
Summary
The detection rule 'O365 New MFA Method Registered' identifies the registration of a new Multi-Factor Authentication (MFA) method for a user's Office 365 account. Using O365 audit logs, the rule captures updates to MFA configurations that may indicate unauthorized access, where an attacker attempts to secure a foothold on a compromised account. Such changes are critical to monitor because they can help attackers bypass existing security measures, consolidate their access, and potentially escalate privileges or access sensitive information. Immediate verification and remediation are crucial to protect the affected account from further exploitation. The corresponding search query uses specific fields in the O365 management activity log to evaluate changes in the 'StrongAuthenticationMethod' property, comparing the old and new values to trigger alerts on suspicious modifications.
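An added example, not the rule's own search query: the old/new comparison described in the summary, run in Python over constructed audit records. The field names (`Operation`, `ObjectId`, `ModifiedProperties` with `Name`/`OldValue`/`NewValue`), the `Update user.` operation and the JSON layout with `MethodType` are assumptions about the O365 management activity record format; the function names are hypothetical.

```python
import json
from collections import Counter

def method_types(value):
    """MethodType values listed in a StrongAuthenticationMethod OldValue/NewValue string."""
    try:
        entries = json.loads(value or "[]")
    except (ValueError, TypeError):
        return []  # unparseable value: treat as no methods listed
    if not isinstance(entries, list):
        return []
    return [e["MethodType"] for e in entries if isinstance(e, dict) and "MethodType" in e]

def new_mfa_methods(events):
    """Return (target account, added method types) for events that register a new method."""
    hits = []
    for ev in events:
        if ev.get("Operation") != "Update user.":
            continue
        for prop in ev.get("ModifiedProperties") or []:
            if prop.get("Name") != "StrongAuthenticationMethod":
                continue
            old = Counter(method_types(prop.get("OldValue")))
            new = Counter(method_types(prop.get("NewValue")))
            added = sorted((new - old).elements())  # methods present only in NewValue
            if added:
                hits.append((ev.get("ObjectId"), added))
    return hits

def _event(target, prop, old, new):
    # Constructed sample record, not real audit data.
    return {"Workload": "AzureActiveDirectory", "Operation": "Update user.",
            "ObjectId": target,
            "ModifiedProperties": [{"Name": prop, "OldValue": json.dumps(old),
                                    "NewValue": json.dumps(new)}]}

SAMPLE_EVENTS = [
    # Second method added alongside an existing one: alert.
    _event("alice@example.com", "StrongAuthenticationMethod",
           [{"MethodType": 6, "Default": True}],
           [{"MethodType": 6, "Default": True}, {"MethodType": 7, "Default": False}]),
    # Same methods, only the default flag moved: no alert.
    _event("bob@example.com", "StrongAuthenticationMethod",
           [{"MethodType": 6, "Default": True}, {"MethodType": 7, "Default": False}],
           [{"MethodType": 6, "Default": False}, {"MethodType": 7, "Default": True}]),
    # Unrelated property change: no alert.
    _event("carol@example.com", "DisplayName", ["Carol"], ["Carol A."]),
    # First method ever registered: alert.
    _event("dave@example.com", "StrongAuthenticationMethod", [], [{"MethodType": 6, "Default": True}]),
]

if __name__ == "__main__":
    for target, added in new_mfa_methods(SAMPLE_EVENTS):
        print(f"New MFA method registered for {target}: MethodType {added}")
```

Comparing method types rather than raw strings keeps a change of default method from alerting, so triage effort goes to events where a method was actually added.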
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.005
Created: 2024-11-14