From gbhackers.com
It is difficult to secure cloud accounts from threat actors who exploit multi-factor authentication (MFA) settings.
Threat actors usually alter compromised users’ MFA attributes by bypassing the requirements, disabling MFA for others, or enrolling rogue devices in the system.
They do so stealthily, mirroring helpdesk operations, which makes the changes hard to spot in the noise of directory audit logs.
To protect themselves against this insidious attack vector in cloud environments, organizations need to strengthen monitoring and controls around MFA configuration changes.
Cybersecurity researchers at Microsoft recently detailed how to use KQL (Kusto Query Language) to hunt for MFA manipulation.
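A hunting query along these lines, as an added example that is not Microsoft's published query or part of the original article. It assumes Microsoft Entra ID audit events are exported to the `AuditLogs` table in Log Analytics or Microsoft Sentinel; the lookback window and the change threshold are assumed values to tune per tenant.

```kql
// Added example: surface accounts that change MFA registration for other
// users, or change their own methods unusually often.
let lookback = 14d;           // assumed hunting window
let min_self_changes = 3;     // assumed threshold for self-service changes
let mfa_ops = dynamic([
    "Admin registered security info",
    "Admin deleted security info",
    "User registered security info",
    "User deleted security info"]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in~ (mfa_ops)
| where Result =~ "success"
// The initiator is either a user or an application (service principal).
| extend ActorUpn = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorApp = tostring(InitiatedBy.app.displayName)
| extend Actor    = iff(isnotempty(ActorUpn), ActorUpn, ActorApp)
| extend ActorIP  = tostring(InitiatedBy.user.ipAddress)
| extend Target   = tostring(TargetResources[0].userPrincipalName)
// Helpdesk-style activity: an admin operation performed on someone else.
| extend AdminOnOther = OperationName startswith "Admin" and Actor !~ Target
| summarize
    Changes    = count(),
    Targets    = dcount(Target),
    TargetList = make_set(Target, 50),
    Operations = make_set(OperationName),
    SourceIPs  = make_set(ActorIP, 20),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by Actor, AdminOnOther
// Keep every admin-on-other actor; keep self-service only above threshold.
| where AdminOnOther or Changes >= min_self_changes
| order by Targets desc, Changes desc
```

Reviewing the output against the list of accounts that legitimately perform helpdesk resets separates expected actors from ones that only resemble them.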