Azure AD new verified domain added to tenant

azure

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1078-valid-accounts

Set up the azure integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an account adds a new domain to the tenant. This may indicate an attacker preparing a domain to later use in a trusted domain (also known as federated) attack.

Strategy

Monitor Azure AD audit logs for the following events:

  • Add unverified domain
  • Verify domain

Triage and Response

  1. Check if the user is a known administrator or if the action aligns with their normal activities.
  2. Review recent sign-ins (Azure AD Sign-in Logs) to see if the user’s authentication patterns are unusual (for example, logins from unexpected locations or multiple failed login attempts).
  3. Review if federation settings have been configured for the domain. If federated authentication is configured, ensure this an expected configuration. Federated domains are able to authenticate users on behalf of your Azure AD tenant.
  4. If the domain addition is unauthorized, remove it immediately.
  5. If the action was performed by a compromised account, disable the account and reset its credentials.