O365 MFA Disabled by User
Detection of Multi-Factor Authentication (MFA) being disabled for a user account in Office 365, potentially indicating malicious activity or an insider threat.
This analytic focuses on identifying instances where Multi-Factor Authentication (MFA) is disabled for a user within an Office 365 environment. Attackers may disable MFA to maintain persistent access to compromised accounts, bypassing a critical security control. The detection leverages Office 365 audit logs to specifically monitor "Disable Strong Authentication" events. The disabling of MFA can significantly increase the risk of unauthorized access and data breaches. This activity warrants immediate investigation to determine the legitimacy of the action, re-enable MFA if necessary, and assess the account for other suspicious behavior.
Attack Chain
- An attacker gains initial access to an Office 365 account through compromised credentials, phishing, or other means (not directly covered in the source).
- The attacker authenticates to the Office 365 environment.
- The attacker navigates to the user management section within the Office 365 admin portal, or uses PowerShell with appropriate privileges.
- The attacker locates the target user account for which they want to disable MFA.
- The attacker initiates the "Disable Strong Authentication" action for the target user. This generates an O365 management activity event.
- The O365 logs record the "Disable Strong Authentication" event, capturing details such as the actor (UserId), target user, and timestamp.
- The attacker leverages the now-unprotected account to access sensitive data, send malicious emails, or perform other unauthorized actions.
- The attacker attempts to maintain persistence by establishing other backdoors.
Impact
Disabling MFA on an Office 365 account significantly increases the risk of unauthorized access. Attackers can leverage compromised accounts to gain access to sensitive data, distribute malware, or perform other malicious activities. If successful, this can lead to data breaches, financial losses, and reputational damage. The impact can range from individual account compromise to widespread organizational damage, depending on the attacker's objectives and the compromised account's privileges.
Recommendation
- Deploy the Sigma rule
O365 Disable MFA Detectedto your SIEM to detect instances of MFA being disabled in your environment. - Investigate any triggered alerts from the
O365 Disable MFA Detectedrule immediately to determine the legitimacy of the action and assess the affected account for suspicious behavior. - Implement the
O365 Disable MFA Filtermacro to filter out legitimate MFA disabling events based on known service accounts or administrator actions, reducing false positives. - Enable detailed auditing of Office 365 management activity to ensure comprehensive logging for detection purposes.
- Review and enforce strong password policies and educate users on phishing and other social engineering techniques to prevent initial account compromise.
- Consider implementing conditional access policies to restrict access based on location, device, or other factors to further mitigate the risk of unauthorized access.
Detection coverage 2
O365 Disable MFA Detected
highDetects when multi-factor authentication is disabled for a user in Office 365.
O365 MFA Disabled by Non-Admin User
mediumDetects when multi-factor authentication is disabled by a non-admin user in Office 365, which may indicate malicious activity.
Detection queries are available on the platform. Get full rules →