Over the past few weeks, we’ve seen a rapid increase in remote work. At the same time, our customers are seeing an increase in attacks on their cloud environments, especially from outside the US. Hackers are using familiar techniques to gain access to users’ cloud accounts – credential stuffing, account hijacking, and sending phishing emails. In this blog post, we look at an example of a failed attack that warned the security team about a security vulnerability.
This post is part of our CDR Case Files series, where we showcase real-world examples of customers, MSSPs, and IR partners using Obsidian for cloud detection and response.
A few days ago, we saw an Obsidian alert pop up in a customer’s account, warning that a user’s Microsoft 365 account likely has a compromised password, but the account wasn’t compromised because MFA blocked the login attempt. The alert recommended that the user’s password be reset.
Administrators typically don’t pay close attention to one-off login failures. In the past few weeks, with IT administrative workload spiking from first-time remote users, this issue would have been completely missed.
Obsidian detected the issue based on a combination of factors and generated an alert:
Obsidian continuously collects and normalizes data about accounts, privileges, activity, and configurations from monitored SaaS services. The platform enriches this data with location and user agent information, analyzes the data for suspicious patterns, and alerts the admin. All this happens automatically once services have been onboarded. This takes 5 minutes per service.
Acting on this alert, the security team investigated the incident by verifying that the user did in fact not try to login from China. The user was then directed to change the password and update all other accounts that might have used the same password for.
The security team went further. Realizing the value of MFA in protecting accounts from compromise, the security admin used Obsidian to check if there were any privileged accounts that didn’t use MFA.
Using the report from Obsidian, the customer was able to enforce MFA for all privileged accounts to improve the security posture.
Unfortunately, we are seeing attacks like these more frequently, as first-time remote workers adjust to the new work reality. Here are some tips that you can take immediately to reduce risk in your organization: