Weak MFA Manually Activated and Utilized
Last updated
Last updated
Alerts on successful access via a newly registered SMS factor (that was not configured by the end user directly). A common account takeover pattern adversaries use involves leveraging social-engineering techniques to fool service desk representatives into changing a targeted account's MFA method to a factor that is controlled by the adversary, such as an SMS phone number.
Confirm with the end user that they had requested a change to their MFA and that this is a phone number that they recognize.
Evaluation period days: 7
Exclude good known IPs: false