Why are users receiving MFA SMS codes they didn’t request?

Asked By CuriousCat92 On

I've noticed that two users have received Microsoft multi-factor authentication (MFA) SMS codes recently, even though they weren't trying to log in at the time the texts were received. The codes came from the same authentic number used for legitimate logins. After the first incident, I had them change their passwords and signed them out of all sessions through the admin portal, but one of them received another code last night. I've checked Entra's sign-in logs, audit logs, and MFA activity, but I haven't found anything relevant to the times the codes were sent. I also tested another account to see if a log entry would show up when an incorrect MFA code is entered, but nothing appeared. Could this be due to SMS spoofing, or is there another place I should investigate?

5 Answers

Answered By TechieGuru77 On

It sounds like a possible issue with accounts that have left apps open, which might be prompting MFA requests even when they're not in use. Make sure the users are logging out of applications when they're done. In our case, we don't use SMS for MFA but usually spot these attempts in the logs. You might not see the same info for SMS.

DataDiver55 -

That makes sense! I'll remind them to log out after using any relevant applications.

GadgetWizard24 -

Definitely check for those leftover sessions, especially if they might initiate MFA unexpectedly.

Answered By LogAnalyzerPro On

Recently, I had a similar issue and compiled all the sign-in logs into an Excel file to analyze them. I used a tool to generate graphs and statistics, which helped identify the countries the login attempts were originating from and pointed out some areas for policy adjustments. It might be worth trying that approach!

InsightfulAnalyst -

That could really help clarify what's going on. I'll give that a shot!

DataDetective33 -

Interesting approach! I might steal that idea for my own audits.

Answered By SeamlessSecurity On

I recommend turning off SMS and requiring an authenticator app instead. SMS can be weak, and a cloned phone could lead to issues. Look into the devices in the sign-in logs to track down where the requests are coming from.

HackerHunter -

For sure! I'll implement that as part of our MFA policy.

CyberNinja34 -

Absolutely, SMS is not safe for MFA these days.

Answered By SkepticalTechie On

Entra's logging can be frustratingly inconsistent, so don't feel bad if you're not finding records for these MFA requests. We've had similar issues with password spray attacks where the correct password prompts MFA, but then the logs don't show it clearly.

SecuritySeeker99 -

That sheds some light on things. Good to know I'm not the only one dealing with this!

LogMaster3000 -

Exactly! It's maddening, but you’re on the right track by double-checking everything.
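The log-analysis approach suggested in the answers above can be scripted rather than done by hand in Excel. The following is an added example, not code from any poster: it lines up the times users report receiving an SMS code against exported sign-in rows whose error code shows the password was accepted but MFA was never completed. The CSV column names, accounts, IP addresses and timestamps are constructed for illustration and will differ from a real export.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Entra sign-in error codes logged when the first factor passed but MFA was not completed:
# 50074/50076 = strong authentication required, 500121 = failed during the MFA request.
MFA_PENDING = {"50074", "50076", "500121"}

# Constructed sample export; the column names are assumptions, not a real export header.
SAMPLE_CSV = """createdDateTime,userPrincipalName,errorCode,country,ipAddress
2024-05-01T02:14:09Z,alice@example.com,50126,BR,203.0.113.10
2024-05-01T02:14:41Z,alice@example.com,50074,BR,203.0.113.10
2024-05-01T09:02:00Z,alice@example.com,0,US,198.51.100.7
2024-05-02T23:40:12Z,bob@example.com,500121,VN,203.0.113.77
2024-05-03T08:00:00Z,bob@example.com,0,US,198.51.100.8
"""

# Constructed user reports: when each unrequested SMS code arrived (UTC).
SMS_REPORTS = [
    ("alice@example.com", "2024-05-01T02:15:00Z"),
    ("bob@example.com", "2024-05-02T23:41:00Z"),
    ("bob@example.com", "2024-05-04T03:00:00Z"),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def correlate(csv_text, reports, window_minutes=5):
    """Return (matches, unexplained): sign-ins near each SMS, and SMS with none."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    window = timedelta(minutes=window_minutes)
    matches, unexplained = [], []
    for user, received in reports:
        t = parse_ts(received)
        hits = [r for r in rows
                if r["userPrincipalName"].lower() == user.lower()
                and r["errorCode"] in MFA_PENDING
                and abs(parse_ts(r["createdDateTime"]) - t) <= window]
        matches.extend(hits)
        if not hits:
            unexplained.append((user, received))
    return matches, unexplained

def countries(matches):
    return Counter(r["country"] for r in matches)

if __name__ == "__main__":
    matches, unexplained = correlate(SAMPLE_CSV, SMS_REPORTS)
    print("Sign-ins that triggered MFA, by country:", dict(countries(matches)))
    print("SMS codes with no matching sign-in:", unexplained)
```

Entra keeps interactive and non-interactive sign-ins in separate logs, so feed the script exports of both. An SMS that stays in the unexplained list has no sign-in to account for it in the data supplied.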

Answered By SavvyAdmin88 On

One thing to check is the registered devices and numbers for authentication on each account. It’s possible someone else's number is linked to these accounts inadvertently. Additionally, consider removing SMS as an authentication method altogether.

NetworkNerd01 -

Great idea! I'll verify those settings right away. Thanks!

SysAdminVibe -

I agree, disabling SMS could prevent potential security issues.
