Important Security Bulletin from SaaS Alerts
With the rising speculation of nation state-sponsored attacks against Microsoft by Russia, we’re asking that all MSPs be hyper vigilant at this time.
Beginning on March 7th, SaaS Alerts witnessed an increase of over 50% (above late February average activity) on event types which indicate password spray, bruteforce, and non-interactive sign-in attacks – and this trend has continued throughout the day today (March 8th) and to present.
Within the last 14 days, the SaaS Alerts’ engineering team increased the sensitivity of monitoring non-interactive sign-in activity. While this increase in data is modeled into these observations, the overall observed action increase has now been factored for this change. These events cannot be conclusively attributed to any individual actor or group as the location distribution includes multiple countries with the US and China each making up 1/3 of the event origins and the remaining 1/3 spread across Russia, Brazil, and 5 additional international locales.
SaaS Alerts recommends that all Partners continue use of the “Respond” Rules to observe accounts which are suspected of being successfully compromised based on unusual activity taken upon login, whether interactive or non-interactive. Combined actions such as mailbox rule changes+mfa changes+significant data downloads taken in rapid sequence may indicate a compromised account. Please remember that Token Hijacking can bypass MFA and Conditional Access.
SaaS Alert is aware that a limited number of M365 tenants are reporting Outside Approved Location tagging on some events that are false positives, and the engineering team is working to correct these limited incidents.
SaaS Alerts will continue to provide additional information as it becomes available.
Related posts

Microsoft 365 Price Increase: Right-sizing protection and cost for your customers
“Win on the transition” is a term I heard for the first time several years ago. I have written about…

SaaS Alerts Adds Microsoft Defender for Endpoint to its SaaS Security Platform for MSPs
Integration provides a single pane to monitor the Microsoft 365 application suite and EDR solution. ALLENTOWN, PA — August 6, 2024 — SaaS Alerts, a cybersecurity company delivering an automated software-as-a-service (SaaS) security platform that enables managed service providers (MSPs) to detect and stop unauthorized activity in client SaaS applications, today announced the integration of […]

Unify is the first and only technology to protect SaaS Applications while enabling MSPs to answer a growing need and leverage the shift to SaaS applications.