Lateral movement

Azure AD Suspicious Factor Registration

Detection overview

The "Azure AD Suspicious Factor Registration" detection alerts security teams when a potentially unauthorized authentication factor, such as a new multi-factor authentication (MFA) method, is registered to an account in Azure Active Directory. The detection indicates that an attacker may be attempting to retain persistent access by adding an authentication method of their own, which would let them satisfy MFA and sign-in requirements even after the credential used for the initial compromise is changed.

Triggers

  • A suspicious new authentication factor has been registered to an account which may provide an attacker with persistent access to your tenant.

Possible Root Causes

  • An attacker may have compromised an account and registered a new authentication method (such as an MFA method) in the environment to maintain continuous access. By registering a new authentication method, the attacker’s ongoing access may be extended beyond the method of initial compromise.
  • A legitimate user may have added a new authentication method under circumstances that were unexpected for the environment.
  • Note: The specific authentication method itself may be typical for the environment.

Business Impact

  • An attacker who registers an authentication factor could bypass policies related to login requirements and access, enabling persistent access to cloud and potentially network data.

Steps to Verify

  • Review whether the location of the registration aligns with the user’s expected activity.
  • Consult the available logs to determine if the activity prior to the registration is as expected.
  • Reach out to the account owner to confirm that they registered the factor.
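As an added example (not code from this page or from the detection vendor), the three verification steps above written as triage logic in Python. It runs over a handful of constructed audit and sign-in records shaped like Microsoft Graph auditLogs/directoryAudits and auditLogs/signIns entries. The operation names "User registered security info", "User registered all required security info" and "Admin registered security info" are the ones Entra ID writes to the audit log; the users, IP addresses, per-user baseline, timestamps and the triage_factor_registrations function are assumptions made for the example. It also covers the off-hours and unfamiliar-source scenarios described later on the page, and the case where an administrator registers a method on a user's behalf.

```python
"""Triage of Azure AD security-info registration events (added example).

Walks the three verification steps over constructed sample records:
  1. does the registration's source IP and time fit the user's baseline,
  2. what sign-in activity preceded the registration,
  3. who initiated it (the user, or an admin on their behalf).
"""
from datetime import datetime, timedelta

# Constructed per-user baseline (assumption: in practice derived from recent
# sign-in logs, not hard-coded). Working window is in UTC, end exclusive.
BASELINES = {
    "alice@contoso.example": {
        "known_ips": {"203.0.113.10"},
        "known_countries": {"US"},
        "work_hours_utc": (13, 22),
    },
}
# Operation names Entra ID writes for security-info (authentication method) changes.
REGISTRATION_OPS = {
    "User registered security info",
    "User registered all required security info",
    "Admin registered security info",
}

def _parse(ts):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _initiator(event):
    """Return (principal, ip) of whoever performed the operation."""
    who = event.get("initiatedBy", {})
    actor = who.get("user") or who.get("app") or {}
    return actor.get("userPrincipalName") or actor.get("displayName"), actor.get("ipAddress")

def _target(event):
    for res in event.get("targetResources", []):
        if res.get("type") == "User":
            return res.get("userPrincipalName")
    return None

def triage_factor_registrations(audit_events, signin_events, baselines, lookback=timedelta(hours=2)):
    """Return [(target_upn, registration_time, [reasons])] for registrations
    that deviate from baseline; registrations with no deviation are omitted."""
    findings = []
    for ev in audit_events:
        if ev.get("activityDisplayName") not in REGISTRATION_OPS or ev.get("result") != "success":
            continue
        target = _target(ev)
        actor, ip = _initiator(ev)
        when = _parse(ev["activityDateTime"])
        base = baselines.get(target, {})
        reasons = []
        # Step 1: do the registration's location and timing match expected activity?
        if ip and ip not in base.get("known_ips", set()):
            reasons.append(f"registration from IP {ip} not seen in {target}'s baseline")
        start, end = base.get("work_hours_utc", (0, 24))
        if not start <= when.hour < end:
            reasons.append(f"registration at {when:%H:%M} UTC is outside working hours")
        # Step 2: is the sign-in activity just before the registration as expected?
        for s in signin_events:
            if s["userPrincipalName"] != target:
                continue
            t = _parse(s["createdDateTime"])
            country = s.get("location", {}).get("countryOrRegion")
            if when - lookback <= t <= when and country and country not in base.get("known_countries", set()):
                reasons.append(f"preceded by sign-in from {country} ({s.get('ipAddress')}) at {t:%H:%M} UTC")
        # Step 3: an admin registering on a user's behalf should map to a change request.
        if actor and actor != target:
            reasons.append(f"registered by {actor} on behalf of {target}; confirm against change control")
        if reasons:
            findings.append((target, when, reasons))
    return findings

# Constructed sample events (not real tenant data).
AUDIT_EVENTS = [
    {   # benign: Alice adds a method from her usual office IP during the working day
        "activityDisplayName": "User registered security info",
        "activityDateTime": "2024-03-05T15:12:09Z", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}},
        "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"}],
    },
    {   # suspicious: same account registers a method at 03:40 UTC from an unknown IP
        "activityDisplayName": "User registered security info",
        "activityDateTime": "2024-03-06T03:40:51Z", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.77"}},
        "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"}],
    },
]
SIGNIN_EVENTS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-03-05T15:02:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-03-06T03:31:02Z",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}},
]

if __name__ == "__main__":
    for target, when, reasons in triage_factor_registrations(AUDIT_EVENTS, SIGNIN_EVENTS, BASELINES):
        print(f"{when:%Y-%m-%d %H:%M} UTC  {target}")
        for r in reasons:
            print("   -", r)
```

Run stand-alone, the benign daytime registration produces nothing, while the 03:40 UTC registration is reported with three reasons: unknown source IP, off-hours timing, and a preceding sign-in from a country absent from the baseline. The third step only fires when the initiator differs from the target, which is how the "IT registered it on the user's behalf" case in the FAQ surfaces for a change-control check rather than being silently accepted.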

Possible root causes

Malicious Detection

Attackers who have gained control of an account may add new authentication factors, such as a secondary MFA method, to maintain persistent access to the environment. This additional factor serves as an alternative means of entry, allowing the attacker to circumvent account restrictions or remain undetected despite changes to the primary account credentials.

Benign Detection

Legitimate users may sometimes register a new authentication method, such as updating or adding an MFA device. This can occur when a user changes devices or adjusts their authentication preferences, which could appear suspicious if it deviates from typical registration patterns within the organization.

Example scenarios

1. Suspicious off-hours registration

An attacker who compromises an account registers a new MFA factor during off-hours, hoping it will go undetected, and plans to use it for persistent access.

2. Unusual device for MFA registration

A factor is registered from an unrecognized device that does not align with the user’s usual equipment, raising suspicion of unauthorized access.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Increased risk of unauthorized access

Attackers could bypass access restrictions, maintaining undetected access with the use of an unauthorized authentication factor.

Potential data exposure

Persistent access to Azure AD through a secondary factor may allow attackers to exfiltrate or manipulate sensitive data.

Regulatory compliance risk

Unauthorized access due to a fraudulent authentication factor could expose the organization to compliance violations by enabling access to restricted systems.

Steps to investigate

MITRE ATT&CK techniques covered

FAQs

What makes an authentication factor suspicious?

Unusual timing, location, or device type for the factor registration can indicate a suspicious factor.

What should I do if this detection is triggered?

First, verify the registration details with the account owner and review associated activity logs for further anomalies.

How can I confirm if the registration was legitimate?

Reviewing the registration’s origin, time, and associated device, along with confirming with the user, can help determine legitimacy.

What is the risk of not investigating this detection?

Failing to investigate could allow attackers to retain undetected access, leading to potential data breaches or system disruptions.

Is it advisable to disable the newly registered factor immediately?

Not until verifying legitimacy, as disabling legitimate user access without verification could disrupt business activities.

Why is adding an MFA method a potential risk?

It may allow attackers who have compromised an account to maintain access without detection by leveraging a secondary factor.

Is the account necessarily compromised if this is triggered?

Not always; sometimes a legitimate user action may trigger this detection, but it’s critical to investigate thoroughly.

Could a legitimate IT action trigger this?

Yes, in cases where IT registers factors on behalf of users, though this should follow strict change control procedures.

Can attackers add factors through phishing?

Yes, attackers often use phishing to acquire initial access, which they can then expand by adding authentication factors.

Are there other detections linked to account persistence?

Other detections include suspicious sign-ons, unusual device registrations, and MFA failures that might accompany this behavior.