Security Advisories
3 minutes

CDR Case Files: Detecting Compromised Passwords

Over the past few weeks, we’ve seen a rapid increase in remote work. At the same time, our customers are seeing an increase in attacks on their cloud environments, especially from outside the US. Hackers are using familiar techniques to gain access to users’ cloud accounts – credential stuffing, account hijacking, and sending phishing emails. In this blog post, we look at an example of a failed attack that warned the security team about a security vulnerability.

This post is part of our CDR Case Files series, where we showcase real-world examples of customers, MSSPs, and IR partners using Obsidian for cloud detection and response.

What Happened?

A few days ago, we saw an Obsidian alert pop up in a customer’s account, warning that a user’s Microsoft 365 account likely has a compromised password, but the account wasn’t compromised because MFA blocked the login attempt. The alert recommended that the user’s password be reset.

Compromised password allert

How Did Obsidian Detect This?

Administrators typically don’t pay close attention to one-off login failures. In the past few weeks, with IT administrative workload spiking from first-time remote users, this issue would have been completely missed.

Logins Map

Obsidian detected the issue based on a combination of factors and generated an alert:

  1. Login attempt from a new, unfamiliar country that hasn’t been normally used for successful activity
  2. Valid credentials used to login, but MFA blocked access
Compromised password alert details

Obsidian continuously collects and normalizes data about accounts, privileges, activity, and configurations from monitored SaaS services. The platform enriches this data with location and user agent information, analyzes the data for suspicious patterns, and alerts the admin. All this happens automatically once services have been onboarded. This takes 5 minutes per service.

How Did The Customer Respond?

Acting on this alert, the security team investigated the incident by verifying that the user did in fact not try to login from China. The user was then directed to change the password and update all other accounts that might have used the same password for.

The security team went further. Realizing the value of MFA in protecting accounts from compromise, the security admin used Obsidian to check if there were any privileged accounts that didn’t use MFA.

Using the report from Obsidian, the customer was able to enforce MFA for all privileged accounts to improve the security posture.

How Can You Protect Your Company’s Cloud Accounts?

Unfortunately, we are seeing attacks like these more frequently, as first-time remote workers adjust to the new work reality. Here are some tips that you can take immediately to reduce risk in your organization:

  1. Enable Multi-factor Authentication (MFA): Do this for privileged accounts without fail, though we recommend implementing MFA across the board in the organization
  2. Investigate MFA-related Login Failures: Look for unsuccessful logins that failed due to MFA failures, especially from unlikely locations
  3. Remove Unused Accounts: Reduce the attack surface by eliminating accounts that aren’t being used

If you’d like to find out how Obsidian can help you protect your SaaS environments, drop us a note or request a demo.