These rules trigger an alert when the registered MFA methods of an administrator with tier 0 (the highest level of) privileges are changed.
Rationale
Changing MFA methods can certainly be a legitimate action, but it is always worth validating it further, especially for users with high-level admin rights.
It can also be an indicator of compromise: after gaining initial access to an account, attackers commonly register an MFA method of their own so that they retain access to the stolen account without being noticed, even after the password is reset.
This detection is set up in two rules: RULE-1148 and RULE-1149.
The detection is split over two rules because a tier 0 administrator has to be identified differently depending on whether the Microsoft tenant uses Privileged Identity Management (PIM): without PIM the administrator holds a permanent role assignment, whereas with PIM the administrator is typically only eligible for the role and may not hold it at the moment the MFA change takes place.
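The following is an added example, written for this page and not the logic of RULE-1148 or RULE-1149 themselves. It builds the list of tier 0 administrators in the two ways described above (permanent role members, and PIM-eligible principals when `$UsePim` is set) and then flags the Microsoft Entra audit events that change security info for one of them. The role list, the 24-hour look-back window and the assumption that PIM eligibilities are assigned to users directly (not via groups) are illustrative choices; the Microsoft.Graph PowerShell module is required.

```powershell
# Added example, not Attic's rule logic. Requires the Microsoft.Graph PowerShell module.
# Assumptions: which roles count as tier 0 is a per-tenant decision (three common picks
# below); PIM eligibilities are assigned to users directly; 24-hour look-back window.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'RoleEligibilitySchedule.Read.Directory'

$Tier0Roles = @('Global Administrator', 'Privileged Role Administrator',
                'Privileged Authentication Administrator')
$UsePim = $true   # set to $false for tenants without Privileged Identity Management

$script:tier0 = @{}   # object id -> list of role descriptions
function Add-Tier0 ([string]$Id, [string]$Why) {
    if (-not $script:tier0.ContainsKey($Id)) { $script:tier0[$Id] = @() }
    $script:tier0[$Id] += $Why
}

foreach ($roleName in $Tier0Roles) {
    # Without PIM (or for permanent assignments): members of the activated directory role.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if ($role) {
        Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
            ForEach-Object { Add-Tier0 -Id $_.Id -Why "$roleName (active)" }
    }
    if ($UsePim) {
        # With PIM the admin is usually only *eligible* and activates the role for a few
        # hours, so at the moment of the MFA change they may not be a role member at all.
        $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
        Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
            -Filter "roleDefinitionId eq '$($def.Id)'" -All |
            ForEach-Object { Add-Tier0 -Id $_.PrincipalId -Why "$roleName (PIM eligible)" }
    }
}

# Security-info changes are logged in the UserManagement category, e.g.
# 'User registered security info', 'User deleted security info',
# 'Admin registered security info', 'User changed default security info'.
$since  = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq 'UserManagement' and activityDateTime ge $since"

$alerts = foreach ($ev in $events) {
    if ($ev.ActivityDisplayName -notmatch 'security info') { continue }
    $target = $ev.TargetResources | Where-Object { $_.Type -eq 'User' } | Select-Object -First 1
    if (-not $target -or -not $script:tier0.ContainsKey($target.Id)) { continue }
    [pscustomobject]@{
        Time        = $ev.ActivityDateTime
        Activity    = $ev.ActivityDisplayName
        Target      = $target.UserPrincipalName
        Tier0Roles  = $script:tier0[$target.Id] -join ', '
        Initiator   = $ev.InitiatedBy.User.UserPrincipalName
        # A change the administrator did not make themselves is the more suspicious variant.
        SelfService = ($ev.InitiatedBy.User.Id -eq $target.Id)
    }
}
$alerts | Sort-Object Time | Format-Table -AutoSize
```

Running this with `$UsePim = $false` in a PIM tenant is exactly the failure mode the two-rule setup avoids: an administrator who is only eligible for Global Administrator does not appear in `Get-MgDirectoryRoleMember`, so a change to their MFA methods would go unflagged.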
Follow-up
Perform the following steps to properly respond to this detection:
- Determine whether the administrator in question knowingly changed the MFA method themselves. Verify this through a separate channel (a phone call or in person), not by messaging the account that may be compromised.
- If yes: close the incident as resolved.
- If not: disable the account, revoke its sessions, and start a follow-up investigation of the account that performed the change and of what was done with the administrator's privileges in the meantime; that account may be compromised.
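As an added example of the containment steps above (this is not Attic's fix and not part of the original page), the following Microsoft Graph PowerShell script disables the flagged administrator, revokes their sessions and records the authentication methods that are registered at that moment for the investigation. The UPN is a placeholder; the script assumes the Microsoft.Graph module is installed and that you run it from a separate, known-good administrator or break-glass account, since the caller needs a role that may disable administrators.

```powershell
# Added example of the containment steps, not Attic's fix.
# Run from a separate, known-good admin or break-glass account: disabling a tier 0
# account and revoking its sessions while signed in as that account locks you out.
$Upn = 'tier0.admin@contoso.example'   # placeholder: the administrator from the alert

$scopes = @('User.Read.All', 'User.EnableDisableAccount.All',
            'User.RevokeSessions.All', 'UserAuthenticationMethod.Read.All')
Connect-MgGraph -Scopes $scopes

$me = (Get-MgContext).Account
if ($me -eq $Upn) { throw "Refusing to disable the account you are signed in with ($me)." }

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# 1. Disable the account so the password (and the attacker's MFA method) no longer works.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens and sessions. Access tokens already issued stay valid until
#    they expire (typically up to an hour), so expect a short tail of activity.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Record what is registered now, before anything is cleaned up, so the investigation
#    can compare it with the audit event. Removing a method the attacker added needs the
#    type-specific cmdlet (e.g. Remove-MgUserAuthenticationPhoneMethod), left as a
#    manual step once you know which one it was.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize

# Confirm the account is now disabled.
Get-MgUser -UserId $user.Id -Property AccountEnabled | Select-Object AccountEnabled
```

Keep the output of step 3 with the incident record: the method whose registration the alert fired on should be in that list, and its absence would itself be worth explaining.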
Attic FIX
A fix will be provided to easily disable the account once you have confirmed that malicious behaviour is involved. For the follow-up investigation you can contact us: Attic can support you via our IR Punch Card.