
Azure AD Attackers Beware—Vectra Sees You

John Mancini
Product Management
May 6, 2021

In our most recent release, we have included a new detection capability we call Azure AD Privilege Operation Anomaly, to stop account takeovers in Azure AD. This AI algorithm was specifically designed to identify when attackers move in the Azure AD tenant to gain persistence, expand their reach, or take actions to evade detection.

Lately, we’ve seen an increase in attackers that have improved their ability to bypass multi-factor authentication (MFA) to infiltrate legitimate user accounts. Attackers are using their skills and targeting Azure AD to gain access to mission-critical SaaS applications ranging from customer relationship management (CRM) to cloud data storage to the full functionality of Office 365. Once an account is compromised, attackers will act within the environment to steal and ransom data. And since the attack leverages a trusted account, all these actions appear to be in full compliance according to cloud access security broker (CASB) software.

This shows why advanced detection and response in Azure AD and Office 365 is so important: it allows teams to be alerted as soon as an attack begins, already armed with complete knowledge of the attacker’s actions so that the attackers can be stopped before they reach their objectives.  

The new Vectra Cognito Azure AD Privilege Anomaly is a radical step forward in detecting account takeover events. Most importantly, it can detect when an account has been compromised and begins to abuse its privilege to give attackers increased access. The alert provides coverage across the full range of Azure AD actions that attackers perform, including the elevation of user privileges, modifications of application permissions, and changes to tenant access controls.

We achieved this comprehensive coverage by applying AI to go beyond simple signatures or rules. Vectra passively learns the exact minimum level of permissions that accounts use within Azure AD on a day-to-day basis. This "observed privilege" provides a more accurate representation of the accounts' operational permissions than what is dictated in Azure AD.

The learned "observed privilege" is unique to every tenant and is identified for every account and all 100+ different Azure AD operations. Vectra applies this "observed privilege" lens to audit every action performed in Azure AD and identify when an account is compromised and abusing its privilege.
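The two paragraphs above describe the idea at a high level: learn, per tenant and per account, which Azure AD operations an account actually performs, then audit every later operation against that learned set. The following Python is an added illustration of that baseline-and-audit pattern and is not Vectra's algorithm or code; it also tags findings with the three action categories named earlier (user privilege elevation, application permission modification, tenant access-control change). The audit events, account names and the mapping of operation names to categories are constructed for the example; the operation names are modelled on Azure AD audit log activity names but should be treated as illustrative rather than an exhaustive or authoritative list.

```python
"""
Illustrative "observed privilege" baseline for Azure AD audit events.

Added example, not Vectra's algorithm: it learns, per account, the set of
operations seen during a training window and flags later operations that
fall outside that set, tagging the privilege-changing ones with a category.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed mapping of operation names (in the style of Azure AD audit log
# activityDisplayName values; assumption, not an authoritative list) to the
# action categories the post names.
PRIVILEGE_OPERATIONS = {
    "Add member to role": "user privilege elevation",
    "Add eligible member to role": "user privilege elevation",
    "Update application": "application permission modification",
    "Add app role assignment to service principal": "application permission modification",
    "Add service principal credentials": "application permission modification",
    "Update conditional access policy": "tenant access-control change",
    "Delete conditional access policy": "tenant access-control change",
}


@dataclass
class AuditEvent:
    timestamp: str
    actor: str        # account that initiated the operation
    operation: str    # operation name as it appears in the audit log
    target: str = ""  # object the operation acted on


@dataclass
class Finding:
    event: AuditEvent
    reason: str
    privilege_category: Optional[str]  # None for non-privileged operations
    first_seen_actor: bool             # actor had no baseline at all


def learn_observed_privilege(training_events: List[AuditEvent]) -> Dict[str, Set[str]]:
    """Per-account set of operations actually performed during the baseline window."""
    observed: Dict[str, Set[str]] = defaultdict(set)
    for ev in training_events:
        observed[ev.actor].add(ev.operation)
    return dict(observed)


def audit_events(observed: Dict[str, Set[str]], events: List[AuditEvent]) -> List[Finding]:
    """Flag every operation an account has never been seen performing.

    Operations in PRIVILEGE_OPERATIONS carry their category so a reviewer can
    prioritise role, application and access-control changes over the rest.
    """
    findings: List[Finding] = []
    for ev in events:
        baseline = observed.get(ev.actor, set())
        if ev.operation in baseline:
            continue  # within the account's observed privilege
        category = PRIVILEGE_OPERATIONS.get(ev.operation)
        reason = ("privileged operation outside observed privilege"
                  if category else "operation outside observed privilege")
        findings.append(Finding(ev, reason, category, ev.actor not in observed))
    return findings


# Constructed sample data: a baseline window and a later window to audit.
TRAINING_EVENTS = [
    AuditEvent("2021-04-01T09:00:00Z", "alice@contoso.example", "Update user", "bob@contoso.example"),
    AuditEvent("2021-04-02T10:30:00Z", "alice@contoso.example", "Reset user password", "bob@contoso.example"),
    AuditEvent("2021-04-02T11:00:00Z", "svc-hr-sync@contoso.example", "Update user", "dave@contoso.example"),
    AuditEvent("2021-04-05T08:15:00Z", "admin@contoso.example", "Add member to role", "Helpdesk Administrator"),
]

NEW_EVENTS = [
    AuditEvent("2021-05-03T02:14:00Z", "alice@contoso.example", "Add member to role", "Global Administrator"),
    AuditEvent("2021-05-03T09:05:00Z", "alice@contoso.example", "Update user", "bob@contoso.example"),
    AuditEvent("2021-05-03T09:40:00Z", "admin@contoso.example", "Add member to role", "Helpdesk Administrator"),
    AuditEvent("2021-05-03T02:20:00Z", "alice@contoso.example", "Add service principal credentials", "Mail-Reader app"),
    AuditEvent("2021-05-04T14:00:00Z", "carol@contoso.example", "List users", ""),
]


def run_demo() -> List[Finding]:
    """Learn the baseline from the training window and audit the later window."""
    return audit_events(learn_observed_privilege(TRAINING_EVENTS), NEW_EVENTS)


if __name__ == "__main__":
    for f in run_demo():
        cat = f.privilege_category or "non-privileged"
        print(f"{f.event.timestamp} {f.event.actor} {f.event.operation!r} -> {f.reason} [{cat}]")
```

On the constructed data, alice's role assignment and new service principal credential are reported as privileged operations outside her observed privilege, admin's role assignment is accepted because it is in admin's baseline, and carol's read-only operation is reported at lower priority as an account with no baseline at all. A real deployment would also need to age the baseline and handle legitimately new administrators, which this sketch leaves out.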

Vectra can identify and stop attackers operating in your Microsoft Office 365 environment as well as any federated SaaS application using Azure AD. We know that attackers do not operate in silos, which is why Vectra tracks signs of attacker behavior across enterprise, hybrid, data center, IaaS and SaaS, all from a single point of control.

To learn more about Vectra, please feel free to contact us!
