Skip to content
Threat Feed
high advisory

Azure AD New MFA Method Registered For User

An adversary may register a new MFA method in Azure AD on a compromised account to maintain persistence and bypass existing security controls.

This analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. This activity, sourced from Azure AD AuditLogs, identifies when a user registers new security information. Attackers who gain unauthorized access to an account may add their own MFA method to maintain persistence, even after the original owner resets their password. This allows attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment. Defenders should investigate any unexpected MFA registrations, especially for privileged accounts.

Attack Chain

  1. The attacker gains initial access to an Azure AD account through password spraying, phishing, or other credential compromise techniques.
  2. The attacker logs into the compromised Azure AD account.
  3. The attacker navigates to the Azure AD security settings.
  4. The attacker initiates the registration of a new MFA method (e.g., Microsoft Authenticator app, phone number).
  5. Azure AD AuditLogs record the "User registered security info" event with operationType "Add".
  6. The attacker completes the MFA registration process.
  7. The attacker can now use the newly registered MFA method to authenticate to the compromised account, even if the original password is changed.
  8. The attacker uses the persistent access to perform further malicious activities, such as data exfiltration or privilege escalation.

Impact

Successful registration of a new MFA method by an attacker leads to persistent access to the compromised Azure AD account. This can lead to unauthorized access to sensitive data, lateral movement within the organization's cloud environment, and potential privilege escalation. The number of victims depends on the scope of the initial compromise, and the potential damage includes data breaches, financial loss, and reputational damage.

Recommendation

  • Deploy the Sigma rule Azure AD New MFA Method Registered For User to your SIEM and tune for your environment to detect suspicious MFA registrations.
  • Investigate any alerts generated by the Azure AD New MFA Method Registered For User rule, especially for privileged accounts.
  • Monitor Azure AD AuditLogs for "User registered security info" events with operationType "Add" to identify potentially malicious MFA registrations.
  • Implement strong password policies and MFA enrollment campaigns to reduce the risk of initial credential compromise.
  • Consider conditional access policies that restrict MFA registration to trusted devices and locations.

Detection coverage 2

Azure AD New MFA Method Registered For User

high

Detects the registration of a new MFA method for a user account in Azure AD, which could indicate malicious activity.

sigma tactics: defense_evasion, persistence techniques: T1556.006 sources: audit, azure_ad

Azure AD MFA Registration from Unusual Location

medium

Detects MFA registration from an unusual geographical location for a user.

sigma tactics: defense_evasion, persistence techniques: T1556.006 sources: audit, azure_ad

Detection queries are available on the platform. Get full rules →