The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems. In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, threat actors initiated the attack via compromised OAuth tokens from a prior breach at Okta, a SaaS identity security provider. What Exactly Happened? Microsoft Midnight Blizzard Breach Microsoft was targeted by the Russian "Midnight Blizzard" hackers (also known as Nobelium, APT29, or Cozy Bear) who are linked to the SVR, the Kremlin's foreign intelligence service unit. In the Microsoft breach, the threat actors: Used a password spray strategy on a legacy account and historic test accounts that did not have multi-factor authentication (MFA) enabled. According to Microsoft, the threat actors "[used] a low number of attempts to evade detection and avoid account blocks based on the volume of failures." Leveraged the compromised legacy account as an initial entry point to then hijack a legacy test OAuth app. This legacy OAuth app had high-level…Read More