultDescription|contains: 'Authentication failed during strong authentication request'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium