MDO should detect messages that contain MFA Number Match codes

[gtattersall]

MFA Number Match should produce detailed logs that will facilitate an integration with MS Defender for Office (MDO) to detect when a user is messaged their own account's MFA Number Match value via Teams or Email. This would detect when a user's credentials are compromised (e.g., password spray) and then an attacker tried to social engineer the user into accepting the MFA Number Match challenge.

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 5d46abb2-6ad9-e86e-8808-b69ca11922d8
• Version Independent ID: c4ccd9d6-13c7-6150-6a44-241bdf9b0982
• Content: How number matching works in multifactor authentication (MFA) push notifications for Microsoft Authenticator - Microsoft Entra
• Content Source: articles/active-directory/authentication/how-to-mfa-number-match.md
• Service: active-directory
• Sub-service: authentication
• GitHub Login: @Justinha
• Microsoft Alias: justinha

[Naveenommi-MSFT]

@gtattersall Thanks for your feedback! We will investigate and update as appropriate.

[SaibabaBalapur-MSFT]

hi @gtattersall as per document it does not seem that MS Defender for Office currently detects messages that contain MFA Number Match codes. However, MFA Number Match does produce detailed logs that can be used to detect when a user is messaged their own account's MFA Number Match value via Teams or Email. These logs can be used to integrate with other security solutions, including MS Defender for Office, to detect when a user's credentials are compromised, and an attacker tries to social engineer the user into accepting the MFA Number Match challenge. For more information on how to use MFA Number Match and its logging capabilities, Further question, you can leverage our Q&A forum by posting your issue there so our community, and MVPs can further assist you in troubleshooting this issue or finding potential workarounds. [Teams Q&A forum] (https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html) for technical questions about the configuration and administration of Microsoft Teams on Windows. [Microsoft Teams Community forum] (https://answers.microsoft.com/en-us/msteams/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1

[SaibabaBalapur-MSFT]

@gtattersall We are going to close this thread as resolved but if there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.