Thank you for your interest in Obsidian! Please enter your information in the form and we will contact you shortly to schedule a demo.
In today’s digital-first world, individuals are bringing B2C behaviors into the B2B sphere. Just as someone might casually share personal login details with platforms like Turbotax for tax filing, many are now sharing corporate credentials with third-party providers for various personal and professional tasks.
A recent investigation by Obsidian’s Threat Research team has shed light on the risks associated with this trend. They detected a critical risk associated with Argyle–a service that facilitates employment/income verification and payroll management by integrating with HR Management (HRM) systems through credential flow.
Argyle’s service presents a significant risk to organizations due to its insecure integration via credential flow. If compromised, this integration provides an uncontrolled pathway for accessing SaaS applications and corporate data.
From Obsidian’s investigation thus far, this risk affects over 800 G2000 companies and numerous others through their HRM systems and Identity Providers (IdPs).
Obsidian’s Threat Research team observed the following suspicious sequence of events across multiple tenants:
This activity resembles common identity threats, such as gaining initial access through an access broker or carrying out complete payroll theft following an account takeover.
The suspicious activity illustrated above was traced back to Argyle. Below, we have outlined how this activity unfolded, starting with the employee entering their corporate credentials into a third-party site, through to Argyle gaining access to both the IdP and HRM service.
Although there hasn’t been any observed exploitation, the integration facilitated by Argyle raises various security concerns. These include:
A variety of HRM services and IdP solutions are implicated by this risk due to their integration with Argyle.
Services: | |||
ADP | Alliance HCM MyPay | BambooHR | Dayforce HCM |
Doculivery | Employee Express | Greenshades | Gusto |
Heartland | Homebase | Infor | Insperity |
iSolved | Justworks | krowD | Money Network |
MyADP | MyEPP | myPay | Namely |
Netchex | Netspend | Oasis Paychex HR | OnPay |
Oracle Cloud | Oracle PeopleSoft | Paperless Pay | PaperlessEmployee |
Paychex Flex | Paycom | Paycor | Paylocity |
PrimePay | PrismHR | Proliant | QuickBooks |
SAP SuccessFactors | Square | SumTotal Systems | SurePayroll |
TEAM Software | Toast | TriNet | UKG (UltiPro) |
UKG Ready | Workday | Workforce Now | Zenefits |
IdPs:
Unlike the classic identity threat via account takeover, individuals willingly engage in these processes, making self-reporting unlikely. Even strong MFA based on WebAuthN may fall short if weaker methods like SMS or TOTP are allowed to be downgraded. Therefore, continuous monitoring of corporate identity threats becomes paramount to detect and mitigate risks.
To enhance security and mitigate risks, we recommend taking the following actions:
#1. Deploy Obsidian’s new detection rule:
#2. Review audit logs:
#3. Identify and take action for exposed accounts:
There’s no denying the value provided by tools that automate traditionally manual processes like employment and income verification. However, as this scenario highlights, services should be carefully assessed to ensure they do not compromise your organization’s security.
OAuth is built to address these requirements: authorizing access to resources owned by a user without exposing credentials to third parties.
In addition, a secure integration should follow the principle of least privilege, requesting only necessary information for validation, such as employment or income status, without accessing sensitive data like pay slips or W2 forms. In the HRM systems we inspected, the scope options available make it challenging to fulfill this requirement because of the coarse granularity of resources. In some systems, the only options are just read/write on all resources.
Identified IP addresses:
Most incoming traffic originates from proxy providers. Notable IP addresses observed over the past month include:
User agent strings:
The user agent string linked to the activity may vary over time but frequently repeats: