1. Suspicious off-hours registration
An attacker who compromises an account registers a new MFA factor during off-hours, hoping it will go undetected, and plans to use it for persistent access.
2. Unusual device for MFA registration
A factor is registered from an unrecognized device that does not align with the user’s usual equipment, raising suspicion of unauthorized access.