---
title: Box MFA disabled followed by unrecognized device logins
description: Datadog, the leading service for cloud-scale monitoring.
---

# Box MFA disabled followed by unrecognized device logins

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

- Classification: attack
- Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)
- Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detects scenarios where a user disables Multi-Factor Authentication (MFA) and then attempts to log in from an unrecognized device, potentially indicating account compromise.

## Strategy{% #strategy %}

Monitor enterprise events for MFA disable actions followed closely by login attempts from unrecognized devices, using `{{@source.login}}` to track the affected user.
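
The correlation described above, sketched as an added example (not Datadog's rule definition): it groups events by `source.login` and flags an unrecognized-device login that follows an MFA disable by the same user. The event type labels, the one-hour window, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed labels for the two event kinds; the real Box event type names are
# not given on this page, so map them to your own log schema.
MFA_DISABLED = "mfa_disabled"
UNRECOGNIZED_LOGIN = "unrecognized_device_login"
WINDOW = timedelta(hours=1)  # assumed meaning of "followed closely"

# Constructed sample events, keyed like the rule's {{@source.login}} attribute.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source.login": "alice@example.com", "type": MFA_DISABLED},
    {"ts": "2024-05-01T09:12:00", "source.login": "alice@example.com", "type": UNRECOGNIZED_LOGIN},
    # Unrecognized device, but this user never disabled MFA: no finding.
    {"ts": "2024-05-01T10:00:00", "source.login": "bob@example.com", "type": UNRECOGNIZED_LOGIN},
    # Login outside the window after the disable: no finding at one hour.
    {"ts": "2024-05-01T11:00:00", "source.login": "carol@example.com", "type": MFA_DISABLED},
    {"ts": "2024-05-01T15:30:00", "source.login": "carol@example.com", "type": UNRECOGNIZED_LOGIN},
    # Login happened before the disable: wrong order, no finding.
    {"ts": "2024-05-01T08:00:00", "source.login": "dave@example.com", "type": UNRECOGNIZED_LOGIN},
    {"ts": "2024-05-01T08:30:00", "source.login": "dave@example.com", "type": MFA_DISABLED},
]


def detect(events, window=WINDOW):
    """Return one finding per unrecognized-device login that follows an MFA
    disable by the same user within `window`."""
    last_disable = {}  # user -> time of that user's most recent MFA disable
    findings = []
    # Same-format ISO 8601 strings sort in chronological order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["source.login"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == MFA_DISABLED:
            last_disable[user] = ts
        elif ev["type"] == UNRECOGNIZED_LOGIN:
            disabled_at = last_disable.get(user)
            if disabled_at is not None and ts - disabled_at <= window:
                findings.append({"user": user, "mfa_disabled_at": disabled_at,
                                 "login_at": ts, "gap": ts - disabled_at})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['user']}: unrecognized device login {f['gap']} after MFA disable")
```

Widening the window trades fewer missed slow-moving takeovers for more findings from users who legitimately re-enroll a new phone or laptop.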

## Triage and Response{% #triage-and-response %}

1. Review the user `{{@source.login}}` who disabled MFA and attempted access from an unrecognized device.
1. Investigate whether the login was expected by checking recent user behavior.
1. If the activity is suspicious, force a password reset and restrict account access.
