Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
Adversaries in possession of credentials to Valid Accounts may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.
In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-02 | Account Management | Protects | T1621 | Multi-Factor Authentication Request Generation | |
| AC-06 | Least Privilege | Protects | T1621 | Multi-Factor Authentication Request Generation | |
| CM-05 | Access Restrictions for Change | Protects | T1621 | Multi-Factor Authentication Request Generation | |
| IA-02 | Identification and Authentication (organizational Users) | Protects | T1621 | Multi-Factor Authentication Request Generation | |
| IA-03 | Device Identification and Authentication | Protects | T1621 | Multi-Factor Authentication Request Generation | |
| IA-05 | Authenticator Management | Protects | T1621 | Multi-Factor Authentication Request Generation | |
| ME-IP-E5 | Identity Protection | Technique Scores | T1621 | Multi-Factor Authentication Request Generation |
Comments
During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.
Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.
License Requirements:
Microsoft Entra ID P2
References
|
| ME-CA-E5 | Conditional Access | Technique Scores | T1621 | Multi-Factor Authentication Request Generation |
Comments
Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2.
References
|
| DEF-IR-E5 | Incident Response | Technique Scores | T1621 | Multi-Factor Authentication Request Generation |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to Multi-Factor Authentication Request Generation attacks due to Incident Response monitoring MFA application logs for suspicious events.
License Requirements:
Microsoft Defender XDR
References
|
| DO365-AG-E5 | App Governance | Technique Scores | T1621 | Multi-Factor Authentication Request Generation |
Comments
App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization
App Governance Detects Multi-Factor Authentication Request Generation attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.
License Requirements:
Microsoft Defender for Cloud Apps
References
|
| DO365-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1621 | Multi-Factor Authentication Request Generation |
Comments
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.
Advanced Threat Hunting Detects Multi-Factor Authentication Request Generation attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
License Requirements:
Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
References
|