MFA disabled for Slack organization
Description
AlphaSOC detected that multi-factor authentication (MFA) was disabled for a Slack organization. MFA prevents unauthorized access by requiring users to provide multiple forms of verification. Disabling MFA removes this protection and increases the risk of account compromise.
Impact
Disabling MFA allows adversaries to access Slack accounts using only username and password credentials. This can lead to unauthorized access to sensitive communications, data exfiltration, and potential lateral movement through connected applications and services.
Severity
| Severity | Condition |
|---|---|
| Informational | MFA disabled for Slack organization |
Investigation and Remediation
Review Slack audit logs to identify who disabled MFA and when. Check for any unauthorized changes to settings or suspicious user activity. Re-enable MFA immediately and ensure all users have MFA set up. Reset passwords for affected accounts and audit connected application permissions. Update security policies to require authorization for any future MFA changes.
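One way to run the audit-log review described above, as an added example that is not AlphaSOC's or Slack's own code: it finds each MFA setting change, reports who made it, when and from which IP, and lists what the same actor did in the following hour. It assumes entries exported from the Slack Audit Logs API, that the change is recorded under the action `pref.two_factor_auth_changed`, and that `details` carries `previous_value` and `new_value`; the sample entries, user IDs and setting values are constructed.

```python
from datetime import datetime, timezone

# Assumption: Audit Logs API action name for a change to the 2FA requirement.
MFA_ACTION = "pref.two_factor_auth_changed"
FOLLOW_UP_WINDOW = 3600  # seconds of the actor's later activity to review


def _entry(ts, action, uid, email, ip, details=None):
    """Build a constructed entry using the Audit Logs API field layout."""
    return {"date_create": ts, "action": action,
            "actor": {"type": "user", "user": {"id": uid, "email": email}},
            "context": {"ip_address": ip}, "details": details or {}}


# Constructed sample data; IDs, addresses and detail values are illustrative.
SAMPLE = [
    _entry(1700000000, "user_login", "W0ADMIN1", "admin@example.com", "203.0.113.7"),
    _entry(1700000120, MFA_ACTION, "W0ADMIN1", "admin@example.com", "203.0.113.7",
           {"previous_value": "required", "new_value": "optional"}),
    _entry(1700000300, "app_installed", "W0ADMIN1", "admin@example.com", "203.0.113.7"),
    _entry(1700000400, "file_downloaded", "W0USER22", "user@example.com", "198.51.100.4"),
    _entry(1700009000, "user_login", "W0ADMIN1", "admin@example.com", "203.0.113.7"),
]


def triage(entries, window=FOLLOW_UP_WINDOW):
    """Return one finding per MFA setting change, with the actor's follow-up actions."""
    entries = sorted(entries, key=lambda e: e["date_create"])
    findings = []
    for e in entries:
        if e.get("action") != MFA_ACTION:
            continue
        user, t0 = e["actor"]["user"], e["date_create"]
        # Actions by the same actor after the change, inside the review window.
        later = [x["action"] for x in entries
                 if x["actor"]["user"]["id"] == user["id"]
                 and t0 < x["date_create"] <= t0 + window]
        findings.append({
            "actor": user["email"],
            "when": datetime.fromtimestamp(t0, tz=timezone.utc).isoformat(),
            "ip": e["context"].get("ip_address"),
            "previous_value": e["details"].get("previous_value"),
            "new_value": e["details"].get("new_value"),
            "follow_up": later,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The setting values are reported verbatim so the analyst can confirm the change was a disablement and not a re-enable.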