Weak MFA Manually Activated and Utilized

Alerts on successful access via a newly registered SMS factor (that was not configured by the end user directly). A common account takeover pattern adversaries use involves leveraging social-engineering techniques to fool service desk representatives into changing a targeted account's MFA method to a factor that is controlled by the adversary, such as an SMS phone number.

Recommended Actions

Confirm with the end user that they had requested a change to their MFA and that this is a phone number that they recognize.

Default Check Settings

Evaluation period days: 7

Exclude good known IPs: false

Compatibility

Okta

Entra ID

PreviousUsers With New Email Forward Rules NextTenant Settings

Last updated 3 months ago