AN0453: Analytic 0453
Detect anomalous OAuth or SSO logins that repeatedly generate MFA challenges, particularly where MFA approvals are denied or timed out by the user.
Analyst context for executives and security teams
This analytic matters because repeated OAuth or SSO logins that trigger MFA prompts, especially prompts the user denies or ignores, can indicate pressure on identity controls in a SaaS environment. For leaders, the value is not just alerting on MFA events; it is validating whether identity telemetry can distinguish normal authentication friction from suspicious repeated challenge patterns that may require SOC or incident response action.
Executive priority
Prioritize this as an identity and SaaS resilience question: can the organization prove it sees repeated MFA challenges, denials, and timeouts across OAuth/SSO access paths, and can it triage them quickly enough to protect business-critical SaaS access? This supports incident decision-making, IAM control assurance, and audit evidence around MFA monitoring, but the supplied ATT&CK object does not specify impact, attribution, or active exploitation.
Technical view
For SOC, detection engineering, and IR teams, validate logging and correlation for SaaS OAuth/SSO authentication events where MFA challenges are repeatedly generated and where user responses are denied or timed out. Because ATT&CK does not provide a formal detection implementation or tactic mapping for this analytic, local baselining is required to define what constitutes anomalous repetition by user, application, source context, session, and time window.
Likely telemetry
- SaaS identity provider sign-in logs
- OAuth authentication events
- SSO authentication events
- MFA challenge issued events
- MFA approval, denial, and timeout outcomes
Detection direction
- Confirm that MFA challenge outcomes, including denied and timed-out prompts, are collected and searchable for SaaS OAuth/SSO logins.
- Correlate repeated MFA challenges for the same user or account context over a defined time window rather than treating each prompt as an isolated event.
- Baseline expected MFA retry behavior to reduce false positives from users with device issues, travel, session expiration, or legitimate authentication failures.
- Tune triage to prioritize repeated denied or timed-out MFA challenges, especially when patterns are anomalous for the user or application.
- Document blind spots where SaaS applications, identity providers, or SSO paths do not emit consistent MFA outcome telemetry.
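The correlation the list above describes, as an added example that is not part of the ATT&CK object or of the Glexia page: a sliding-window count of denied or timed-out MFA outcomes per user over constructed JSON-lines sign-in records, with an optional per-user baseline standing in for the expected retry behaviour. The field names (ts, user, app, auth, src, mfa), the outcome values, the thresholds and the sample records are all assumptions, not any identity provider's schema.

```python
"""Flag users whose OAuth/SSO sign-ins repeatedly trigger MFA challenges that
are denied or time out within a sliding time window (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample IdP sign-in log (JSON lines). Field names and values are
# assumptions for this example, not a real identity provider's export format.
SAMPLE_LOG = """
{"ts":"2024-05-01T08:00:00Z","user":"alice","app":"crm","auth":"sso","src":"10.0.0.5","mfa":"approved"}
{"ts":"2024-05-01T08:30:10Z","user":"alice","app":"crm","auth":"sso","src":"10.0.0.5","mfa":"timeout"}
{"ts":"2024-05-01T08:31:00Z","user":"alice","app":"crm","auth":"sso","src":"10.0.0.5","mfa":"approved"}
{"ts":"2024-05-01T22:01:00Z","user":"bob","app":"mail","auth":"oauth","src":"203.0.113.9","mfa":"denied"}
{"ts":"2024-05-01T22:02:15Z","user":"bob","app":"mail","auth":"oauth","src":"203.0.113.9","mfa":"timeout"}
{"ts":"2024-05-01T22:03:40Z","user":"bob","app":"mail","auth":"oauth","src":"203.0.113.9","mfa":"denied"}
{"ts":"2024-05-01T22:05:05Z","user":"bob","app":"mail","auth":"oauth","src":"203.0.113.9","mfa":"timeout"}
{"ts":"2024-05-01T22:06:30Z","user":"bob","app":"mail","auth":"oauth","src":"203.0.113.9","mfa":"approved"}
{"ts":"2024-05-02T09:00:00Z","user":"carol","app":"wiki","auth":"sso","src":"10.0.0.7","mfa":"none"}
"""

FAILED = {"denied", "timeout"}  # outcomes that count as a non-completed prompt


def parse_events(text):
    """Parse JSON-lines sign-in records and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_repeated_mfa_challenges(events, window=timedelta(minutes=10),
                                 max_failed=2, baseline=None):
    """Return one finding per user whose denied/timed-out MFA challenges inside
    any `window` exceed `max_failed`, or that user's own baseline if one is
    supplied (a stand-in for locally baselined retry behaviour).
    Only OAuth/SSO events that actually issued a challenge are counted."""
    baseline = baseline or {}
    recent = defaultdict(deque)  # user -> challenge events still inside the window
    findings = {}
    for e in events:
        if e["auth"] not in ("oauth", "sso") or e["mfa"] == "none":
            continue  # not an OAuth/SSO path, or no MFA challenge was issued
        q = recent[e["user"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:  # drop events older than the window
            q.popleft()
        failed = sum(1 for x in q if x["mfa"] in FAILED)
        if failed > baseline.get(e["user"], max_failed):
            # Keep the latest (widest) view of the run for this user.
            findings[e["user"]] = {
                "user": e["user"],
                "challenges": len(q),
                "failed": failed,
                "window_start": q[0]["ts"],
                "window_end": e["ts"],
                "apps": sorted({x["app"] for x in q}),
                "sources": sorted({x["src"] for x in q}),
                # A run of denials/timeouts that ends in an approval is the
                # case to triage first: the user may eventually have accepted
                # a prompt they did not initiate.
                "ended_in_approval": e["mfa"] == "approved",
            }
    return list(findings.values())


if __name__ == "__main__":
    for f in find_repeated_mfa_challenges(parse_events(SAMPLE_LOG)):
        print(f)
```

On the constructed records, alice's single timeout followed by a quick approval stays under the threshold, carol's event is skipped because no challenge was issued, and bob's five prompts in six minutes with four denials or timeouts produce one finding. Keying the window on the user alone is deliberate for a first pass; adding the application or source address to the key would split the run and can hide a pattern that spans several apps, so those are recorded in the finding for triage rather than used to partition it.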
Mitigation priorities
- Ensure SaaS SSO and OAuth authentication logs are enabled, retained, and available to the SOC or managed detection workflow.
- Review MFA policy coverage for SaaS access paths so that challenge events and outcomes are consistently enforced and recorded.
- Create an incident response playbook for repeated MFA challenge patterns, including user verification, session review, and account risk assessment.
- Use findings from detections to improve IAM monitoring, user education, and evidence collection for compliance readiness.
Analyst notes and limits
This is a detection analytic object for SaaS platforms focused on anomalous OAuth or SSO logins that repeatedly generate MFA challenges, particularly when users deny or do not complete the prompt. No ATT&CK relationships, tactic mapping, or official detection logic were supplied, so implementation should be based on local identity-provider telemetry and organizational baselines.
It also does not identify adversary groups, campaigns, software, impact, or active exploitation. Coverage and severity depend on the organization's SaaS identity architecture, MFA logging fidelity, retention, and SOC workflow integration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d966e06c1520… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0453 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.