Account Takeover
The mechanics and motive of cloud account takeovers are the same as for on-prem account takeovers: the attacker gains access to a user or application account and uses it to reach further accounts and information. There are numerous signals that can be used to detect an account takeover:
Login Location: conditional access can be used to prevent users from logging in from 'suspicious' locations, i.e., places where you do not do business.
Failed Login Attempts: mass failed login attempts can be a sign of attempted account takeover.
Lateral Phishing Emails: phishing emails originating from inside the domain can indicate a compromised account.
Malicious OAuth, SAML, or OpenID Connect Connections: an attacker could create a fake app that requests read, write and send permissions for SaaS offerings like Office 365. If a user grants consent, the attacker can act on the account through those permissions.
Abnormal File Sharing and Downloading: unusual sharing or download behaviour from users can indicate account takeover.
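The following is an added example of detection logic for four of the signals listed above (failed-login bursts, logins from unexpected locations, risky app consents, and download bursts), not code from the original page. It runs over a constructed activity log; the event field names, the thresholds, the allowed-country list and the scope names are all assumptions to be replaced with your own tenant's log schema and risk tolerances. Lateral phishing is not covered here because it requires mail-content classification rather than counting events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds and allow-list (tune to your own environment).
ALLOWED_COUNTRIES = {"US", "GB"}               # where the organisation does business
FAILED_THRESHOLD, FAILED_WINDOW = 5, timedelta(minutes=10)
DOWNLOAD_THRESHOLD, DOWNLOAD_WINDOW = 50, timedelta(hours=1)
RISKY_SCOPES = {"mail.write", "mail.send"}     # placeholder scope names, not a vendor's


def _ev(ts, user, kind, **extra):
    """Build one log event; 'kind' is one of signin, download, consent."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, **extra}


# Constructed sample activity log (not real data).
EVENTS = (
    [_ev(f"2024-05-01T08:0{i}:00", "alice", "signin", ok=False, country="US") for i in range(6)]
    + [_ev("2024-05-01T08:07:00", "alice", "signin", ok=True, country="US")]
    + [_ev("2024-05-01T09:00:00", "bob", "signin", ok=True, country="RU")]
    + [_ev("2024-05-01T10:00:00", "carol", "signin", ok=True, country="GB")]
    + [_ev(f"2024-05-01T10:{i:02d}:00", "carol", "download", item=f"doc{i}") for i in range(55)]
    + [_ev("2024-05-01T11:00:00", "dave", "consent", app="Mail Helper",
           scopes=["mail.read", "mail.send"])]
)


def has_burst(times, threshold, window):
    """True if any sliding window of length `window` holds >= threshold events."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def _times_by_user(events, pred):
    """Group timestamps of events matching `pred` by user."""
    by_user = defaultdict(list)
    for e in events:
        if pred(e):
            by_user[e["user"]].append(e["ts"])
    return by_user


def detect_failed_login_bursts(events):
    by_user = _times_by_user(events, lambda e: e["kind"] == "signin" and not e["ok"])
    return {u for u, ts in by_user.items() if has_burst(ts, FAILED_THRESHOLD, FAILED_WINDOW)}


def detect_unexpected_locations(events):
    # Only successful sign-ins matter here; failures are handled by the burst rule.
    return {e["user"] for e in events
            if e["kind"] == "signin" and e["ok"] and e["country"] not in ALLOWED_COUNTRIES}


def detect_risky_consents(events):
    # A consent grant that includes write or send scopes is worth a review.
    return {e["user"] for e in events
            if e["kind"] == "consent" and RISKY_SCOPES & set(e["scopes"])}


def detect_download_bursts(events):
    by_user = _times_by_user(events, lambda e: e["kind"] == "download")
    return {u for u, ts in by_user.items() if has_burst(ts, DOWNLOAD_THRESHOLD, DOWNLOAD_WINDOW)}


def detect(events):
    """Run every rule and return sorted (rule, user) alerts."""
    rules = [
        ("failed_login_burst", detect_failed_login_bursts),
        ("unexpected_country", detect_unexpected_locations),
        ("risky_app_consent", detect_risky_consents),
        ("download_burst", detect_download_bursts),
    ]
    return sorted((name, user) for name, fn in rules for user in fn(events))


if __name__ == "__main__":
    for rule, user in detect(EVENTS):
        print(f"{rule}: {user}")
```

On the sample log this flags alice for the failed-login burst, bob for the login from a country outside the allow-list, dave for consenting to an app with send permissions, and carol for the download burst; alice's later successful login from an allowed country is not flagged on its own. The sliding-window count is what keeps the burst rules from firing on a user who simply makes many downloads over a whole day.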