16 lines
1.0 KiB
JSON
16 lines
1.0 KiB
JSON
{
|
|
"doc_id": "KB-O365-MFA-FATIGUE",
|
|
"doc_type": "kb",
|
|
"title": "MFA Fatigue Detection Notes",
|
|
"scenario": "o365_suspicious_login",
|
|
"summary": "Patterns for identifying MFA fatigue / push bombing during account compromise attempts.",
|
|
"applicability": ["azuread_impossible_travel", "azuread_suspicious_login"],
|
|
"key_points": ["Repeated MFA prompts preceding one successful prompt is suspicious.", "User-reported prompt fatigue is strong supporting evidence.", "MFA fatigue is often coupled with credential theft rather than password spray alone."],
|
|
"investigation_guidance": ["Review MFA event counts and timing.", "Check if the user acknowledged unexpected prompts.", "Look for subsequent session hijacking or mailbox abuse."],
|
|
"decision_points": ["Prompt flood plus user denial usually warrants immediate containment."],
|
|
"related_entities": {"ttps": ["T1621"], "iocs": []},
|
|
"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "cases": []},
|
|
"tags": ["kb", "o365", "mfa-fatigue"],
|
|
"updated_at": "2026-04-10T09:35:00+08:00"
|
|
}
|