How easy is it to identify a «malicious» phone of an attacker configured as MFA on user authentication?
I have seen multiple queries that can help, such as identifying by country code, suspicious number format and others.
Although these are good ones, I have not seen these options as a final one due to the amount of false positives. Therefore, with my fresh head after the holidays, I decided to create a query to detect differences between the phone number in the Entra ID user profile and the phone used to authenticate via MFA.
Of course, it has an important requirement, which is to have your Entra ID updated with the Phone field filled in. However, I think the result of that effort makes sense not just for the security aspect, but also to detect cases where the Entra ID user profile is not updated with the current phone number.
CloudAppEvents
// Entra ID audit events in which the user's MFA methods (StrongAuthentication*) were changed
| where ActionType == "Update user." and RawEventData contains "StrongAuthentication"
// the user whose MFA method changed; AccountDisplayName further down is the actor who made the change
| extend target = tostring(RawEventData.ObjectId)
// one row per modified property ({Name, NewValue, OldValue})
| mv-expand ModifiedProperties = parse_json(RawEventData.ModifiedProperties)
| where ModifiedProperties matches regex @"\+\d{1,3}\s*\d{9,}"
// one row per field of that property, so the NewValue field can be picked out
| mv-expand ModifiedProperties = parse_json(ModifiedProperties)
| where ModifiedProperties contains "NewValue" and ModifiedProperties matches regex @"\+\d{1,3}\s*\d{9,}"
| extend PhoneNumber = extract(@"\+\d{1,3}\s*\d{9,}", 0, tostring(ModifiedProperties))
// joining the IdentityInfo table to get the phone recorded on the user profile
| join kind=inner (IdentityInfo) on $left.AccountDisplayName == $right.AccountDisplayName
// keep only the rows where the registered MFA phone differs from the profile phone
// (plain string comparison: formatting differences such as spaces or dashes also show up here)
| where Phone != PhoneNumber
| summarize by AccountDisplayName, Phone, PhoneNumber, Country
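The same comparison the query performs, as an added example that is not part of the original post and not the author's code. It runs offline over constructed records shaped like the fields the query reads (RawEventData.ObjectId as the target UPN, ModifiedProperties as an array of {Name, NewValue, OldValue}, with NewValue a JSON string carrying a PhoneNumber field; that shape and all the sample values are assumptions). It adds two things a practitioner will want when tuning this detection: the numbers are normalized to digits before comparing, so "+1 (425) 555-1234" on the profile and "+1 4255551234" in the audit event do not raise a false positive, and a target whose profile has no phone on file is reported separately instead of silently passing or failing the comparison.

```python
import json
import re

# Constructed sample audit events (values made up for this example).
SAMPLE_EVENTS = [
    {   # same number as the profile, only formatted differently -> no finding
        "ActionType": "Update user.",
        "RawEventData": {
            "ObjectId": "alice@contoso.example",
            "ModifiedProperties": [
                {"Name": "StrongAuthenticationUserDetails",
                 "NewValue": json.dumps([{"PhoneNumber": "+1 4255551234",
                                          "AlternativePhoneNumber": None}]),
                 "OldValue": "[]"}]}},
    {   # number that does not match the profile -> finding: mismatch
        "ActionType": "Update user.",
        "RawEventData": {
            "ObjectId": "bob@contoso.example",
            "ModifiedProperties": [
                {"Name": "StrongAuthenticationUserDetails",
                 "NewValue": json.dumps([{"PhoneNumber": "+44 7700900123",
                                          "AlternativePhoneNumber": None}]),
                 "OldValue": "[]"}]}},
    {   # unrelated attribute change -> ignored
        "ActionType": "Update user.",
        "RawEventData": {
            "ObjectId": "carol@contoso.example",
            "ModifiedProperties": [
                {"Name": "JobTitle", "NewValue": '["Analyst"]', "OldValue": '["Intern"]'}]}},
    {   # profile has no phone on file -> finding: no_profile_phone
        "ActionType": "Update user.",
        "RawEventData": {
            "ObjectId": "dave@contoso.example",
            "ModifiedProperties": [
                {"Name": "StrongAuthenticationUserDetails",
                 "NewValue": json.dumps([{"PhoneNumber": "+49 15112345678"}]),
                 "OldValue": "[]"}]}},
]

# Constructed stand-in for IdentityInfo, keyed by AccountUpn.
SAMPLE_PROFILES = {
    "alice@contoso.example": {"Phone": "+1 (425) 555-1234", "Country": "US"},
    "bob@contoso.example":   {"Phone": "+1 206-555-0199",   "Country": "US"},
    "carol@contoso.example": {"Phone": "+1 425 555 0100",   "Country": "US"},
    "dave@contoso.example":  {"Phone": "",                  "Country": "DE"},
}

PHONE_RE = re.compile(r"\+\d{1,3}\s*\d{9,}")  # same pattern the query uses


def normalize_phone(raw):
    """Reduce a phone string to its digits so differently formatted
    renderings of one number compare equal. Returns '' for no number."""
    return re.sub(r"\D", "", raw or "")


def mfa_phones_from_event(event):
    """Return the phone numbers written into StrongAuthentication*
    properties by one 'Update user.' event (empty list if none)."""
    phones = []
    for prop in event["RawEventData"].get("ModifiedProperties", []):
        if not (prop.get("Name") or "").startswith("StrongAuthentication"):
            continue
        new_value = prop.get("NewValue") or ""
        try:
            details = json.loads(new_value)  # NewValue is itself a JSON string
        except json.JSONDecodeError:
            phones.extend(PHONE_RE.findall(new_value))  # fall back to a regex sweep
            continue
        for entry in details if isinstance(details, list) else [details]:
            if not isinstance(entry, dict):
                continue
            for key in ("PhoneNumber", "AlternativePhoneNumber"):
                value = entry.get(key)
                if value and PHONE_RE.search(value):
                    phones.append(value)
    return phones


def find_mismatches(events, profiles):
    """Compare each newly registered MFA phone with the target user's profile
    phone. Returns findings whose 'reason' is 'mismatch' or 'no_profile_phone'."""
    findings = []
    for event in events:
        if event.get("ActionType") != "Update user.":
            continue
        upn = event["RawEventData"]["ObjectId"]   # key on the target, not the actor
        profile = profiles.get(upn, {})
        profile_digits = normalize_phone(profile.get("Phone"))
        for mfa_phone in mfa_phones_from_event(event):
            if not profile_digits:
                reason = "no_profile_phone"
            elif normalize_phone(mfa_phone) != profile_digits:
                reason = "mismatch"
            else:
                continue  # same number, different formatting: not a finding
            findings.append({"upn": upn, "profile_phone": profile.get("Phone", ""),
                             "mfa_phone": mfa_phone, "country": profile.get("Country", ""),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_EVENTS, SAMPLE_PROFILES):
        print(finding)
```

Keying the lookup on the target UPN rather than the actor's display name matters when an administrator or a help-desk flow changes the method on the user's behalf; the audit event's actor is then not the user whose phone should be checked.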