Azure AD new verified domain added to tenant

azure

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1078-valid-accounts

Set up the azure integration.

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detect when an account adds a new domain to the tenant. This may indicate an attacker preparing a domain to later use in a trusted domain (also known as federated) attack.

Strategy

Monitor Azure AD audit logs for the following events:

  • Add unverified domain
  • Verify domain

Triage and Response

  1. Check if the user is a known administrator or if the action aligns with their normal activities.
  2. Review recent sign-ins (Azure AD Sign-in Logs) to see if the user’s authentication patterns are unusual (for example, logins from unexpected locations or multiple failed login attempts).
  3. Review if federation settings have been configured for the domain. If federated authentication is configured, ensure this an expected configuration. Federated domains are able to authenticate users on behalf of your Azure AD tenant.
  4. If the domain addition is unauthorized, remove it immediately.
  5. If the action was performed by a compromised account, disable the account and reset its credentials.