<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Single-Factor Authentication - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/single-factor-authentication/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/single-factor-authentication/feed.xml" rel="self" type="application/rss+xml"/><item><title>Okta Successful Single Factor Authentication Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-okta-single-factor-auth/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-okta-single-factor-auth/</guid><description>Successful single-factor authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication (MFA) enabled, potentially indicating account takeover attempts.</description><content:encoded><![CDATA[<p>This brief focuses on detecting successful single-factor authentication attempts against Okta dashboards. The detection logic identifies successful authentication events where &quot;Okta Verify&quot; is not used, suggesting a potential misconfiguration, policy violation, or account takeover attempt. The activity is detected by analyzing Okta logs for successful authentication events. An attacker exploiting this weakness could gain unauthorized access to accounts, leading to data breaches or further exploitation within the environment. The initial detection logic was published in Splunk ES Content as of April 15, 2026. This remains a relevant tactic for initial access and privilege escalation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a valid username/password through credential harvesting or previously compromised credentials. (T1586.003)</li>
<li>The attacker attempts to log into the Okta dashboard using the compromised credentials.</li>
<li>Okta processes the login attempt, and because MFA is either disabled or not enforced for the account, a single-factor authentication is successful.</li>
<li>The Okta logs record the successful authentication event with an eventType of either 'user.authentication.verify' or 'user.authentication.auth_via_mfa', and the targets field not containing &quot;Okta Verify.&quot;</li>
<li>The attacker gains access to the Okta dashboard and any applications accessible through Okta.</li>
<li>The attacker leverages their access to enumerate users, groups, and applications within the Okta environment.</li>
<li>The attacker escalates privileges by assigning themselves higher-level roles or adding themselves to privileged groups.</li>
<li>The attacker gains access to sensitive applications and data, potentially leading to data exfiltration or other malicious activities. (T1621)</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful single-factor authentication attack can result in unauthorized access to sensitive applications and data. This can lead to data breaches, financial loss, and reputational damage. The number of affected users and the extent of the damage depend on the privileges and access levels associated with the compromised account. Organizations using Okta for identity management are particularly vulnerable. The successful exploitation can bypass existing security controls and create an entry point for more significant attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Okta Successful Single Factor Authentication</code> to your SIEM and tune for your environment to identify single-factor authentication events.</li>
<li>Investigate any alerts generated by the Sigma rule <code>Okta Successful Single Factor Authentication</code> to determine the legitimacy of the authentication attempt.</li>
<li>Enforce MFA for all users in the Okta environment to mitigate the risk of account takeover, referencing the Okta documentation on MFA implementation.</li>
<li>Review and enforce Okta MFA policies to prevent single-factor authentication (reference: Okta documentation).</li>
<li>Monitor Okta logs for suspicious activity, such as unusual login locations or access patterns, using the Splunk Add-on for Okta Identity Cloud (<a href="https://splunkbase.splunk.com/app/6553)">https://splunkbase.splunk.com/app/6553)</a>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>okta</category><category>single-factor authentication</category><category>account takeover</category></item><item><title>Azure AD Successful Single-Factor Authentication</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-single-factor-auth/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-single-factor-auth/</guid><description>Successful single-factor authentication events against Azure Active Directory are identified using Azure SignInLogs data, which may indicate misconfiguration, policy violation, or potential account takeover leading to data breaches and privilege escalation.</description><content:encoded><![CDATA[<p>This analytic identifies successful single-factor authentication events against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. An attacker gaining unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment. Multi-factor authentication (MFA) is a crucial security control, and its absence can significantly increase the risk of account compromise. The analytic focuses on Azure AD events and is designed to detect deviations from expected authentication patterns.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to a valid username and password through phishing, credential stuffing, or purchasing stolen credentials.</li>
<li>Attempt Authentication: The attacker attempts to authenticate to Azure AD using the compromised credentials, bypassing MFA if it is not enabled or configured correctly.</li>
<li>Single-Factor Authentication Success: Azure AD logs a successful single-factor authentication event, indicating that the attacker has gained access without additional verification.</li>
<li>Reconnaissance: Once authenticated, the attacker performs reconnaissance activities within the Azure AD environment, gathering information about users, groups, and resources.</li>
<li>Privilege Escalation: The attacker attempts to escalate privileges by exploiting misconfigurations or vulnerabilities within Azure AD or related services.</li>
<li>Lateral Movement: The attacker moves laterally to other systems and applications within the organization's environment, leveraging the compromised account's access rights.</li>
<li>Data Exfiltration: The attacker accesses and exfiltrates sensitive data from cloud storage, databases, or applications accessible with the compromised credentials.</li>
<li>Persistence: The attacker establishes persistence by creating new user accounts, modifying existing ones, or deploying malicious applications within Azure AD.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful single-factor authentication attack can lead to significant damage, including unauthorized access to sensitive data, privilege escalation, and lateral movement within the organization's cloud environment. The absence of MFA makes accounts vulnerable to credential-based attacks. The impact could include data breaches, financial loss, and reputational damage. Many organizations now require this as part of compliance frameworks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect successful single-factor authentication events in Azure AD logs (Azure Active Directory, <code>azure_monitor_aad</code>).</li>
<li>Review and enforce multi-factor authentication (MFA) policies for all users and applications in Azure AD to prevent unauthorized access (<a href="https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks">https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks</a>*).</li>
<li>Investigate any detected successful single-factor authentication events to determine if they are legitimate or indicative of malicious activity (Azure Active Directory, <code>azure_monitor_aad</code>).</li>
<li>Monitor user activity for signs of reconnaissance, privilege escalation, and lateral movement following a successful single-factor authentication event (Azure Active Directory, <code>azure_monitor_aad</code>).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azuread</category><category>single-factor authentication</category><category>account takeover</category></item></channel></rss>