Zoom account sign in requirements changed
Goal
This detection identifies when authentication requirements in a Zoom account are weakened or disabled.
Strategy
This detection monitors Zoom operation logs for changes to critical authentication settings. The rule looks for account update events where security controls have been changed from enabled to disabled states, including disabling password requirements, allowing password reuse, turning off two-factor authentication, or disabling one-time passcode authentication. The detection focuses on @evt.category of "Account" with @evt.name values of "Update" or "Batch Update" containing specific message patterns that indicate security controls being turned off. Events are grouped by the email address of the user making the changes (@usr.email).
Weakening authentication settings is concerning as it reduces the security posture of the organization’s Zoom environment, potentially making it easier for unauthorized users to access accounts through credential attacks or account takeovers.
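The matching logic described above, as an added illustration that is not part of the rule's own implementation: it filters constructed sample operation-log events on @evt.category, @evt.name and an assumed free-text message field, then groups the hits by @usr.email so that several weakenings by one administrator stand out. The message wording and regular expressions are assumptions, since the page does not list the exact patterns.

```python
import re
from collections import defaultdict

# Constructed sample events (not real Zoom log output). Field names follow the
# page's attributes; "message" is an assumed field carrying the setting change.
SAMPLE_EVENTS = [
    {"evt.category": "Account", "evt.name": "Update", "usr.email": "admin@example.com",
     "message": "Sign in with two-factor authentication: from On to Off"},
    {"evt.category": "Account", "evt.name": "Batch Update", "usr.email": "admin@example.com",
     "message": "Password requirement: from On to Off"},
    {"evt.category": "Account", "evt.name": "Update", "usr.email": "admin@example.com",
     "message": "Password reuse: from Off to On"},
    # Hardening change: the same control is turned on, so it must not match.
    {"evt.category": "Account", "evt.name": "Update", "usr.email": "ops@example.com",
     "message": "Sign in with two-factor authentication: from Off to On"},
    # Wrong category: a user-level event, outside the rule's scope.
    {"evt.category": "User", "evt.name": "Update", "usr.email": "ops@example.com",
     "message": "One-time passcode authentication: from On to Off"},
]

# Assumed message patterns for the four weakenings the page names. Allowing
# password reuse is a weakening when it goes from Off to On, so it is handled
# separately from the controls that weaken when they go from On to Off.
WEAKENING_PATTERNS = [
    re.compile(r"(password requirement|two-factor authentication|one-time passcode)"
               r".*from on to off", re.IGNORECASE),
    re.compile(r"password reuse.*from off to on", re.IGNORECASE),
]


def is_weakening(event):
    """True when the event is an Account Update/Batch Update that disables a control."""
    if event.get("evt.category") != "Account":
        return False
    if event.get("evt.name") not in ("Update", "Batch Update"):
        return False
    message = event.get("message", "")
    return any(pattern.search(message) for pattern in WEAKENING_PATTERNS)


def group_by_user(events):
    """Map each @usr.email to the list of weakening messages it produced."""
    hits = defaultdict(list)
    for event in events:
        if is_weakening(event):
            hits[event.get("usr.email", "<unknown>")].append(event["message"])
    return dict(hits)


if __name__ == "__main__":
    for email, changes in group_by_user(SAMPLE_EVENTS).items():
        print(f"{email}: {len(changes)} authentication weakening(s)")
```

A user with more than one entry in the result is the "rapid succession" case the triage steps call out, once timestamps are taken into account.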
Triage & Response
- Verify which specific authentication requirement was changed and assess the security impact.
- Identify which administrator account ({{@usr.email}}) made the change and confirm this was the legitimate account owner.
- Check for other recent administrative actions by the same user to establish a pattern of behavior.
- Look for concurrent security changes across the Zoom environment that might indicate a broader attack.
- Evaluate whether multiple authentication requirements were changed in rapid succession.
- Restore proper authentication requirements if the change was unauthorized.
- Consider temporarily restricting permissions of the administrator account pending investigation.