Detection: Azure AD Multiple Denied MFA Requests For User

Description

The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 and additional details indicating "MFA denied; user declined the authentication." This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.

`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
| rename properties.* as *
| search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication"
| bucket span=10m _time
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user_agent) as user_agent values(src) as src
    BY user status.additionalDetails vendor_account vendor_product signature _time
| where count > 9
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multiple_denied_mfa_requests_for_user_filter`
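The SPL above is only evaluated inside Splunk. As an added example (not code from the Splunk Security Content project), the following Python re-implements the same aggregation over constructed Azure AD SignInLogs records so the logic can be tested offline: select events with errorCode 500121 and the denied-MFA detail, floor `_time` into 10-minute buckets, count per user and bucket, and report buckets where the count exceeds 9. It assumes raw records carry `properties.userPrincipalName`, `properties.ipAddress` and `properties.userAgent`, which the add-on's CIM aliases expose as `user`, `src` and `user_agent`; the `dest`, `vendor_*` and `signature` grouping fields are omitted, and the sample events are constructed, not real telemetry.

```python
"""Offline re-implementation of the 'multiple denied MFA requests' aggregation.
Added example; field layout and sample data are assumptions, not the page's code."""

from collections import defaultdict
from datetime import datetime, timezone

# Same selection criteria as the SPL `search` stage.
DENIED_ERROR_CODE = 500121
DENIED_DETAIL = "MFA denied; user declined the authentication"
SPAN_SECONDS = 10 * 60   # `bucket span=10m _time`
THRESHOLD = 9            # `where count > 9`


def _epoch(ts: str) -> int:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' to epoch seconds."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def _bucket(epoch: int) -> int:
    """Floor a timestamp to the start of its 10-minute bucket."""
    return epoch - (epoch % SPAN_SECONDS)


def _iso(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def is_denied_mfa(event: dict) -> bool:
    """True for 'Sign-in activity' events carrying the denied-MFA status."""
    status = event.get("properties", {}).get("status", {})
    return (
        event.get("category") == "SignInLogs"
        and event.get("operationName") == "Sign-in activity"
        and status.get("errorCode") == DENIED_ERROR_CODE
        and status.get("additionalDetails") == DENIED_DETAIL
    )


def detect_denied_mfa_bursts(events, threshold=THRESHOLD):
    """One finding per (user, 10m bucket) with more than `threshold` declines,
    carrying the same summary fields the SPL `stats` stage produces."""
    groups = defaultdict(list)
    for ev in events:
        if not is_denied_mfa(ev):
            continue
        props = ev["properties"]
        t = _epoch(ev["time"])
        groups[(props.get("userPrincipalName"), _bucket(t))].append((t, props))

    findings = []
    for (user, bucket), rows in sorted(groups.items()):
        if len(rows) <= threshold:       # `where count > 9`
            continue
        times = [t for t, _ in rows]
        findings.append({
            "user": user,
            "bucket_start": _iso(bucket),
            "count": len(rows),
            "firstTime": _iso(min(times)),
            "lastTime": _iso(max(times)),
            "src": sorted({p["ipAddress"] for _, p in rows if p.get("ipAddress")}),
            "user_agent": sorted({p["userAgent"] for _, p in rows if p.get("userAgent")}),
        })
    return findings


# --- constructed sample data (assumed raw record layout) ---------------------
def _event(ts, user, code, detail, ip="203.0.113.10", ua="Mozilla/5.0"):
    return {
        "time": ts,
        "category": "SignInLogs",
        "operationName": "Sign-in activity",
        "properties": {
            "userPrincipalName": user,
            "ipAddress": ip,
            "userAgent": ua,
            "status": {"errorCode": code, "additionalDetails": detail},
        },
    }


def _ts(minute, second=0):
    return f"2024-01-01T10:{minute:02d}:{second:02d}Z"


def sample_events():
    """Constructed sample: one burst that should fire, two that should not."""
    events = []
    for i in range(11):                      # alice: 11 declines, 10:02:00-10:07:00
        s = 120 + 30 * i
        events.append(_event(_ts(s // 60, s % 60), "alice@example.com",
                             DENIED_ERROR_CODE, DENIED_DETAIL))
    events.append(_event(_ts(4), "alice@example.com", 0, "ok"))   # success, ignored
    for i in range(5):                       # alice: 5 declines in the 10:10 bucket
        s = 900 + 30 * i
        events.append(_event(_ts(s // 60, s % 60), "alice@example.com",
                             DENIED_ERROR_CODE, DENIED_DETAIL))
    for i in range(3):                       # bob: 3 declines, below threshold
        events.append(_event(_ts(3 + i), "bob@example.com",
                             DENIED_ERROR_CODE, DENIED_DETAIL, ip="198.51.100.7"))
    return events


if __name__ == "__main__":
    for f in detect_denied_mfa_bursts(sample_events()):
        print(f)
```

Lowering `threshold` is the offline equivalent of editing the `where count > 9` line; the second alice bucket (five declines) only surfaces once the threshold drops below five, which is the kind of tuning the Known False Positives section warns may be needed.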

Data Source

Name                                       | Platform | Sourcetype        | Source
Azure Active Directory Sign-in activity    | Azure    | azure:monitor:aad | Azure AD

Macros Used

Name                                                    | Value
security_content_ctime                                  | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
azure_ad_multiple_denied_mfa_requests_for_user_filter   | search *

azure_ad_multiple_denied_mfa_requests_for_user_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK

ID    | Technique                                      | Tactic
T1621 | Multi-Factor Authentication Request Generation | Credential Access

Kill Chain Phases: Exploitation
NIST: DE.CM
CIS: CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting                                     | Value
Disabled                                    | true
Cron Schedule                               | 0 * * * *
Earliest Time                               | -70m@m
Latest Time                                 | -10m@m
Schedule Window                             | auto
Creates Finding (Notable)                   | Yes
Rule Title                                  | %name%
Rule Description                            | %description%
Notable Event Fields                        | user, dest
Creates Intermediate Finding (Risk Event)   | No
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.

Implementation

You must install the latest version of the Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an Event Hub. This analytic was written to be used with the azure:monitor:aad sourcetype, leveraging the SignInLogs category.

Known False Positives

Multiple denied MFA requests in a short period of time may also be a sign of authentication errors. Investigate and filter as needed.

Associated Analytic Story

Finding

Title                                                                      | Entity Field | Entity Type | Risk Score
User $user$ denied more than 9 MFA requests in a timespan of 10 minutes.   | user         | user        | 50

References

Detection Testing

Test Type   | Status  | Dataset | Source   | Sourcetype
Validation  | Passing | N/A     | N/A      | N/A
Unit        | Passing | Dataset | Azure AD | azure:monitor:aad
Integration | Passing | Dataset | Azure AD | azure:monitor:aad

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 13