Important Security Bulletin from SaaS Alerts
With the rising speculation of nation state-sponsored attacks against Microsoft by Russia, we’re asking that all MSPs be hyper vigilant at this time.
Beginning on March 7th, SaaS Alerts witnessed an increase of over 50% (above late February average activity) on event types which indicate password spray, bruteforce, and non-interactive sign-in attacks – and this trend has continued throughout the day today (March 8th) and to present.
Within the last 14 days, the SaaS Alerts’ engineering team increased the sensitivity of monitoring non-interactive sign-in activity. While this increase in data is modeled into these observations, the overall observed action increase has now been factored for this change. These events cannot be conclusively attributed to any individual actor or group as the location distribution includes multiple countries with the US and China each making up 1/3 of the event origins and the remaining 1/3 spread across Russia, Brazil, and 5 additional international locales.
SaaS Alerts recommends that all Partners continue use of the “Respond” Rules to observe accounts which are suspected of being successfully compromised based on unusual activity taken upon login, whether interactive or non-interactive. Combined actions such as mailbox rule changes+mfa changes+significant data downloads taken in rapid sequence may indicate a compromised account. Please remember that Token Hijacking can bypass MFA and Conditional Access.
SaaS Alert is aware that a limited number of M365 tenants are reporting Outside Approved Location tagging on some events that are false positives, and the engineering team is working to correct these limited incidents.
SaaS Alerts will continue to provide additional information as it becomes available.
Related posts
Business email compromise (BEC) attacks involve manipulating or impersonating email accounts to deceive employees, often leading to financial fraud, breaches or data loss. According to Verizon, BEC attacks doubled last year and comprised nearly 60% of all social engineering incidents. To deal with this growing frequency of BEC attacks, MSPs need advanced strategies such as […]
MSP Resilient Response (MRR) Program gives MSPs free-use of SaaS Alerts through October 1st to help them protect customers while generating incremental revenue during difficult economic climate
Mr. Sullivan brings his years of experience at helping MSPs to evolve their service models from his time and over the last decade, has introduced thousands of MSPs to cloud workspace technologies that in aggregate increased MSP revenue by tens of millions of dollars. Pat formerly held roles with IndependenceIT, CloudJumper and most recently at […]