Introduction
In today’s digital landscape, Software-as-a-Service (SaaS) platforms have become indispensable for businesses, offering unparalleled flexibly, scalability, and accessibly across locations. However, this convenience comes with a significant caveat - an expanded attack surface that cyber criminals are increasingly exploiting. In 2023, 96.7% of organizations reported security incidents involving at least one SaaS application [1].
Virtual private networks (VPNs) play a crucial role in SaaS security, acting as gateways for secure remote access and safeguarding sensitive data and systems when properly configured. However, vulnerabilities in VPNs can create openings for attacks to exploit, allowing them to infiltrate SaaS environments, compromise data, and disrupt business operations. Notably, in early 2024, the Darktrace Threat Research team investigated the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPNs, which would allow threat actors to gain access to sensitive systems and execute remote code.
More recently, in August, Darktrace identified a SaaS compromise where a threat actor logged into a customer’s VPN from an unusual IP address, following an initial email compromise. The attacker then used a separate VPN to create a new email rule designed to obfuscate the phishing campaign they would later launch.
Attack Overview
The initial attack vector in this case appeared to be through the customer’s email environment. A trusted external contact received a malicious email from another mutual contact who had been compromised and forwarded it to several of the organization’s employees, believing it to be legitimate. Attackers often send malicious emails from compromised accounts to their past contacts, leveraging the trust associated with familiar email addresses. In this case, that trust caused an external victim to unknowingly propagate the attack further. Unfortunately, an internal user then interacted with a malicious payload included in the reply section of the forwarded email.
Later the same day, Darktrace / IDENTITY detected unusual login attempts from the IP 5.62.57[.]7, which had never been accessed by other SaaS users before. There were two failed attempts prior to the successful logins, with the error messages “Authentication failed due to flow token expired” and “This occurred due to 'Keep me signed in' interrupt when the user was signing in.” These failed attempts indicate that the threat actor may have been attempting to gain unauthorized access using stolen credentials or exploiting session management vulnerabilities. Furthermore, there was no attempt to use multi-factor authentication (MFA) during the successful login, suggesting that the threat actor had compromised the account’s credentials.
Following this, Darktrace detected the now compromised account creating a new email rule named “.” – a telltale sign of a malicious actor attempting to hide behind an ambiguous or generic rule name.
The email rule itself was designed to archive incoming emails and mark them as read, effectively hiding them from the user’s immediate view. By moving emails to the “Archive” folder, which is not frequently checked by end users, the attacker can conceal malicious communications and avoid detection. The settings also prevent any automatic deletion of the rules or forced overrides, indicating a cautious approach to maintaining control over the mailbox without raising suspicion. This technique allows the attacker to manipulate email visibility while maintaining a façade of normality in the compromised account.
Email Rule:
- AlwaysDeleteOutlookRulesBlob: False
- Force: False
- MoveToFolder: Archive
- Name: .
- MarkAsRead: True
- StopProcessingRules: True
Darktrace further identified that this email rule had been created from another IP address, 95.142.124[.]42, this time located in Canada. Open-source intelligence (OSINT) sources indicated this endpoint may have been malicious [2].
Given that this new email rule was created just three minutes after the initial login from a different IP in a different country, Darktrace recognized a geographic inconsistency. By analyzing the timing and rarity of the involved IP addresses, Darktrace identified the likelihood of malicious activity rather than legitimate user behavior, prompting further investigation.
Just one minute later, Darktrace observed the attacker sending a large number of phishing emails to both internal and external recipients.
Darktrace / EMAIL detected a significant spike in inbound emails for the compromised account, likely indicating replies to phishing emails.
Furthermore, Darktrace identified that these phishing emails contained a malicious DocSend link. While docsend[.]com is generally recognized as a legitimate file-sharing service belonging to Dropbox, it can be vulnerable to exploitation for hosting malicious content. In this instance, the DocSend domain in question, ‘hxxps://docsend[.]com/view/h9t85su8njxtugmq’, was flagged as malicious by various OSINT vendors [3][4].
In this case, Darktrace Autonomous Response was not in active mode in the customer’s environment, which allowed the compromise to escalate until their security team intervened based on Darktrace’s alerts. Had Autonomous Response been enabled during the incident, it could have quickly mitigated the threat by disabling users and inbox rules, as suggested by Darktrace as actions that could be manually applied, exhibiting unusual behavior within the customer’s SaaS environment.
Despite this, Darktrace’s Managed Threat Detection service promptly alerted the Security Operations Center (SOC) team about the compromise, allowing them to conduct a thorough investigation and inform the customer before any further damage could take place.
Conclusion
This incident highlights the role of Darktrace in enhancing cyber security through its advanced AI capabilities. By detecting the initial phishing email and tracking the threat actor's actions across the SaaS environment, Darktrace effectively identified the threat and brought it to the attention of the customer’s security team.
Darktrace’s proactive monitoring was crucial in recognizing the unusual behavior of the compromised account. Darktrace / IDENTITY detected unauthorized access attempts from rare IP addresses, revealing the attacker’s use of a VPN to hide their location.
Correlating these anomalies allowed Darktrace to prompt immediate investigation, showcasing its ability to identify malicious activities that traditional security tools might miss. By leveraging AI-driven insights, organizations can strengthen their defense posture and prevent further exploitation of compromised accounts.
Credit to Priya Thapa (Cyber Analyst), Ben Atkins (Senior Model Developer) and Ryan Traill (Analyst Content Lead)
Appendices
Real-time Detection Models
- SaaS / Compromise / Unusual Login and New Email Rule
- SaaS / Compromise / High Priority New Email Rule
- SaaS / Compromise / New Email Rule and Unusual Email Activity
- SaaS / Compromise / Unusual Login and Outbound Email Spam
- SaaS / Compliance / Anomalous New Email Rule
- SaaS / Compromise / Suspicious Login and Suspicious Outbound Email(s)
- SaaS / Email Nexus / Possible Outbound Email Spam
Autonomous Response Models
- Antigena / SaaS / Antigena Email Rule Block
- Antigena / SaaS / Antigena Enhanced Monitoring from SaaS User Block
- Antigena / SaaS / Antigena Suspicious SaaS Activity Block
MITRE ATT&CK Mapping
Technique Name Tactic ID Sub-Technique of
- Cloud Accounts. DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS T1078.004 T1078
- Compromise Accounts RESOURCE DEVELOPMENT T1586
- Email Accounts RESOURCE DEVELOPMENT T1586.002 T1586
- Internal Spearphishing LATERAL MOVEMENT T1534 -
- Outlook Rules PERSISTENCE T1137.005 T1137
- Phishing INITIAL ACCESS T1566 -
Indicators of Compromise (IoCs)
IoC – Type – Description
5.62.57[.]7 – Unusual Login Source
95.142.124[.]42– IP – Unusual Source for Email Rule
hxxps://docsend[.]com/view/h9t85su8njxtugmq - Domain - Phishing Link
References
[1] https://wing.security/wp-content/uploads/2024/02/2024-State-of-SaaS-Report-Wing-Security.pdf
[2] https://www.virustotal.com/gui/ip-address/95.142.124.42
[3] https://urlscan.io/result/0caf3eee-9275-4cda-a28f-6d3c6c3c1039/
[4] https://www.virustotal.com/gui/url/8631f8004ee000b3f74461e5060e6972759c8d38ea8c359d85da9014101daddb
