Many recent, high-profile attacks have involved MFA bypass tactics such as session hijacking or MFA Fatigue. Attackers wanting to maintain a foothold in a compromised account will often bypass or manipulate MFA then socially engineer their way into registering a new MFA device.
To help detect and combat these tactics, we have added new signals to our Account Takeover Protection solution. Abnormal can now detect suspicious device registration that could indicate an attacker has manipulated the account and may be attempting to establish persistence.