# Weak MFA Manually Activated and Utilized

Alerts when an account is successfully accessed using a newly registered SMS factor that the end user did not configure directly. A common account takeover pattern is for adversaries to use social engineering to trick service desk representatives into changing a targeted account's MFA method to a factor the adversary controls, such as an SMS phone number.

#### **Recommended Actions**

Confirm with the end user that they requested the change to their MFA and that they recognize the phone number.

#### **Default Check Settings**

Evaluation period days: 7

Exclude good known IPs: false
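
The correlation this check describes, sketched as an added example (not the product's own code): an SMS factor registered by someone other than the account owner, followed by a successful SMS sign-in. The event schema, user names, and IP addresses are constructed, and treating the evaluation period as the window between registration and sign-in is an assumption.

```python
from datetime import datetime, timedelta

EVALUATION_PERIOD_DAYS = 7          # default from this page
EXCLUDE_KNOWN_GOOD_IPS = False      # default from this page
KNOWN_GOOD_IPS = {"198.51.100.10"}  # constructed allow-list

# Constructed events in a hypothetical normalized schema (not the raw
# Okta or Entra ID log format). "actor" is who performed the registration.
EVENTS = [
    {"ts": "2025-03-20T09:00:00", "type": "factor_registered", "actor": "helpdesk1", "user": "alice", "factor": "sms"},
    {"ts": "2025-03-20T09:12:00", "type": "signin_success", "user": "alice", "factor": "sms", "ip": "203.0.113.7"},
    {"ts": "2025-03-21T08:00:00", "type": "factor_registered", "actor": "bob", "user": "bob", "factor": "sms"},
    {"ts": "2025-03-21T08:05:00", "type": "signin_success", "user": "bob", "factor": "sms", "ip": "203.0.113.9"},
    {"ts": "2025-03-01T10:00:00", "type": "factor_registered", "actor": "helpdesk1", "user": "carol", "factor": "sms"},
    {"ts": "2025-03-22T10:00:00", "type": "signin_success", "user": "carol", "factor": "sms", "ip": "203.0.113.11"},
    {"ts": "2025-03-22T11:00:00", "type": "factor_registered", "actor": "helpdesk2", "user": "dave", "factor": "sms"},
    {"ts": "2025-03-22T11:30:00", "type": "signin_success", "user": "dave", "factor": "push", "ip": "203.0.113.12"},
]

def find_weak_mfa_takeovers(events, period_days=EVALUATION_PERIOD_DAYS,
                            exclude_known_ips=EXCLUDE_KNOWN_GOOD_IPS,
                            known_ips=KNOWN_GOOD_IPS):
    """Return (user, registrar, ip) for SMS sign-ins that follow an SMS
    registration performed by someone other than the account owner."""
    window = timedelta(days=period_days)
    pending = {}  # user -> (registration time, registrar)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["factor"] != "sms":
            continue  # only the weak factor is of interest
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "factor_registered":
            if ev["actor"] != ev["user"]:  # not configured by the end user
                pending[ev["user"]] = (ts, ev["actor"])
        elif ev["type"] == "signin_success" and ev["user"] in pending:
            reg_ts, registrar = pending[ev["user"]]
            if ts - reg_ts > window:
                continue  # registration is older than the evaluation period
            if exclude_known_ips and ev["ip"] in known_ips:
                continue  # optional suppression of known-good source IPs
            alerts.append((ev["user"], registrar, ev["ip"]))
    return alerts

if __name__ == "__main__":
    for user, registrar, ip in find_weak_mfa_takeovers(EVENTS):
        print(f"ALERT {user}: SMS factor set by {registrar}, then used from {ip}")
```

Only `alice` alerts with the defaults: `bob` enrolled the factor himself, `carol` signed in 21 days after registration, and `dave` signed in with a different factor.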

#### **Compatibility**

[Okta](https://docs.oort.io/integrations/okta-data-integration)

[Microsoft Entra ID](https://docs.oort.io/integrations/azure-active-directory-integration)

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FWjlTGr8uS9RDlVMHTWY3%2FScreenshot%202025-03-27%20at%201.48.10%E2%80%AFPM.png?alt=media&#x26;token=d26f7d4d-e18b-4e73-b86e-0dd10d6c76e6" alt=""><figcaption></figcaption></figure>
