AN0686: Analytic 0686
Correlate MFA push fatigue or unusual consent grant attempts with call activity where adversaries may have socially engineered the user over voice.
Analyst context for executives and security teams
This analytic matters because it links identity-provider signals with a common business risk: a user may be pressured over a phone call while receiving MFA prompts or consent requests. For leaders, the value is not just detecting an identity event, but recognizing when authentication or consent activity may be part of live social engineering that can bypass otherwise strong controls.
Executive priority
Prioritize this as an identity and incident-response readiness question: can the organization correlate unusual MFA push fatigue or consent grant attempts with call activity quickly enough to protect accounts and preserve evidence? The business decision is whether identity monitoring, help desk processes, telecom/call records, and SOC playbooks are integrated well enough to identify and contain suspected voice-assisted account compromise.
Technical view
The supplied analytic is for the Identity Provider platform and describes correlation of MFA push fatigue or unusual consent grant attempts with call activity. SOC and detection engineering teams should validate whether identity-provider logs expose MFA push patterns and consent grant attempts, whether call activity evidence is available to analysts, and whether correlation logic can distinguish abnormal user pressure scenarios from legitimate authentication and application-consent workflows. No official ATT&CK detection logic or relationship context was supplied, so implementation should be based on local identity-provider telemetry and enterprise call-data availability.
Likely telemetry
- Identity provider MFA prompt, challenge, approval, denial, and failure events
- Identity provider consent grant and application authorization events
- User, device, application, timestamp, source network, and session context from identity logs
- Call activity metadata available to the organization, such as user-associated call timing or help desk/telephony records
- Incident response case notes or user reports associated with suspicious MFA or consent activity
Detection direction
- Validate correlation windows between MFA push fatigue or unusual consent grant attempts and relevant call activity; tune timing based on local user behavior and log latency.
- Baseline normal MFA and consent-grant behavior by user, role, application, and geography where available to reduce false positives.
- Review likely benign causes such as legitimate help desk support, application onboarding, device replacement, or repeated failed sign-in attempts before escalating.
- Confirm whether analysts can see both sides of the signal: identity-provider events and call activity. A gap in either source materially weakens this analytic.
- Create triage steps that rapidly verify with the user through a trusted channel rather than the potentially compromised or socially engineered session.
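The correlation described in the list above, sketched as an added example (not MITRE's or Glexia's detection logic). The event tuples, field names, burst threshold, time windows, and the choice to treat every consent attempt as a candidate signal are all assumptions to replace with local identity-provider and telephony schemas and baselines.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names and thresholds are assumptions to tune locally.
IDP_EVENTS = [  # (timestamp, user, event_type, result)
    ("2025-03-04T14:02:10", "alice", "mfa_push", "denied"),
    ("2025-03-04T14:02:55", "alice", "mfa_push", "denied"),
    ("2025-03-04T14:03:40", "alice", "mfa_push", "timeout"),
    ("2025-03-04T14:04:30", "alice", "mfa_push", "approved"),
    ("2025-03-04T09:15:00", "bob", "mfa_push", "approved"),
    ("2025-03-04T16:20:00", "carol", "consent_grant", "requested"),
    ("2025-03-04T11:00:00", "dave", "mfa_push", "denied"),
    ("2025-03-04T11:00:40", "dave", "mfa_push", "denied"),
    ("2025-03-04T11:01:20", "dave", "mfa_push", "denied"),
]
CALLS = [  # (user, call_start, call_end) from telephony or help desk metadata
    ("alice", "2025-03-04T14:00:30", "2025-03-04T14:06:00"),
    ("carol", "2025-03-04T16:18:00", "2025-03-04T16:25:00"),
    ("bob", "2025-03-04T13:00:00", "2025-03-04T13:05:00"),
]

def ts(s):
    return datetime.fromisoformat(s)

def suspicious_identity_events(events, burst=3, window=timedelta(minutes=5)):
    """Yield (user, kind, time) for MFA push bursts and consent grant attempts."""
    pushes = {}
    for when, user, etype, _ in sorted(events):
        if etype == "consent_grant":
            yield user, "consent_grant", ts(when)
        elif etype == "mfa_push":
            recent = [t for t in pushes.get(user, []) if ts(when) - t <= window]
            recent.append(ts(when))
            pushes[user] = recent
            if len(recent) == burst:  # fire when the count reaches the threshold
                yield user, "mfa_push_burst", ts(when)

def correlate(events, calls, slack=timedelta(minutes=2)):
    """Return identity signals that fall inside (or within slack of) a call."""
    hits = []
    for user, kind, when in suspicious_identity_events(events):
        for cuser, start, end in calls:
            if cuser == user and ts(start) - slack <= when <= ts(end) + slack:
                hits.append((user, kind, when.isoformat()))
                break
    return hits

if __name__ == "__main__":
    for hit in correlate(IDP_EVENTS, CALLS):
        print(hit)
```

In the sample, dave's push burst has no matching call record and bob's call has no identity signal, so neither is returned; only signals with both sides present correlate.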
Mitigation priorities
- Ensure MFA and consent workflows are governed with clear policies, user education, and escalation paths for unexpected prompts or consent requests.
- Restrict and review user consent to applications where appropriate for the environment, especially for unusual or high-risk permission requests.
- Integrate identity-provider monitoring with incident response and help desk processes so suspected social engineering can be investigated quickly.
- Preserve identity and call-activity evidence needed for IR review, audit support, and post-incident lessons learned.
- Use tabletop or playbook validation to confirm SOC, IAM, and support teams know how to respond when MFA fatigue or consent anomalies coincide with voice contact.
Analyst notes and limits
This object is a detection analytic, not a technique description. Its main decision value is correlation: identity events alone may look like user friction, while call activity may indicate active social engineering. Treat this as a coverage validation item for IAM, SOC, and IR teams rather than proof of compromise by itself.
ATT&CK provides no official detection text beyond the analytic description, no tactics, no relationships, and only the Identity Provider platform. Local identity-provider logging, telephony/call metadata access, privacy constraints, and user-verification procedures determine whether this analytic is feasible and reliable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6dac61eb4a7f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0686
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.