Azure AD Attackers Beware—Vectra Sees You

May 6, 2021
John Mancini
Product Management at Vectra AI
Azure AD Attackers Beware—Vectra Sees You

In our most recent release, we have included a new detection capability we call Azure AD Privilege Operation Anomaly, to stop account takeovers in Azure AD. This AI algorithm was specifically designed to identify when attackers move in the Azure AD tenant to gain persistence, expand their reach, or take actions to evade detection.

Lately, we’ve seen an increase in attackers that have improved their ability to bypass multi-factor authentication (MFA) to infiltrate legitimate user accounts. Attackers are using their skills and targeting Azure AD to gain access to mission-critical SaaS applications ranging from customer relationship management (CRM) to cloud data storage to the full functionality of Office 365. Once an account is compromised, attackers will act within the environment to steal and ransom data. And since the attack leverages a trusted account, all these actions appear to be in full compliance according to cloud access security broker (CASB) software.

This shows why advanced detection and response in Azure AD and Office 365 is so important: it allows teams to be alerted as soon as an attack begins, already armed with complete knowledge of the attacker’s actions so that the attackers can be stopped before they reach their objectives.  

The new Vectra Cognito Azure AD Privilege Anomaly is a radical step forward when detecting account takeover events. Most importantly, it can detect when an account has been compromised and begins to abuse its privilege to give attackers increased access. The alert provides coverage across the full range of Azure AD actions that attackers perform, including the elevation of user privileges, modifications of application permissions, and changes to tenant access controls.

We achieved this comprehensive coverage by applying AI to go beyond simple signatures or rules. Vectra passively learns the exact minimum level of permissions that accounts use within Azure AD on a day-to-day basis. This “observed privilege” provides a more accurate representation of the accounts' operational permissions than what is dictated in Azure AD.  

The learned "observed privilege" is unique to every tenant and is identified for every account and all 100+ different Azure AD operations. Vectra applies this "observed privilege” lens to audit every action performed in Azure AD and identify when an account is compromised and abusing its privilege.  

Vectra can identify and stop attackers operating in your Microsoft Office 365 environment as well as any federated SaaS application using Azure AD. We know that attackers do not operate in silos, which is why Vectra tracks signs of attacker behavior across enterprise, hybrid, data center, IaaS and SaaS, all from a single point of control.

To learn more about Vectra, please feel free to contact us!