Failed MFA Challenge

Medium Resolved

ALR-00278 · 2026-04-09T01:33:51Z

Description

Multiple failed MFA challenges for user 'p.thomas' — 12 push notifications in 3 minutes suggesting MFA fatigue attack. Attack Surface Scanner locked account.

Alert Metadata

Alert ID: ALR-00278
Timestamp: 2026-04-09T01:33:51Z
Severity: Medium
Status: Resolved
Detection Source: Attack Surface Scanner
Assigned Analyst: Emma Richardson

Endpoint Information

Hostname: WS-LAP-011
User Account: p.thomas
Source IP: 194.234.62.159
Destination IP: 10.2.144.106
Origin Country: NG Nigeria

MITRE ATT&CK Mapping

Tactic: Credential Access
Technique: T1621
Reference: attack.mitre.org/techniques/T1621

Investigation Timeline

01:33:51 Event ingested by SOC365 Engine

01:33:53 EmilyAI triage started — correlation enrichment

01:34:03 EmilyAI confidence: 85% — escalated to human analyst

01:34:13 Alert assigned to analyst: Emma Richardson

01:35:20 Investigation started — querying SIEM and threat intelligence

01:42:23 Containment action taken — endpoint isolated

01:45:35 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00387	3h ago	Failed MFA Challenge	Low	Open	SRV-WEB-01
ALR-00173	4h ago	Privilege Escalation Attempt	Medium	Resolved	WS-LAP-011
ALR-00020	5h ago	Failed MFA Challenge	Low	Resolved	SRV-FILE-01
ALR-00061	10h ago	Phishing Email Blocked	Low	Investigating	WS-LAP-011
ALR-00193	13h ago	Failed MFA Challenge	Informational	Investigating	FW-EDGE-01