MITRE ATT&CK® Analytic

AN0454: Analytic 0454

Detect user account logon attempts that trigger multiple MFA challenges through enterprise identity integrations, especially if MFA push requests are generated without successful interactive login.

Enterprise | AN0454 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting repeated MFA challenges tied to user logon attempts, especially push prompts that appear without a successful interactive login. For leaders, the practical issue is identity resilience: excessive or unexplained MFA prompts can indicate pressure on user accounts and can also create help desk noise, user fatigue, and uncertainty during incident triage.

Executive priority

Prioritize this as an identity and SOC readiness question: can the organization prove when MFA challenges were generated, whether a real interactive login succeeded, and which users, devices, or integrations were involved? This matters for incident decision-making, audit evidence around access controls, and reducing business disruption from account lockouts or user fatigue. Because the object is limited to macOS as the supplied platform and provides no tactic mapping or relationships, leaders should treat it as a validation prompt rather than a complete coverage claim.

Technical view

SOC and detection teams should validate whether enterprise identity integrations record MFA challenge creation, challenge outcome, associated username, source address, device or host context, application, and whether an interactive login completed. The analytic specifically points to multiple MFA challenges and push requests without successful interactive login, so correlation between identity-provider MFA events and authentication success/failure events is the core requirement. For macOS environments, teams should also confirm whether endpoint, device-management, or identity integration logs can connect user activity on managed macOS systems to the identity events.

Likely telemetry

  • Identity provider authentication logs
  • MFA challenge and push notification events
  • Interactive login success and failure records
  • User, device, application, and source network metadata from enterprise identity integrations
  • macOS endpoint or device-management context where available

Detection direction

  • Correlate repeated MFA challenge generation with absence of successful interactive login for the same user and time window.
  • Tune thresholds to reduce false positives from legitimate retry behavior, enrollment issues, travel, device changes, or user error.
  • Validate that MFA push events are logged even when the user does not approve or complete login.
  • Check for blind spots where SaaS applications, federated identity integrations, or macOS-managed devices do not forward complete authentication and MFA outcome data.
  • Ensure alerts preserve enough context for triage: affected user, application, source, device context, challenge count, outcome, and related successful logins.
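As an added example (not MITRE's or Glexia's code), the core correlation from the detection direction above, run over constructed identity-provider events: repeated MFA challenges for one user inside a time window, suppressed when an interactive login success lands in that same window, with the triage context carried into the alert. Event field names, the threshold and the window are assumptions to be mapped to the real identity provider's schema and tuned locally.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names are assumed and
# must be mapped to the identity provider's actual schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "mfa_challenge", "app": "vpn", "src": "203.0.113.7", "outcome": "timeout"},
    {"ts": "2024-05-01T09:01:10", "user": "alice", "type": "mfa_challenge", "app": "vpn", "src": "203.0.113.7", "outcome": "denied"},
    {"ts": "2024-05-01T09:02:05", "user": "alice", "type": "mfa_challenge", "app": "vpn", "src": "203.0.113.7", "outcome": "timeout"},
    {"ts": "2024-05-01T09:04:30", "user": "alice", "type": "mfa_challenge", "app": "mail", "src": "203.0.113.7", "outcome": "timeout"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "type": "mfa_challenge", "app": "vpn", "src": "198.51.100.4", "outcome": "timeout"},
    {"ts": "2024-05-01T10:01:00", "user": "bob", "type": "mfa_challenge", "app": "vpn", "src": "198.51.100.4", "outcome": "timeout"},
    {"ts": "2024-05-01T10:02:00", "user": "bob", "type": "mfa_challenge", "app": "vpn", "src": "198.51.100.4", "outcome": "approved"},
    {"ts": "2024-05-01T10:02:20", "user": "bob", "type": "login_success", "app": "vpn", "src": "198.51.100.4", "outcome": "success"},
    {"ts": "2024-05-01T11:00:00", "user": "carol", "type": "mfa_challenge", "app": "vpn", "src": "192.0.2.9", "outcome": "denied"},
    {"ts": "2024-05-01T11:30:00", "user": "carol", "type": "mfa_challenge", "app": "vpn", "src": "192.0.2.9", "outcome": "approved"},
]

def find_unanswered_challenge_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Alert on users who receive `threshold` or more MFA challenges within
    `window` with no interactive login success in that same window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_user[e["user"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    alerts = []
    for user, evs in by_user.items():
        challenges = [e for e in evs if e["type"] == "mfa_challenge"]
        successes = [e["ts"] for e in evs if e["type"] == "login_success"]
        for i, first in enumerate(challenges):
            end = first["ts"] + window
            burst = [c for c in challenges[i:] if c["ts"] <= end]
            if len(burst) < threshold:
                continue
            # A completed interactive login inside the window explains the
            # prompts (legitimate retry, user error); that is tuning, not an alert.
            if any(first["ts"] <= s <= end for s in successes):
                continue
            alerts.append({  # triage context the analytic asks alerts to preserve
                "user": user,
                "challenge_count": len(burst),
                "apps": sorted({c["app"] for c in burst}),
                "sources": sorted({c["src"] for c in burst}),
                "outcomes": [c["outcome"] for c in burst],
                "first": burst[0]["ts"].isoformat(),
                "last": burst[-1]["ts"].isoformat(),
            })
            break  # one alert per user; later windows add no new information
    return alerts
```

With the sample data only alice is flagged: four push challenges in under five minutes, none approved, no interactive login; bob's three prompts are followed by a success inside the window and carol's two prompts are too sparse to meet the threshold.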

Mitigation priorities

  • Confirm MFA logging is enabled and retained for enterprise identity integrations.
  • Standardize correlation between MFA challenge events and authentication success/failure events.
  • Review conditional access and MFA policies to ensure suspicious repeated prompts can be investigated and contained.
  • Prepare incident response playbooks for user verification, session review, credential reset decisions, and evidence preservation when unexplained MFA prompts occur.
  • Use reporting from this analytic area as compliance evidence that MFA control operation is monitored, not merely configured.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique. It has no tactic mapping, no relationship context, and no official detection logic beyond the description. The strongest defensible use is to guide identity telemetry validation and SOC correlation around repeated MFA challenges without completed interactive login.

No official detection query, thresholds, data sources, related techniques, adversary relationships, or active exploitation context were supplied. Coverage depends on the organization’s identity provider, MFA implementation, logging configuration, retention, and ability to correlate events with macOS user/device context.

Official MITRE ATT&CK definition

Analytic 0454

Detect user account logon attempts that trigger multiple MFA challenges through enterprise identity integrations, especially if MFA push requests are generated without successful interactive login.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d9adc7e1bf8ad484...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d9adc7e1bf8a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0454 (external source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.