MFA Flood

Detects potential MFA flood attacks. After attackers acquire account credentials, they may abuse the automatic generation of push notifications by MFA services (such as Duo Push, Microsoft Authenticator, Okta) to get the user to grant access to their account.

A user fails this check if they have 5 or more failed authentications within a 1-minute timeframe.
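
The rule above expressed as a per-user sliding-window detector; this is an added example, not the product's own implementation. The event tuple shape, the name detect_mfa_flood and the sample events are constructed for illustration, and treating failures exactly 60 seconds apart as inside the window is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalised shape
# (timestamp, user, result); not the Duo, Entra ID or Okta log schema.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "failure"),
    ("2024-05-01T09:00:10", "alice", "failure"),
    ("2024-05-01T09:00:20", "alice", "failure"),
    ("2024-05-01T09:00:30", "alice", "failure"),
    ("2024-05-01T09:00:45", "alice", "failure"),  # 5th failure within 45 s
    ("2024-05-01T09:00:50", "alice", "success"),  # approval right after the burst
    ("2024-05-01T09:00:00", "bob", "failure"),
    ("2024-05-01T09:00:30", "bob", "failure"),
    ("2024-05-01T09:01:10", "bob", "failure"),
    ("2024-05-01T09:01:40", "bob", "failure"),
    ("2024-05-01T09:02:20", "bob", "failure"),    # 5 failures, spread over 140 s
]


def detect_mfa_flood(events, threshold=5, window_minutes=1):
    """Return {user: finding} for users with >= threshold failures inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> failure timestamps still inside the window
    findings = {}
    for raw_ts, user, result in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(raw_ts)
        if result == "success" and user in findings:
            # A success after the flood is the case to triage first.
            findings[user]["success_after"] = True
        elif result == "failure":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and user not in findings:
                findings[user] = {"first": q[0], "last": ts, "success_after": False}
    return findings


if __name__ == "__main__":
    for user, hit in detect_mfa_flood(SAMPLE_EVENTS).items():
        print(user, hit["first"], hit["last"], "success_after =", hit["success_after"])
```

The success_after flag marks accounts where a successful authentication followed the burst, which is where the review of later application access should start.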

Recommended Actions

Check with the user if the failed login attempts were initiated by the user.

Check for suspicious access to applications in the period after the MFA flood attack.

Check if the username was in any known data breaches and update the account password if needed.

Default Check Settings

Number of failed authentications: 5

Timeframe (minutes): 1

Compatibility

Duo

Microsoft Entra ID

Okta
