Global Campaign Targeting SaaS Identities: Attack Analysis

Dvir Sasson
Updated
February 7, 2025
July 16, 2025
6 minutes
Technical Report: Identity Attacks Analysis

Over the last month, Reco observed a specific, semi-automated, global campaign originating from Phoenix, Arizona, primarily targeting authentication systems such as Azure Active Directory, Okta, and Office 365. While we were able to trace it back to November 2024, we believe this campaign is still ongoing and have established controls to detect and alert on these attacks in customer environments.

The attacks originated from a limited set of ASNs and IP addresses, with a strong correlation to VPN and proxy usage. This analysis identifies attack patterns, attacker infrastructure, targeted accounts, and security measures that prevented or allowed account takeovers.

Key Findings

Attack Trends Over Time

  • The attacks were not random; they occurred in spikes, indicating coordinated efforts rather than opportunistic attempts.
  • Peak attack periods aligned with working hours in targeted regions, suggesting human-operated attack waves rather than fully automated botnets.
  • The total number of attempts is modest, indicating that the threat actors behind this campaign are performing low-and-slow credential stuffing rather than high-volume brute force.
  • The IPs in question are linked to known phishing techniques that use established frameworks such as Evilginx2 (adversary-in-the-middle, AiTM).

Most Active ASNs & IPs

  • Attacks originated from a few highly active ASNs:
    • Global Connectivity Solutions LLP - AS215540 (Repeated use in attacks)
    • Global Internet Solutions LLC - AS207713
  • Top attacker IPs:
    • 212.18.104.5
    • 2a05:541:116:4::1
    • 2a00:b703:fff2:41::1
    • 2a00:b703:fff2:42::1

Top Targeted Applications & Services

  • Azure Active Directory – Primary target, likely for credential stuffing and account takeover attempts.
  • Okta – Secondary focus, indicating interest in cloud authentication.
  • Office 365 – Email-based attacks targeting Exchange Online.
  • Microsoft Teams – Less frequent, but shows interest in corporate collaboration tools.

Attack Success vs. Failure Rates

  • High number of failed attacks, largely due to MFA enforcement and rate-limiting protections.
  • Successful attacks were observed, meaning some accounts either lacked MFA, had weak credentials, or were accessed via session hijacking.

Attack Geolocation Trends

  • Attacks were concentrated in a few high-risk regions.
  • VPN and proxy usage was common, indicating attempts to obfuscate true attacker locations.

Attack Sequences & Behavior

  • Credential stuffing detected – repeated failed logins before a successful attempt.
  • MFA Challenges:
    • No direct MFA bypass was observed; multiple failed MFA attempts indicate that MFA held up against the attackers.
    • Attackers switched IPs and devices after failures, indicating manual intervention.
  • User Agents:
    • A mix of desktop browsers (Chrome, Firefox, Edge) and mobile logins (iOS, Android).
    • Some anomalies included headless browser activity, suggesting automation.

VPN & Proxy Usage

  • Hosting providers were heavily used – attackers avoided residential ISP connections.
  • Attacks via VPNs had lower success rates, suggesting they were blocked or detected.
  • Some ASN-linked IPs showed repeated failures, likely flagged by security systems.

Indicators of Compromise (IOCs)

User Agents involved:

  • Axios/1.7.9
  • BAV2ROPC
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
  • Accountsd/113 CFNetwork/1568.200.51 Darwin/24.1.0

Attack Timings

  • Peak attack hours: aligned with corporate login windows in targeted regions.
  • Rapid attempts within 5-minute intervals, associated with the “axios/1.7.9” user agent, suggesting automation.

Observed Attack Methods

  • Credential stuffing (multiple failed logins, followed by a success).
  • MFA abuse (repeated MFA attempts, but no direct bypasses recorded).
  • Session hijacking success, with users confirming sign-ins in some instances, resulting in an account takeover.

Recommendations

  • Enforce strong, mandatory MFA such as FIDO2 security keys and passkeys across all accounts.
  • Conditional Access policies and IP blocking are key to preventing attacks originating from unknown locations; alert when the number of failed sign-ins exceeds a threshold.
  • Increase visibility into headless browser logins, as they indicate automation.
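As an added example (not code from the report or from Reco), the following Python detector applies the sequences described under Attack Sequences & Behavior and Observed Attack Methods, together with the failed-sign-in threshold alert recommended above, to constructed sign-in records: it flags the IOC user agents listed in the report, a burst of failures from one IP within the 5-minute interval, and a success that follows such a burst. The record layout, the threshold of three failures and all sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the report). Each line mirrors a minimal
# IdP sign-in export: timestamp, user, source IP, user agent, result.
SAMPLE_LOG = """\
2025-01-14T09:01:10Z alice@example.com 203.0.113.7 axios/1.7.9 FAILURE
2025-01-14T09:02:05Z alice@example.com 203.0.113.7 axios/1.7.9 FAILURE
2025-01-14T09:03:40Z alice@example.com 203.0.113.7 axios/1.7.9 FAILURE
2025-01-14T09:04:55Z alice@example.com 203.0.113.7 axios/1.7.9 SUCCESS
2025-01-14T09:10:00Z bob@example.com 198.51.100.9 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 SUCCESS
2025-01-14T09:12:00Z carol@example.com 203.0.113.7 BAV2ROPC FAILURE
"""

# User agents listed as IOCs in the report; compared case-insensitively.
IOC_USER_AGENTS = {"axios/1.7.9", "bav2ropc"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+) (SUCCESS|FAILURE)$")
WINDOW = timedelta(minutes=5)   # burst interval noted in the report
FAIL_THRESHOLD = 3              # assumed: failures per IP within WINDOW before alerting

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, user, ip, ua, result = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "ua": ua, "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return deduplicated (rule, ip, user) alerts in the order they first fired."""
    alerts = []
    recent_failures = defaultdict(list)  # ip -> failure timestamps inside the sliding window
    for e in events:
        if e["ua"].lower() in IOC_USER_AGENTS:
            alerts.append(("ioc_user_agent", e["ip"], e["user"]))
        fails = recent_failures[e["ip"]]
        fails[:] = [t for t in fails if e["ts"] - t <= WINDOW]  # drop failures older than WINDOW
        if e["ok"]:
            if len(fails) >= FAIL_THRESHOLD:  # burst of failures, then success: stuffing pattern
                alerts.append(("credential_stuffing_success", e["ip"], e["user"]))
            fails.clear()
        else:
            fails.append(e["ts"])
            if len(fails) == FAIL_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append(("failed_signin_threshold", e["ip"], e["user"]))
    return list(dict.fromkeys(alerts))
```

Calling `detect(parse(SAMPLE_LOG))` yields one alert of each rule for alice's IP plus an IOC user-agent alert for carol, while bob's benign sign-in produces nothing.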

What to do if Compromised

  1. Block the IP range entirely: use your firewall or security tools to block access from the identified IPs to prevent further intrusion.
  2. Investigate the origin: review logs and any associated activity from the flagged IPs to understand the nature of the access (e.g. time of access, attempted resources).
  3. Isolate affected accounts: if a malicious IP accessed any accounts, temporarily suspend those accounts and require password resets.

How Reco Can Help

Reco uses identity threat detection and response (ITDR) to monitor for unusual behavior across SaaS application identities. It surfaces real-time alerts when signs of compromise are detected. Reco will flag suspicious activity, like excessive downloads by a suspicious IP, unusual snooping on categorized data, or impossible travel. The alerts will be surfaced through your SIEM or SOAR so your Security team can act immediately.

Reco alert on MITB Campaign

Interested in securing your SaaS with Reco? Schedule a demo today.

Dvir Sasson

ABOUT THE AUTHOR

Dvir is the Director of Security Research, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.

Technical Review by:
Gal Nakash