Azure AD new verified domain added to tenant

azure

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1078-valid-accounts

Set up the azure integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an account adds a new domain to the tenant. This may indicate an attacker preparing a domain to later use in a trusted domain (also known as federated) attack.

Strategy

Monitor Azure AD audit logs for the following events:

  • Add unverified domain
  • Verify domain

Triage and Response

  1. Check if the user is a known administrator or if the action aligns with their normal activities.
  2. Review recent sign-ins (Azure AD Sign-in Logs) to see if the user’s authentication patterns are unusual (for example, logins from unexpected locations or multiple failed login attempts).
  3. Review if federation settings have been configured for the domain. If federated authentication is configured, ensure this an expected configuration. Federated domains are able to authenticate users on behalf of your Azure AD tenant.
  4. If the domain addition is unauthorized, remove it immediately.
  5. If the action was performed by a compromised account, disable the account and reset its credentials.