LATEST INTELLIGENCE
IDENTITY UNDER ATTACK
ATTACKERS WON’T BREAK IN WHEN THEY CAN WALK IN THROUGH THE FRONT DOOR. WEARING YOUR BADGE, USING YOUR VOICE, AND HOLDING YOUR CREDENTIALS.
It’s Tuesday
10.47am
A service account in Entra ID has authenticated from an unfamiliar IP range associated with a residential ISP in another country. The login uses a legacy authentication protocol that bypasses Conditional Access evaluation, something the account technically still permits because of an older integration. In an environment generating hundreds of identity alerts daily, it joins a triage queue that the on-call analyst plans to review after lunch.
11.15am
A SharePoint admin notices something harder to dismiss. Permission structures have been modified for a document library tied to the Product Management department, granting Site Collection Administrator privileges. The changes look administrative. They carry a valid OAuth token issued through Entra ID. But nobody on the SharePoint team made them, and nobody requested them.
11.30am
The signals start arriving faster than anyone can contextualize them. A global admin account in Microsoft 365 has initiated a bulk export of Exchange mailbox data without a corresponding eDiscovery hold.
At the same time, several subtle policy changes appear in Entra ID Conditional Access:
• Two service accounts are now excluded from MFA enforcement
• A previously blocked retired authentication pathway has been re-enabled
• A new token lifetime policy extends refresh tokens to 90 days
Meanwhile, in Salesforce, an OAuth token tied to a connected application has begun pulling CRM records at a volume that suggests systematic extraction, and the integration was approved months ago by someone who has since left the organization.
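One way to turn the timeline above into a single per-actor triage score rather than five isolated alerts, as an added example that is not part of the article: the events are constructed, the field names are simplified rather than the Entra ID or Graph log schema, and the 30-day refresh-token ceiling and the scoring weights are assumptions.

```python
# Constructed sample events; field names are simplified, not the Entra ID/Graph schema.
from collections import defaultdict

LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP AUTH", "Basic"}
MAX_REFRESH_TOKEN_DAYS = 30  # assumed organisational ceiling, not from the article

EVENTS = [
    {"type": "signin", "actor": "svc-sync", "protocol": "IMAP",
     "country_known": False},
    {"type": "perm_change", "actor": "svc-sync",
     "target": "SharePoint:ProductMgmt", "role": "Site Collection Administrator"},
    {"type": "mailbox_export", "actor": "ga-admin", "ediscovery_hold": False},
    {"type": "ca_policy_change", "actor": "ga-admin",
     "change": "mfa_exclusion", "accounts": ["svc-sync", "svc-backup"]},
    {"type": "ca_policy_change", "actor": "ga-admin",
     "change": "refresh_token_lifetime_days", "value": 90},
]

def score_event(e):
    """Return (severity, reason) for one event, or None if it looks benign."""
    if e["type"] == "signin":
        if e["protocol"] in LEGACY_PROTOCOLS and not e["country_known"]:
            return (3, "legacy auth from unfamiliar location skips Conditional Access")
    elif e["type"] == "perm_change" and "Administrator" in e["role"]:
        return (3, f"admin role granted on {e['target']}")
    elif e["type"] == "mailbox_export" and not e["ediscovery_hold"]:
        return (4, "bulk mailbox export without eDiscovery hold")
    elif e["type"] == "ca_policy_change":
        if e["change"] == "mfa_exclusion":
            return (4, f"MFA exclusion added for {e['accounts']}")
        if e["change"] == "refresh_token_lifetime_days" and e["value"] > MAX_REFRESH_TOKEN_DAYS:
            return (3, f"refresh token lifetime raised to {e['value']} days")
    return None

def triage(events):
    """Score events per actor and escalate accounts whose weak signals chain."""
    per_actor = defaultdict(list)
    for e in events:
        hit = score_event(e)
        if hit:
            per_actor[e["actor"]].append(hit)
    # An account that was excluded from MFA *and* seen in a suspicious
    # sign-in is one attack chain, not two unrelated alerts.
    excluded = {a for e in events if e.get("change") == "mfa_exclusion"
                for a in e["accounts"]}
    result = {}
    for actor, hits in per_actor.items():
        total = sum(sev for sev, _ in hits) + (5 if actor in excluded else 0)
        result[actor] = (total, [reason for _, reason in hits])
    return result
```

Run on the constructed events, both the service account and the global admin end up at the top of the queue instead of the service-account sign-in waiting until after lunch.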
INTELLIGENT CIO AFRICA www.intelligentcio.com