Suspicious MFA request reported by user in Entra ID

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-01-14

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AzureAD Audit Log
Detection Modules	Identity Threat Module
Detector Tags
ATT&CK Tactic	Persistence (TA0003) Initial Access (TA0001)
ATT&CK Technique	Valid Accounts (T1078)
Severity	Informational

Description

A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt.

Attacker's Goals

An attacker may attempt to gain unauthorized access to the account.

Investigative actions

Check if the authentication attempt was legitimate.
Investigate any recent unusual login behavior or IP addresses associated with the account.
Verify whether the user has recently changed their authentication methods or account settings.
Follow the account for possible suspicious or unusual logins.

Variations

Suspicious MFA request reported by a sensitive user in Entra ID

Synopsis

ATT&CK Tactic

ATT&CK Technique

Valid Accounts (T1078)

Severity

Low

Description

A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt.

Attacker's Goals

An attacker may attempt to gain unauthorized access to the account.

Investigative actions

Check if the authentication attempt was legitimate.
Investigate any recent unusual login behavior or IP addresses associated with the account.
Verify whether the user has recently changed their authentication methods or account settings.
Follow the account for possible suspicious or unusual logins.