T1621: Multi-Factor Authentication Request Generation

This technique matters because MFA can become a decision point for an attacker rather than a barrier. If an adversary already has a valid password, repeated push, SMS, phone, or SSPR-triggered MFA requests may pressure a user into approving access. For leaders, the issue is not whether MFA exists, but whether identity controls, user reporting paths, and SOC monitoring can distinguish legitimate sign-in friction from coercive request generation.

Executive priority

Prioritize this as an identity-resilience and incident-readiness control gap. MFA request abuse can affect Windows, Linux, macOS, IaaS, SaaS, Office Suite, and Identity Provider environments, so ownership often spans IAM, cloud, endpoint, help desk, and SOC teams. Executives should ask: are MFA and SSPR events centrally logged, are repeated prompts investigated quickly, are users trained to report unexpected prompts, and do account-use policies limit repeated authentication attempts? This is also relevant audit evidence for proving MFA is operationally monitored, not merely deployed.

Technical view

T1621 is a credential-access technique focused on generating MFA requests to bypass the second factor after credentials are obtained, or by abusing automatic push generation in self-service password reset configurations. ATT&CK provides no official detection text for this object, but a related detection strategy, DET0160, is listed. SOC and detection teams should validate coverage around anomalous MFA challenge volume, repeated denied or ignored prompts, eventual approval after multiple requests, suspicious SSPR-triggered MFA activity, and sign-in attempts against valid accounts across identity providers, SaaS, office suites, IaaS, and supported operating system contexts. Relationship context shows ATT&CK has associated this behavior with C0027 and groups including APT29, LAPSUS$, and Scattered Spider; use that as threat-intelligence prioritization context, not as proof of local exposure.

Likely telemetry

Identity provider authentication logs, including successful and failed sign-ins
MFA challenge generation, approval, denial, timeout, SMS, phone, and push notification events
Self-service password reset logs and related MFA prompt activity
Valid account usage records tied to unusual authentication sequences
Account lockout, failed login, and repeated authentication attempt events

Detection direction

Confirm that MFA request events are collected with enough detail to link user, device, source, application, result, timestamp, and request type.
Tune analytics for repeated MFA prompts over short periods, especially where multiple denials, timeouts, or ignored prompts precede an approval.
Correlate MFA prompt spikes with valid-account sign-in attempts and SSPR activity rather than treating MFA approvals as inherently benign.
Establish triage logic for expected false positives such as user lockouts, device migrations, travel, enrollment changes, or legitimate SSPR use.
Use DET0160 as the ATT&CK-linked detection-strategy reference, but validate locally because the supplied ATT&CK object does not include official detection guidance.

Mitigation priorities

Strengthen MFA implementation and configuration under M1032 so MFA is consistently required for critical systems and services and resistant to automatic request abuse where supported by local technology.
Apply M1036 account-use policies such as lockout mechanisms, restrictions on account use, and session/inactivity controls to reduce repeated authentication opportunities.
Review SSPR configurations because the ATT&CK description specifically notes abuse of automatic push notification generation when SSPR is configured.
Implement M1017 user training focused on recognizing unexpected MFA prompts, not approving them, and reporting them through a clear channel.
Make MFA prompt abuse part of incident response playbooks: reset credentials, review recent sign-ins, inspect SSPR activity, and verify whether access was granted after repeated prompts.

Analyst notes and limits

The key defensive lesson is that MFA deployment alone is not sufficient evidence of identity security. Coverage depends on prompt-level telemetry, correlation with sign-in and SSPR events, user reporting behavior, and enforceable account-use policies. This technique is especially material for organizations heavily dependent on SaaS, Office Suite, IaaS, and centralized identity providers.

The official ATT&CK object does not provide detection text, and the supplied relationship context includes only a named detection strategy without its detailed logic. Specific thresholds, MFA configuration options, and platform-native controls must be validated against the organization’s identity provider, SaaS, IaaS, and logging architecture. Group and campaign relationships indicate ATT&CK-documented use, not current activity or local targeting.

Official MITRE ATT&CK definition

Multi-Factor Authentication Request Generation

Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Adversaries in possession of credentials to Valid Accounts may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).[1]

In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”[2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

G0016: APT29

APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]

G1004: LAPSUS$

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

C0027: C0027

C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]

Relationship explorer

All related ATT&CK context

uses · Group G0016: APT29 Enterprise detects · Detection Strategy DET0160: Detection Strategy for Multi-Factor Authentication Request Generation (T1621) Enterprise mitigates · Mitigation M1032: Multi-factor Authentication Enterprise uses · Campaign C0027: C0027 Enterprise mitigates · Mitigation M1036: Account Use Policies Enterprise uses · Group G1015: Scattered Spider Enterprise uses · Group G1004: LAPSUS$ Enterprise mitigates · Mitigation M1017: User Training Enterprise

Mitigations

Mitigation direction

M1032: Multi-factor Authentication

Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include:

- *Something you know*: Passwords, PINs. - *Something you have*: Physical tokens, smartphone authenticator apps. - *Something you are*: Biometric data such as fingerprints, facial recognition, or retinal scans.

Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures:

Identity and Access Management (IAM):

- Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles. - Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations). - Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.

Authentication Tools and Methods:

- Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP). - Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security. - Enforce biometric authentication for compatible devices and applications.

Secure Legacy Systems:

- Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet. - Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.

Monitoring and Alerting:

- Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems. - Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.

Training and Policy Enforcement:

- Educate employees on the importance of MFA and secure authenticator usage. - Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.

M1036: Account Use Policies

Account Use Policies help mitigate unauthorized access by configuring and enforcing rules that govern how and when accounts can be used. These policies include enforcing account lockout mechanisms, restricting login times, and setting inactivity timeouts. Proper configuration of these policies reduces the risk of brute-force attacks, credential theft, and unauthorized access by limiting the opportunities for malicious actors to exploit accounts. This mitigation can be implemented through the following measures:

Account Lockout Policies:

- Implementation: Configure account lockout settings so that after a defined number of failed login attempts (e.g., 3-5 attempts), the account is locked for a specific time period (e.g., 15 minutes) or requires an administrator to unlock it. - Use Case: This prevents brute-force attacks by limiting how many incorrect password attempts can be made before the account is temporarily disabled, reducing the likelihood of an attacker successfully guessing a password.

- Implementation: Set up login time policies to restrict when users or groups can log into systems. For example, only allowing login during standard business hours (e.g., 8 AM to 6 PM) for non-administrative accounts. - Use Case: This prevents unauthorized access outside of approved working hours, where login attempts might be more suspicious or harder to monitor. For example, if an account that is only supposed to be active during the day logs in at 2 AM, it should raise an alert or be blocked.

Inactivity Timeout and Session Termination:

- Implementation: Enforce session timeouts after a period of inactivity (e.g., 10-15 minutes) and require users to re-authenticate if they wish to resume the session. - Use Case: This policy prevents attackers from hijacking active sessions left unattended. For example, if an employee walks away from their computer without locking it, an attacker with physical access to the system would be unable to exploit the session.

Password Aging Policies:

- Implementation: Enforce password aging rules, requiring users to change their passwords after a defined period (e.g., 90 days) and ensure passwords are not reused by maintaining a password history. - Use Case: This limits the risk of compromised passwords being used indefinitely. Regular password changes make it more difficult for attackers to reuse stolen credentials.

Account Expiration and Deactivation:

- Implementation: Configure user accounts, especially for temporary or contract workers, to automatically expire after a set date or event. Accounts that remain unused for a specific period should be deactivated automatically. - Use Case: This prevents dormant accounts from becoming an attack vector. For example, an attacker can exploit unused accounts if they are not properly monitored or deactivated.

**Tools for Implementation**:

- Group Policy Objects (GPOs) in Windows: To enforce account lockout thresholds, login time restrictions, session timeouts, and password policies. - Identity and Access Management (IAM) solutions: For centralized management of user accounts, session policies, and automated deactivation of accounts. - Security Information and Event Management (SIEM) platforms: To monitor and alert on unusual login activity, such as failed logins or out-of-hours access attempts. - Multi-Factor Authentication (MFA) Tools: To further enforce secure login attempts, preventing brute-force or credential stuffing attacks.

M1017: User Training

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:

Create Comprehensive Training Programs:

- Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting. - Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises:

- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training. - Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement:

- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding:

- Include cybersecurity training as part of the onboarding process for new employees. - Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses:

- Update training materials to include emerging threats and techniques used by adversaries. - Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios:

- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering. - Discuss how specific employee actions can prevent or mitigate such attacks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: Apr 1, 2022, 02:15 UTC (UTC+00:00)
Modified: Oct 24, 2025, 17:49 UTC (UTC+00:00)
Raw hash: 13cc63dc98d939c6...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.2	Oct 24, 2025, 17:49 UTC (UTC+00:00)	Current bundle	`13cc63dc98d9…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Obsidian SSPR Abuse 2023

Noah Corradin and Shuyang Wang. (2023, August 1). Behind The Breach: Self-Service Password Reset (SSPR) Abuse in Azure AD. Retrieved March 28, 2024.
Open source URL
[2]
Russian 2FA Push Annoyance - Cimpanu

Catalin Cimpanu. (2021, December 9). Russian hackers bypass 2FA by annoying victims with repeated push notifications. Retrieved March 31, 2022.
Open source URL
[3]
MFA Fatigue Attacks - PortSwigger

Jessica Haworth. (2022, February 16). MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications. Retrieved March 31, 2022.
Open source URL
[4]
Suspected Russian Activity Targeting Government and Business Entities Around the Globe

Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock. (2021, December 6). Suspected Russian Activity Targeting Government and Business Entities Around the Globe. Retrieved April 15, 2022.
Open source URL
[5]
mitre-attack T1621
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams