I've set up a tenant with a single user who's currently getting unsolicited Microsoft MFA (multi-factor authentication) notifications where they have to select from a list of numbers. They aren't trying to log in. We've already taken several security measures: we disabled their login, reset their password multiple times, and revoked all sessions. Despite all of this, the MFA pushes keep coming. Interestingly, our log files show many rejected login attempts from potential attackers, but there are no successful login attempts around the time of these pushes. After resetting MFA, the user is still getting random pushes even though there's no evidence in the logs of any valid login attempts at those times. I'm puzzled as to why these notifications haven't stopped after all the changes we've made.
5 Answers
It's possible that this user inadvertently used the same password across multiple sites, which could lead to these MFA pushes. The bad actors might be hoping for a lucky guess. Maybe change up the login UPN so that it’s different from their email—it adds another layer of security!
If the logs are piling up with bad attempts, you should consider blocking specific IPs or even entire countries. It might be a longer shot, but restricting access could help alleviate some of the pressure. Your defenses may need a little boost!
Sounds like you're dealing with some serious credential stuffing attacks. Even if the log shows failed attempts, those MFA pushes can still be triggered. I'd suggest looking at your conditional access logs; there might be policies that block logins after the password's been entered but before the MFA kicks in. Also, double-check if the MFA method aligns with what’s registered for that user. Sometimes, old tokens or cached credentials can cause confusion and send those pushes without a valid login.
Am I wrong in thinking that MFA pushes shouldn't occur if the password isn't correct? All those failed login attempts should block further progression to MFA. Yet, if those pushes keep coming, it might indicate the bad actors have valid credentials somewhere. It could be worth checking if any suspicious apps are linked to the account.
You might want to investigate if that email is linked to an old Microsoft personal account. The type of MFA prompt you're describing is more in line with personal accounts rather than Office 365 business accounts. Try seeing if there’s any chance the user has linked personal account credentials that they're not even aware of.
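The answers above disagree on what the failed-attempt logs actually prove, so here is a small correlation script (an added example, not code from this thread or from Microsoft) that sorts one user's sign-in records into the three situations discussed: password guessing that never reaches MFA, MFA pushes triggered by someone who already holds the correct password, and pushes with no matching tenant activity at all, which points at a different identity such as a linked personal account. The records are constructed; the field names follow the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`, `authenticationRequirement`) and the error codes are the documented Entra values 50126 (bad password) and 500121 (strong-authentication request failed or denied). Check both against your own export before relying on them.

```python
"""Correlate Entra ID sign-in records for one user to tell credential
stuffing apart from MFA push fatigue.

Constructed example: the records below are made up. Field names follow the
Microsoft Graph signIn resource and the error codes are the documented Entra
values; treat both as assumptions to verify against a real export.
"""
from datetime import datetime, timedelta

BAD_PASSWORD = 50126   # primary auth failed: the caller does not know the password
MFA_FAILED = 500121    # primary auth passed, the MFA push was denied or timed out
SUCCESS = 0            # fully successful sign-in

# Constructed sample export (times in UTC, IPs from documentation ranges).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T02:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": BAD_PASSWORD},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"createdDateTime": "2024-05-01T02:00:10Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": BAD_PASSWORD},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"createdDateTime": "2024-05-01T02:01:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": BAD_PASSWORD},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"createdDateTime": "2024-05-01T02:05:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": MFA_FAILED},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"createdDateTime": "2024-05-01T02:06:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": MFA_FAILED},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"createdDateTime": "2024-05-01T02:07:30Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": MFA_FAILED},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"createdDateTime": "2024-05-01T02:08:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": MFA_FAILED},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"createdDateTime": "2024-05-01T03:30:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": MFA_FAILED},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"createdDateTime": "2024-05-01T02:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.9", "status": {"errorCode": BAD_PASSWORD},
     "authenticationRequirement": "singleFactorAuthentication"},
]


def parse_ts(value):
    """Parse the Graph timestamp format used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def max_burst(times, window):
    """Largest number of events that fall inside any sliding window."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def analyse_user(records, upn, window=timedelta(minutes=30), push_threshold=3):
    """Summarise one user's sign-in records and assign a verdict."""
    rows = [r for r in records if r["userPrincipalName"].lower() == upn.lower()]
    codes = [r["status"]["errorCode"] for r in rows]
    mfa_rows = [r for r in rows if r["status"]["errorCode"] == MFA_FAILED]
    burst = max_burst([parse_ts(r["createdDateTime"]) for r in mfa_rows], window)

    summary = {
        "user": upn,
        "bad_password": codes.count(BAD_PASSWORD),
        "mfa_stage": len(mfa_rows),
        "success": codes.count(SUCCESS),
        "max_push_burst": burst,
        "mfa_source_ips": sorted({r["ipAddress"] for r in mfa_rows}),
    }

    # A record at the MFA stage means primary authentication already passed,
    # so a burst of denied pushes implies the password is known to the caller.
    if summary["success"]:
        summary["verdict"] = "successful_sign_in"
    elif burst >= push_threshold:
        summary["verdict"] = "mfa_fatigue"
    elif summary["bad_password"] and not summary["mfa_stage"]:
        summary["verdict"] = "credential_stuffing"
    else:
        summary["verdict"] = "no_tenant_activity"
    return summary


if __name__ == "__main__":
    for upn in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(analyse_user(SAMPLE_SIGNINS, upn))
```

Read the verdicts against the thread: `credential_stuffing` (only 50126 records) is the situation where failed passwords never reach MFA, so pushes the user sees cannot be coming from those attempts; `mfa_fatigue` (a burst of 500121 records) means the password has already been guessed and the push prompts themselves are the attack, so the password reset and number matching are the right response; `no_tenant_activity` for a user who is still receiving prompts is the case the last answer describes, where the prompts belong to another identity and the tenant logs will never explain them.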