Important Security Bulletin from SaaS Alerts
With rising speculation about nation-state-sponsored attacks against Microsoft by Russia, we're asking all MSPs to be hypervigilant at this time.
Beginning on March 7th, SaaS Alerts witnessed an increase of over 50% (above late February average activity) in event types that indicate password spray, brute-force, and non-interactive sign-in attacks, and this trend has continued throughout the day today (March 8th) and to the present.
Within the last 14 days, the SaaS Alerts engineering team increased the sensitivity of monitoring for non-interactive sign-in activity. While this increase in data is modeled into these observations, the overall observed increase in activity has now been adjusted to account for this change. These events cannot be conclusively attributed to any individual actor or group, as the location distribution includes multiple countries: the US and China each make up 1/3 of the event origins, and the remaining 1/3 is spread across Russia, Brazil, and 5 additional international locales.
SaaS Alerts recommends that all Partners continue to use the "Respond" Rules to observe accounts suspected of being successfully compromised based on unusual activity taken upon login, whether interactive or non-interactive. Combined actions such as mailbox rule changes, MFA changes, and significant data downloads taken in rapid sequence may indicate a compromised account. Please remember that token hijacking can bypass MFA and Conditional Access.
SaaS Alerts is aware that a limited number of M365 tenants are reporting Outside Approved Location tagging on some events that are false positives, and the engineering team is working to correct these limited incidents.
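The combined-action pattern described above can be expressed as a per-account time-window correlation. The following is an added example, not SaaS Alerts code or a "Respond" Rule; the event-type names, the 500 MB download threshold, the 30-minute window and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical event-type labels and thresholds; not the SaaS Alerts schema.
REQUIRED = {"mailbox_rule_change", "mfa_change", "large_download"}
DOWNLOAD_BYTES = 500 * 1024 * 1024   # assumed meaning of "significant"
WINDOW = timedelta(minutes=30)       # assumed meaning of "rapid sequence"

def classify(event):
    """Map a raw event to one of the REQUIRED categories, or None."""
    if event["type"] == "file_download":
        return "large_download" if event.get("bytes", 0) >= DOWNLOAD_BYTES else None
    return event["type"] if event["type"] in REQUIRED else None

def find_suspect_accounts(events, window=WINDOW):
    """Return {account: (start, end)} for the first span per account in which
    every REQUIRED category occurs within `window`."""
    per_account = defaultdict(list)
    for ev in events:
        cat = classify(ev)
        if cat:
            per_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), cat))
    hits = {}
    for account, seq in per_account.items():
        seq.sort()
        last_seen = {}
        for ts, cat in seq:
            last_seen[cat] = ts
            # The latest occurrence of each category gives the tightest span
            # that ends at this event and still covers all categories.
            if len(last_seen) == len(REQUIRED):
                start = min(last_seen.values())
                if ts - start <= window:
                    hits[account] = (start, ts)
                    break
    return hits

# Constructed sample events (not real telemetry).
SAMPLE = [dict(account=a, time="2024-01-15T" + t, type=k, bytes=b) for a, t, k, b in [
    ("alice@example.com", "10:00:00", "sign_in", 0),
    ("alice@example.com", "10:02:00", "mfa_change", 0),
    ("alice@example.com", "10:05:00", "mailbox_rule_change", 0),
    ("alice@example.com", "10:12:00", "file_download", 600 * 1024 * 1024),
    ("bob@example.com", "09:00:00", "mailbox_rule_change", 0),
    ("bob@example.com", "13:00:00", "mfa_change", 0),
    ("bob@example.com", "13:02:00", "file_download", 1024 * 1024),
    ("bob@example.com", "13:05:00", "file_download", 700 * 1024 * 1024),
]]
```

With the default window only the first account is flagged; the second performs the same three actions, but spread over four hours, so it is flagged only if the window is widened.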
SaaS Alerts will continue to provide additional information as it becomes available.