Azure AD MFA-Failed Suspicious Sign-On

Detection overview

Triggers

  • A sign-in attempt was made to an account in which conditional access policies (such as an MFA requirement) were not met and the sign-on attributes (location, device, etc.) were unusual for that account.
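
The trigger above, as an added example that is not part of the original page: a pass over constructed sample sign-in records whose field names loosely follow Azure AD sign-in logs (the `upn`, `country` and `deviceId` keys are simplifications). The "usual" countries and device IDs are learned from the account's own earlier sign-ins that satisfied conditional access, so only attempts where conditional access failed and an attribute is new for the account are flagged.

```python
from collections import defaultdict

# Constructed sample shaped like Azure AD sign-in log fields (not real data).
# resultType 0 = success; 500121 = authentication failed during the MFA request.
SIGNINS = [
    {"time": "2024-01-02T09:00:00Z", "upn": "alice@example.com", "resultType": 0,
     "conditionalAccessStatus": "success", "country": "GB", "deviceId": "dev-alice-1"},
    {"time": "2024-01-03T09:05:00Z", "upn": "alice@example.com", "resultType": 0,
     "conditionalAccessStatus": "success", "country": "GB", "deviceId": "dev-alice-1"},
    # CA not met from a new country on an unregistered device: flagged
    {"time": "2024-01-04T03:12:00Z", "upn": "alice@example.com", "resultType": 500121,
     "conditionalAccessStatus": "failure", "country": "RU", "deviceId": ""},
    # CA not met, but from the usual country and device: a benign MFA miss
    {"time": "2024-01-04T09:00:00Z", "upn": "alice@example.com", "resultType": 500121,
     "conditionalAccessStatus": "failure", "country": "GB", "deviceId": "dev-alice-1"},
    # Unusual attributes but CA satisfied: not this detection's trigger
    {"time": "2024-01-05T09:00:00Z", "upn": "alice@example.com", "resultType": 0,
     "conditionalAccessStatus": "success", "country": "FR", "deviceId": "dev-alice-2"},
]


def detect(events):
    """Return (time, upn, resultType, reasons) for each sign-in that failed
    conditional access AND carries an attribute unusual for that account.
    The baseline is built in time order, so a later successful sign-in
    cannot retroactively make an earlier failed attempt look normal."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    hits = []
    for e in sorted(events, key=lambda x: x["time"]):
        b = baseline[e["upn"]]
        if e["conditionalAccessStatus"] == "failure":
            reasons = []
            if not b["countries"]:
                reasons.append("no baseline for account")
            else:
                if e["country"] not in b["countries"]:
                    reasons.append(f"new country {e['country']}")
                if e["deviceId"] not in b["devices"]:
                    reasons.append("unknown or unregistered device")
            if reasons:
                hits.append((e["time"], e["upn"], e["resultType"], reasons))
        elif e["conditionalAccessStatus"] == "success" and e["resultType"] == 0:
            # Only CA-satisfied successes extend what counts as "usual"
            b["countries"].add(e["country"])
            if e["deviceId"]:
                b["devices"].add(e["deviceId"])
    return hits
```

Running `detect(SIGNINS)` flags only the 03:12 attempt; the later MFA miss from the usual country and device, and the new-country sign-in that did satisfy conditional access, are left alone.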

Possible Root Causes

  • An adversary has stolen a valid account and is attempting to use it as part of an attack but has not yet succeeded in circumventing MFA or other conditional access policies.
  • A user has moved and performed a full refresh of their devices and failed to pass MFA or other conditional access policies.

Business Impact

  • Adversaries will continue to attempt to bypass security controls until successful unless directly stopped.
  • The compromise of a valid account may lead to the loss of confidentiality and integrity of any data and services that the account may access, and it may be used in service of additional lateral movement or attacks against other internal users.

Steps to Verify

  1. Investigate irregularities associated with this user’s login events for indications of a successful compromise.
  2. Validate whether these attempts were performed by the account’s proper owner.