Account Takeover

The mechanics and motive of cloud account takeovers are the same as for on-prem account takeovers: the attacker gains access to a user or application (service) account and uses it to reach further accounts and data. Several signals can reveal an account takeover in progress:

  • Login Location: sign-ins from 'suspicious' locations, i.e. places where you do not do business, are a strong signal. Conditional access policies can also block sign-ins from those locations outright, but the blocked attempts should still be logged and reviewed, since they show the credential is being tried.

  • Failed Login Attempts: bursts of failed sign-ins, whether many attempts against one account or one password tried across many accounts (password spraying), can be a sign of attempted account takeover. A successful sign-in immediately after such a burst deserves immediate attention.

  • Lateral Phishing Emails: phishing emails originating from inside your own domain usually mean the sending account has already been compromised and is being used to reach further victims.

  • Malicious OAuth, SAML, or OpenID Connect Connections: an attacker can register a fake application that requests read, write and send permissions for SaaS offerings like Office 365. If a user grants consent, the attacker acts through the application's token rather than the user's password, so the access survives a password reset until the consent grant itself is revoked. New consent grants with mailbox or file permissions should therefore be reviewed.

  • Abnormal File Sharing and Downloading: unusual sharing, bulk downloads or new external sharing links from a user can indicate that a taken-over account is being used to exfiltrate data.
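The first, second and fourth signals above can be turned into straightforward detections over sign-in and consent logs. The following is an added example, not code from the original page: it runs three toy detections over constructed sample events and then correlates two of the signals for the same user. The event field names (`user`, `country`, `result`, `scopes`), the allowed-country list and the set of risky permission scopes are assumptions loosely modelled on cloud identity-provider logs, not any vendor's schema.

```python
"""Toy detections for cloud account-takeover signals (added example).

Field names, allowed countries and the 'risky scope' list are assumptions,
not a real vendor schema; the events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data).
SIGNIN_EVENTS = [
    {"time": "2024-01-10T09:00:00", "user": "alice@example.com", "country": "GB", "result": "success"},
    {"time": "2024-01-10T09:40:00", "user": "alice@example.com", "country": "RU", "result": "success"},
    # 12 failures against bob in 12 minutes, then a success: brute force that worked.
    *[{"time": f"2024-01-10T10:{i:02d}:00", "user": "bob@example.com", "country": "GB", "result": "failure"}
      for i in range(12)],
    {"time": "2024-01-10T10:13:00", "user": "bob@example.com", "country": "GB", "result": "success"},
    {"time": "2024-01-10T11:00:00", "user": "carol@example.com", "country": "GB", "result": "success"},
]

# Constructed sample application consent grants (not real log data).
CONSENT_EVENTS = [
    {"time": "2024-01-10T09:45:00", "user": "alice@example.com", "app": "Mail Helper",
     "scopes": ["Mail.Read", "Mail.Send", "Files.ReadWrite"]},
    {"time": "2024-01-10T11:05:00", "user": "carol@example.com", "app": "Calendar Sync",
     "scopes": ["Calendars.Read"]},
]

ALLOWED_COUNTRIES = {"GB", "IE"}  # assumption: where the business operates
# Assumption: scopes that give an app read, write or send access to mail and files.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite", "Files.ReadWrite.All"}


def parse(ts):
    return datetime.fromisoformat(ts)


def unexpected_locations(events, allowed=ALLOWED_COUNTRIES):
    """Successful sign-ins from countries the business does not operate in."""
    return [(e["user"], e["country"]) for e in events
            if e["result"] == "success" and e["country"] not in allowed]


def failed_login_bursts(events, threshold=10, window=timedelta(minutes=15)):
    """Users with >= threshold failures inside one sliding window.

    Also records whether a success followed the burst within the same window,
    which is the case that needs immediate attention.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        failures = [parse(e["time"]) for e in evs if e["result"] == "failure"]
        successes = [parse(e["time"]) for e in evs if e["result"] == "success"]
        for i, start in enumerate(failures):
            in_window = [t for t in failures[i:] if t - start <= window]
            if len(in_window) >= threshold:
                end = in_window[-1]
                followed = any(end < s <= end + window for s in successes)
                hits[user] = {"failures": len(in_window), "success_after_burst": followed}
                break
    return hits


def risky_consents(events, risky=RISKY_SCOPES):
    """Consent grants that hand an application mail or file read/write/send access."""
    return [(e["user"], e["app"], sorted(set(e["scopes"]) & risky))
            for e in events if set(e["scopes"]) & risky]


def correlate(signin_events, consent_events, allowed=ALLOWED_COUNTRIES, gap=timedelta(hours=1)):
    """Users who granted a risky consent shortly after signing in from an unexpected country.

    Either signal alone may be benign (travel, a legitimate add-in); together,
    within an hour, they are the classic post-compromise persistence pattern.
    """
    suspicious_logins = [(e["user"], parse(e["time"])) for e in signin_events
                         if e["result"] == "success" and e["country"] not in allowed]
    flagged = set()
    for c in consent_events:
        if not set(c["scopes"]) & RISKY_SCOPES:
            continue
        t = parse(c["time"])
        if any(u == c["user"] and timedelta(0) <= t - lt <= gap for u, lt in suspicious_logins):
            flagged.add(c["user"])
    return sorted(flagged)


if __name__ == "__main__":
    print("unexpected locations:", unexpected_locations(SIGNIN_EVENTS))
    print("failed-login bursts:", failed_login_bursts(SIGNIN_EVENTS))
    print("risky consents:", risky_consents(CONSENT_EVENTS))
    print("correlated takeover candidates:", correlate(SIGNIN_EVENTS, CONSENT_EVENTS))
```

On the sample data this flags Alice's Russian sign-in, Bob's burst of twelve failures followed by a success, and Alice's consent to an app with mail-send and file-write scopes; the correlation step then singles out Alice as the account most likely already taken over. Thresholds and windows are deliberately parameters, since the right values depend on your user population and how noisy each log source is.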
