With rising speculation about nation-state-sponsored attacks against Microsoft by Russia, SaaS Alerts is asking that all MSPs be hyper-vigilant at this time.

Beginning on March 7th, SaaS Alerts witnessed an increase of over 50% (above late February average activity) in event types that indicate password spray, brute-force, and non-interactive sign-in attacks, and this trend has continued throughout the day (March 8th) and to the present.

SaaS Alerts’ engineering team increased the sensitivity of monitoring non-interactive sign-in activity

Within the last 14 days, the SaaS Alerts engineering team increased the sensitivity of monitoring non-interactive sign-in activity. The additional data this produces is modelled into these observations, and the overall observed increase in activity has been adjusted to account for this change.

These events cannot be conclusively attributed to any individual actor or group, as the location distribution includes multiple countries, with the US and China each making up 1/3 of the event origins and the remaining 1/3 spread across Russia, Brazil, and five additional international locales.

MFA and Conditional Access

SaaS Alerts recommends that all Partners continue to use the “Respond” Rules to observe accounts that are suspected of being successfully compromised based on unusual activity taken upon login, whether interactive or non-interactive.

Combined actions, such as mailbox rule changes, MFA changes, and significant data downloads taken in rapid sequence, may indicate a compromised account. Please remember that token hijacking can bypass MFA and Conditional Access.
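The correlation described above can be sketched as a short detection routine. This is an added example, not SaaS Alerts code or its "Respond" rule logic: the event-type labels, the 15-minute window and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical event-type labels (not SaaS Alerts or Microsoft 365 field names).
RISKY = {"mailbox_rule_change", "mfa_change", "bulk_download"}
WINDOW = timedelta(minutes=15)  # assumed reading of "rapid sequence"

# Constructed sample events: (ISO timestamp, account, event type).
SAMPLE_EVENTS = [
    ("2030-01-01T09:00:05", "alice@example.com", "sign_in_non_interactive"),
    ("2030-01-01T09:01:10", "alice@example.com", "mailbox_rule_change"),
    ("2030-01-01T09:03:42", "alice@example.com", "mfa_change"),
    ("2030-01-01T09:09:30", "alice@example.com", "bulk_download"),
    ("2030-01-01T08:00:00", "bob@example.com", "sign_in_interactive"),
    ("2030-01-01T08:02:00", "bob@example.com", "mailbox_rule_change"),
    ("2030-01-01T13:30:00", "bob@example.com", "mfa_change"),
    ("2030-01-01T16:45:00", "bob@example.com", "bulk_download"),
]


def find_suspect_accounts(events, window=WINDOW, required=RISKY):
    """Return {account: (sign_in_time, time_set_completed)} for accounts where
    every required action follows one sign-in within `window`."""
    by_account = defaultdict(list)
    for ts, account, kind in events:
        by_account[account].append((datetime.fromisoformat(ts), kind))

    hits = {}
    for account, rows in by_account.items():
        rows.sort()  # chronological order per account
        for start, kind in rows:
            # Interactive and non-interactive sign-ins both open a window.
            if not kind.startswith("sign_in"):
                continue
            first_seen = {}
            for t, k in rows:
                if k in required and start <= t <= start + window:
                    first_seen.setdefault(k, t)
            if set(first_seen) == set(required):
                hits[account] = (start, max(first_seen.values()))
                break
    return hits


if __name__ == "__main__":
    for account, (start, end) in find_suspect_accounts(SAMPLE_EVENTS).items():
        print(f"{account}: all risky actions within {end - start} of sign-in")
```

Because token hijacking can bypass MFA and Conditional Access, the routine keys on what happens after the sign-in rather than on whether the sign-in itself passed those controls.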

SaaS Alerts is aware that a limited number of M365 tenants are reporting Outside Approved Location tagging on some events that are false positives, and the engineering team is working to correct these limited incidents. SaaS Alerts will continue to provide additional information as it becomes available.
