Box MFA disabled followed by unrecognized device logins

This rule is part of a beta feature. To learn more, contact Support.
box

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1078-valid-accounts

Goal

Detects scenarios where a user disables Multi-Factor Authentication (MFA) and then attempts to log in from an unrecognized device, potentially indicating account compromise.

Strategy

Monitor enterprise events for MFA disable actions followed closely by login attempts from unrecognized devices, using {{@source.login}} to track the affected user.

Triage and Response

  1. Review the user {{@source.login}} who disabled MFA and attempted access from an unrecognized device.
  2. Investigate whether the login was expected by checking recent user behavior.
  3. If suspicious, force a password reset, and restrict account access.