Joyce Teo

APT29 Phishing Attacks via Microsoft Teams: Tactics, Techniques, and Prevention

Overview of the Threat Actor: APT29 (Midnight Blizzard)

APT29, also known as Midnight Blizzard, NOBELIUM, UNC2452, or Cozy Bear, is a highly sophisticated Russia-based threat actor that the US and UK governments have attributed to the Foreign Intelligence Service of the Russian Federation (SVR). Midnight Blizzard (NOBELIUM) primarily targets governments, diplomatic entities, NGOs, and IT service providers, mainly in the US and Europe. Its primary objective is to collect and exfiltrate intelligence through espionage against foreign governments and interests. The group uses diverse initial access methods, ranging from stolen credentials, domain takeover and phishing to exploitation of on-premises environments, from which it moves laterally into the cloud, abusing service providers’ trust chains to reach downstream customers.

How does APT29 use Microsoft Teams for phishing campaigns?

Step 1: Compromising and spoofing tenant domains

Midnight Blizzard begins operations either by conducting password spray attacks (in one case successfully breaching an outdated, non-production test tenant account that lacked multifactor authentication (MFA)) or by purchasing abandoned corporate domains on dark web markets. The threat actor further increases stealth by routing its activity through a distributed residential proxy network. These tactics conceal its actions and allow it to sustain the attack over time until access is achieved.

Between 2023-2025, the group systematically:

  • Renamed compromised tenants to mimic trusted entities (e.g., “Contoso IT Support”)
  • Created “.onmicrosoft[.]com” subdomains like “support-contoso[.]onmicrosoft[.]com” to bypass domain reputation checks
  • Registered lookalike domains such as “microsoft-support[.]tech” with valid TLS certificates to host phishing pages

This infrastructure spoofing enabled the threat actor to send Teams messages appearing as internal notifications, with most of the targets perceiving them as legitimate due to Microsoft-branded headers.

Step 2: Social Engineering

During this step, Midnight Blizzard has either already obtained valid credentials for the users it is targeting, or it is targeting users whose accounts are configured for passwordless authentication. In both cases the authentication flow displays a code that the user must enter into the prompt in the Microsoft Authenticator app on their mobile device.

  1. Teams request to chat

The target receives a Microsoft Teams message request that appears to come from a member of the security team or technical support team.

  2. Request authentication app action

Once the victim accepts the message request, the threat actor convinces the victim to input a code into their Microsoft Authenticator app.

  3. Successful MFA authentication

Once the user complies with the threat actor’s instructions, the threat actor obtains a token to authenticate as the victim, giving them access to the victim’s M365 account. The threat actor then moves on to post-compromise exploitation.

Step 3: Post-Compromise Exploitations

The threat actor then proceeds with post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant.  

  1. Malicious use of OAuth applications

Once the threat actor gains access to the targeted tenant as the victim, they create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise any legacy test OAuth application that had elevated access to the Microsoft corporate environment. The threat actor creates additional malicious OAuth applications. In certain scenarios, the threat actor used the legacy test OAuth application to grant them the Office 365 Exchange Online “full_access_as_app” role, which allows access to mailboxes to gain access to tenant users and perform exfiltration and phishing.

Moreover, Midnight Blizzard has also been known to abuse OAuth applications in past attacks against other organisations using the “EWS.AccessAsUser.All” Microsoft Graph API role or the Exchange Online “ApplicationImpersonation” role to enable access to email.

For a deeper technical breakdown of how APT29 exploits cloud-native services and OAuth abuse in Microsoft 365, see our detailed analysis: APT29 in the Cloud – A Comprehensive Analysis of Threats and Detection Strategies.
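The OAuth-abuse chain just described (an app created or repurposed, credentials added to it, then a high-privilege mailbox permission granted to it) can be expressed as an audit-log rule. The Python below is an added example written for this page; it is not code from the article and not InsiderSecurity’s CSX logic. It assumes a simplified, constructed record shape rather than the raw Entra audit schema, and assumes the activity names it watches match the activityDisplayName values in the tenant’s audit log. The permission names are the ones the article lists.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Permissions the article names as abused by Midnight Blizzard.
HIGH_RISK_PERMISSIONS = {
    "full_access_as_app",        # Exchange Online: read/write every mailbox as the app
    "EWS.AccessAsUser.All",
    "ApplicationImpersonation",  # Exchange Online RBAC role
}

# Entra audit activityDisplayName values of interest (assumed to match the tenant's logs).
APP_CREATED = "Add service principal"
CREDS_ADDED = "Add service principal credentials"
PERMISSION_GRANTS = {"Add app role assignment to service principal", "Consent to application"}
WATCHED = {APP_CREATED, CREDS_ADDED} | PERMISSION_GRANTS


def _ts(s):
    return datetime.fromisoformat(s)


def analyse_audit(records, window_minutes=60):
    """
    records: simplified audit entries (constructed shape, not the raw Entra schema):
        {"ts", "activity", "actor", "app", "permission" (or None), "result"}
    Returns a list of alert dicts.
    """
    alerts = []
    per_actor = defaultdict(list)
    for r in records:
        if r["activity"] not in WATCHED or r["result"] != "success":
            continue                      # failed grants are noise for this rule
        per_actor[r["actor"]].append(r)
        if r.get("permission") in HIGH_RISK_PERMISSIONS:
            alerts.append({"severity": "high", "actor": r["actor"], "app": r["app"],
                           "reason": f"high-risk permission granted: {r['permission']}"})

    # Sequence rule: one identity creating an app, adding credentials to it and granting it
    # permissions inside a short window mirrors the post-compromise chain described above.
    for actor, evs in per_actor.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        kinds = {e["activity"] for e in evs}
        span = _ts(evs[-1]["ts"]) - _ts(evs[0]["ts"])
        if (APP_CREATED in kinds and CREDS_ADDED in kinds and kinds & PERMISSION_GRANTS
                and span <= timedelta(minutes=window_minutes)):
            alerts.append({"severity": "high", "actor": actor, "app": evs[0]["app"],
                           "reason": "app created, credentialed and granted permissions within "
                                     f"{int(span.total_seconds() // 60)} min"})
    return alerts


# Constructed sample audit trail (values are illustrative, not real telemetry).
SAMPLE_AUDIT = [
    {"ts": "2025-03-01T09:02:00", "activity": APP_CREATED, "actor": "victim@contoso.example",
     "app": "Legacy Test App", "permission": None, "result": "success"},
    {"ts": "2025-03-01T09:05:00", "activity": CREDS_ADDED, "actor": "victim@contoso.example",
     "app": "Legacy Test App", "permission": None, "result": "success"},
    {"ts": "2025-03-01T09:11:00", "activity": "Add app role assignment to service principal",
     "actor": "victim@contoso.example", "app": "Legacy Test App",
     "permission": "full_access_as_app", "result": "success"},
    {"ts": "2025-03-01T10:00:00", "activity": "Consent to application", "actor": "admin@contoso.example",
     "app": "HR Portal", "permission": "User.Read", "result": "success"},
    {"ts": "2025-03-01T10:30:00", "activity": "Add app role assignment to service principal",
     "actor": "admin@contoso.example", "app": "HR Portal",
     "permission": "ApplicationImpersonation", "result": "failure"},
]

if __name__ == "__main__":
    for a in analyse_audit(SAMPLE_AUDIT):
        print(a["severity"].upper(), a["actor"], a["app"], a["reason"])
```

The single-event rule fires on any successful grant of one of the three permissions regardless of who did it; the sequence rule catches the case where a legitimate-looking permission is granted but the surrounding create/credential/grant activity by one account in under an hour is itself the signal.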

  2. Adding Malicious Devices to Compromised Tenant

In other instances, Midnight Blizzard attempts to register a device with the organisation’s Microsoft Entra ID (formerly Azure Active Directory) in an effort to enrol it as a managed or compliant device. This tactic is designed to bypass Conditional Access policies that restrict access to sensitive resources such as email, SharePoint, or Teams to only devices that are marked as compliant or hybrid Azure AD-joined. By registering their own infrastructure as a managed device, the actor seeks to meet these conditional access requirements without raising immediate suspicion. When abused by a threat actor, it allows malicious endpoints to masquerade as trusted devices, thereby evading key security controls designed to prevent unauthorised access.

In newer campaigns, Volexity published a blog post on Russia-linked threat actors, tracked as UTA0352 and UTA0355, conducting similar phishing campaigns that abuse Microsoft OAuth 2.0 to target entities with ties to Ukraine.

Unlike the Midnight Blizzard campaigns, the resource requested here is the Device Registration Service, which Windows uses to join new devices to Entra ID. The attacker uses this access to enrol a new device in the victim’s Entra ID. Using the ROADTools project, Volexity was able to replicate these steps and obtain a new token with full permissions for Microsoft Graph API access. This technique leverages a flaw in the Entra ID API design to grant an access token with a greater level of access than was initially granted.

In one observed interaction, UTA0355 asked the victim to approve a two-factor authentication (2FA) prompt under the guise of accessing a SharePoint site tied to a conference. This step was critical for bypassing the additional security controls enforced by the victim’s organisation, ultimately enabling the attacker to gain access to the victim’s email.

  3. Lateral Movement via Teams Chats

Once the threat actor successfully compromises an account, they are able to impersonate the legitimate user within the organisation. Leveraging this impersonation capability, the attacker continues their intrusion by sending phishing messages via Microsoft Teams to additional users listed in the tenant’s directory. These messages often appear as legitimate communications from a trusted colleague, increasing the likelihood of the recipients engaging with malicious content, such as links to credential-harvesting sites or weaponised attachments. This lateral movement technique allows the attacker to propagate their access within the environment, compromise more accounts, and establish a wider foothold for further exploitation or data exfiltration.

MITRE ATT&CK MAPPING

How to Detect APT29 Activity with InsiderSecurity CSX

Organisations can detect and respond to these threats with advanced cloud-native monitoring. InsiderSecurity CSX provides robust detection use cases, including:

  1. Abnormal Token tenant ID
  2. Unusual App Given Access (Azure, GWS, M365)
  3. Application Credentials Added
  4. Third Party Cloud Application Installed
  5. Email forwarding settings changed
  6. User Updated Mailbox Rules
  7. SharePoint/OneDrive Data Theft
  8. Unusual User Agent
  9. Unusual User IP address

Zero Trust Security and continuous behavioural analytics are essential in detecting modern identity-based attacks.

CONCLUSION

In conclusion, phishing campaigns via Microsoft Teams have emerged as a sophisticated and highly targeted attack vector exploited by the Russian APT group Midnight Blizzard (also known as APT29 or Cozy Bear) primarily for espionage purposes. Leveraging compromised Microsoft 365 tenants, the group crafts convincing social engineering lures that impersonate technical support to trick users into revealing credentials or approving multifactor authentication prompts, enabling persistent access to sensitive environments. To defend against such threats, organisations should enforce strict identity and access management controls, implement robust user awareness training focused on social engineering tactics, and apply continuous monitoring of authentication events and external collaboration activities to detect and mitigate unauthorised access attempts early.

Indicators of Compromise (IoCs)

Domain                                    Type          Description
msftprotection.onmicrosoft[.]com          Domain name   Malicious actor-controlled subdomain
mlcrosoftaccounts.onmicrosoft[.]com       Domain name   Malicious actor-controlled subdomain
msftonlineservices.onmicrosoft[.]com      Domain name   Malicious actor-controlled subdomain
msonlineteam.onmicrosoft[.]com            Domain name   Malicious actor-controlled subdomain
msftservice.onmicrosoft[.]com             Domain name   Malicious actor-controlled subdomain
noreplyteam.onmicrosoft[.]com             Domain name   Malicious actor-controlled subdomain
accounteam.onmicrosoft[.]com              Domain name   Malicious actor-controlled subdomain
teamsprotection.onmicrosoft[.]co          Domain name   Malicious actor-controlled subdomain
identityVerification.onmicrosoft[.]com    Domain name   Malicious actor-controlled subdomain
accountsVerification.onmicrosoft[.]com    Domain name   Malicious actor-controlled subdomain
azuresecuritycenter.onmicrosoft[.]com     Domain name   Malicious actor-controlled subdomain
teamsprotection.onmicrosoft[.]com         Domain name   Malicious actor-controlled subdomain
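As an added example (not code from the article or from InsiderSecurity), the following Python script turns the IoC list above and the Step 1 tenant-spoofing pattern into a screening check for external Teams chat requests. It assumes a simplified record shape for each request (sender_domain, display_name), a constructed allowlist of approved partner tenants, and a hypothetical keyword heuristic for tenant labels that imitate Microsoft or an IT help desk; the IoC domains are the ones published in the table above.

```python
import re

# IoC subdomains from the table above (defanged "[.]" form as published).
ARTICLE_IOC_DOMAINS = [
    "msftprotection.onmicrosoft[.]com",
    "mlcrosoftaccounts.onmicrosoft[.]com",
    "msftonlineservices.onmicrosoft[.]com",
    "msonlineteam.onmicrosoft[.]com",
    "msftservice.onmicrosoft[.]com",
    "noreplyteam.onmicrosoft[.]com",
    "accounteam.onmicrosoft[.]com",
    "identityVerification.onmicrosoft[.]com",
    "accountsVerification.onmicrosoft[.]com",
    "azuresecuritycenter.onmicrosoft[.]com",
    "teamsprotection.onmicrosoft[.]com",
]

# Heuristic word list (assumption): tenant labels built from these read as "Microsoft" or "IT support".
BRAND_KEYWORDS = ("microsoft", "mlcrosoft", "msft", "msonline", "teams", "azure", "security",
                  "protection", "verification", "noreply", "support", "account", "helpdesk")


def refang(domain):
    """Turn a defanged IoC ("[.]") back into a comparable lowercase hostname."""
    return domain.replace("[.]", ".").strip().lower()


KNOWN_BAD = {refang(d) for d in ARTICLE_IOC_DOMAINS}


def tenant_of(domain):
    """Return the tenant label of a <label>.onmicrosoft.com domain, else None."""
    m = re.fullmatch(r"([a-z0-9-]+)\.onmicrosoft\.com", refang(domain))
    return m.group(1) if m else None


def assess_sender_domain(domain, allowlisted_tenants):
    """Classify the home tenant of an external Teams chat request: (verdict, reason)."""
    host = refang(domain)
    if host in KNOWN_BAD:
        return ("block", "matches a published Midnight Blizzard IoC")
    label = tenant_of(host)
    if label is None:
        return ("review", "not an onmicrosoft.com tenant; apply the normal external-sender policy")
    if label in allowlisted_tenants:
        return ("allow", "tenant is on the approved external-collaboration list")
    hits = [k for k in BRAND_KEYWORDS if k in label]
    if hits:
        return ("block", "unapproved tenant impersonating Microsoft/IT support: " + ", ".join(hits))
    return ("review", "unapproved external tenant")


def triage(chat_requests, allowlisted_tenants):
    """Return (sender_domain, reason) for every request that should be blocked."""
    blocked = []
    for rec in chat_requests:
        verdict, reason = assess_sender_domain(rec["sender_domain"], allowlisted_tenants)
        if verdict == "block":
            blocked.append((rec["sender_domain"], reason))
    return blocked


# Constructed sample records; shape and values are illustrative, not real telemetry.
SAMPLE_REQUESTS = [
    {"sender_domain": "partnerco.onmicrosoft.com", "display_name": "Alice (PartnerCo)"},
    {"sender_domain": "msftprotection.onmicrosoft.com", "display_name": "Microsoft Identity Protection"},
    {"sender_domain": "support-contoso.onmicrosoft.com", "display_name": "Contoso IT Support"},
    {"sender_domain": "example.org", "display_name": "Bob"},
]
ALLOWLIST = {"partnerco"}

if __name__ == "__main__":
    for dom, why in triage(SAMPLE_REQUESTS, ALLOWLIST):
        print(f"BLOCK {dom}: {why}")
```

Known IoCs are matched before the allowlist so a stale allowlist entry cannot shadow a published indicator. Anything that is neither allowlisted nor obviously spoofed goes to a review queue rather than being blocked outright, because legitimate collaboration with unfamiliar tenants is common.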

Exploitation of “xp_cmdshell” in MS SQL: Critical Risks & How to Defend

What is xp_cmdshell

xp_cmdshell is an extended stored procedure in Microsoft SQL Server that allows users to execute Windows shell commands from the SQL Server environment. While it is a powerful feature designed for administrative tasks, it can also be abused by attackers to gain initial access, escalate privileges, and move laterally within a network. The Windows process spawned by xp_cmdshell has the same security rights as the SQL Server service account. 

How does xp_cmdshell execute Windows commands? 

When xp_cmdshell is executed, it spawns a command shell on the Windows operating system and runs the specified command. The command is executed with the privileges of the SQL Server service account, and this determines the level of access the attacker has to the underlying system. 

Below are the service accounts that are commonly used to execute the command: 

  1. SQL Server Service Account: By default, xp_cmdshell executes commands under the context of the service account running the SQL Server instance, for example:
       • “NT AUTHORITY\SYSTEM” (Local System) – Full administrative privileges.
       • “NT SERVICE\MSSQLSERVER” (Default SQL Server service account) – Limited privileges.
       • A domain service account
  2. Proxy Account (Optional): If configured, xp_cmdshell can use a lower-privileged proxy account instead of the SQL Server service account.

If the user is not a member of the sysadmin role, xp_cmdshell executes commands using the account name and password stored in the credential named “xp_cmdshell_proxy_account”.

The main weakness is that the service account often has more privileges than the executed processes require, so xp_cmdshell should be enabled only for a small number of specific users, if at all.

Why is xp_cmdshell susceptible to attacks? 

Several factors contribute to the security risks associated with xp_cmdshell

  1. Privilege Levels – Since xp_cmdshell executes commands with the SQL Server service account’s privileges, it can be extremely dangerous if that account has administrative rights on the system.
  2. Weak Authentication & Misconfigurations – Poorly secured SQL Servers with weak credentials or default settings make it easier for attackers to gain access and enable xp_cmdshell.
  3. SQL Injection Exploits – If an application connected to SQL Server is vulnerable to SQL injection, attackers can execute commands through xp_cmdshell without even having direct access to the database.
  4. Lack of Monitoring & Logging – Many organisations fail to properly monitor SQL Server logs, allowing attackers to enable xp_cmdshell and execute commands undetected.
  5. Lateral Movement Capabilities – Once an attacker gains control of a system via xp_cmdshell, they can use built-in Windows tools like psexec and wmic to pivot to other machines in the network.
  6. Persistence Mechanisms – Attackers can use xp_cmdshell to create scheduled tasks or modify registry entries to maintain long-term access.

MITRE ATT&CK MAPPING

The misuse of xp_cmdshell aligns with several MITRE ATT&CK tactics and techniques below:

Real-world exploitation techniques of xp_cmdshell  

By default, xp_cmdshell is disabled in modern versions of SQL Server, but attackers often attempt to enable it during exploitation. If enabled, it provides a direct path to executing malicious commands, downloading additional payloads, and gaining full control over the compromised system. 

Attackers therefore begin by checking whether xp_cmdshell is enabled and, if it is not, proceed to enable it.

If SQL Server returns an error, the attacker enables xp_cmdshell with the following command:

Following the enabling of xp_cmdshell, attackers then execute a reverse shell to maintain access and conduct further exploitation. Commonly, attackers encode their reverse shell command to evade security measures.  Below is an example: 

Once the payload is executed through xp_cmdshell, a reverse shell connection is spawned, giving the attacker interactive access under the privileged service account.

How xp_cmdshell misconfiguration enables SQL injection to target the OS

In many environments, SQL Server runs with high privileges, sometimes as Local System or an administrator-level service account. Any command executed through xp_cmdshell inherits these privileges, allowing an attacker to perform system-wide operations. If the SQL Server service account has excessive permissions, an attacker exploiting xp_cmdshell can turn an SQL injection into OS-level exploitation. Two examples follow:

Exploiting a Vulnerable Web Application 

Consider a login form with an improperly sanitised SQL query: 

An attacker could input the following payload in the username field: 

This forces the database to execute whoami, revealing the privilege level of the SQL service account. With administrative privileges, an attacker can: 

  1. Add a new administrator account 
  2. Download and execute a backdoor

Exploiting MSSQL Access via Reverse Proxy 

If an attacker has gained access to an MSSQL server through a reverse proxy (e.g., from an initial foothold), they can use xp_cmdshell to further escalate privileges: 

If the server is domain-joined, they can attempt lateral movement: 

They may also dump credentials: 

Remediation Against xp_cmdshell exploitation 

To defend against xp_cmdshell exploitation, organisations should disable it unless necessary and enforce strict authentication for database access. The SQL Server service account should have minimal privileges, preventing it from executing system-wide commands. Logging and monitoring tools should be used to detect unauthorised use of xp_cmdshell. Implementing network segmentation and restricting database access to trusted systems can limit lateral movement. Additionally, web applications should be hardened against SQL injection by using parameterised queries and Web Application Firewalls (WAFs). Regular security audits and vulnerability assessments should be conducted to identify misconfigurations and reduce exposure to attacks. 
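As an added example (not code from the article or from InsiderSecurity’s DAM), the following Python implements the logging and monitoring point above: it reads a constructed, simplified extract of SQL Server audit output and flags the enable sequence (sp_configure with 'show advanced options' followed by 'xp_cmdshell'), any xp_cmdshell invocation, and invocations that launch PowerShell with an encoded command, lowering severity when the caller is an approved DBA login. The audit line format, the login names and the statements are constructed, and the encoded payload is a placeholder string.

```python
import re
from collections import Counter

# Constructed sample of SQL Server audit output, reduced to "time|server_principal|statement".
# In practice this would come from a SQL Server Audit or Extended Events session that
# captures sp_configure and xp_cmdshell batches.
SAMPLE_AUDIT = """\
2025-02-10T08:14:02|CONTOSO\\dba01|SELECT name, value FROM sys.configurations WHERE name = 'xp_cmdshell'
2025-02-10T08:14:09|webapp_svc|EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2025-02-10T08:14:10|webapp_svc|EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2025-02-10T08:14:31|webapp_svc|EXEC master..xp_cmdshell 'whoami'
2025-02-10T08:15:05|webapp_svc|EXEC xp_cmdshell 'powershell -nop -w hidden -enc BASE64_PLACEHOLDER'
2025-02-10T09:00:00|CONTOSO\\dba01|EXEC xp_cmdshell 'dir D:\\Backups'
"""

# Ordered rules: (severity, title, pattern).
RULES = [
    ("critical", "xp_cmdshell enabled via sp_configure",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("medium", "advanced options enabled (precursor to enabling xp_cmdshell)",
     re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I)),
    ("high", "xp_cmdshell executed",
     re.compile(r"\bxp_cmdshell\s+'", re.I)),
]
# PowerShell launched with an encoded command (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS = re.compile(r"\bpowershell\b.*?\s-(?:e|ec|enc|encodedcommand)\s", re.I)


def scan(audit_text, approved_logins):
    """Return one finding per statement that matches a rule, in log order."""
    findings = []
    for raw in audit_text.splitlines():
        if not raw.strip():
            continue
        ts, login, stmt = raw.split("|", 2)
        for severity, title, rx in RULES:
            if not rx.search(stmt):
                continue
            if title == "xp_cmdshell executed":
                if ENCODED_PS.search(stmt):
                    severity, title = "critical", "xp_cmdshell launching encoded PowerShell"
                elif login in approved_logins:
                    severity, title = "low", "xp_cmdshell used by an approved login"
            findings.append({"time": ts, "login": login, "severity": severity,
                             "title": title, "statement": stmt})
    return findings


def by_login(findings):
    """Count findings per login so a burst of activity from one principal stands out."""
    return Counter(f["login"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT, {"CONTOSO\\dba01"}):
        print(f"{f['time']} {f['severity']:<8} {f['login']:<16} {f['title']}")
```

The read-only query against sys.configurations in the first line produces no finding, which is deliberate: checking whether the procedure is enabled is routine, while enabling it or calling it from an application service account is not.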

Implementation of an automated response and alert system can be done through InsiderSecurity’s Database Activity Monitor (DAM).  

Conclusion

xp_cmdshell is a powerful yet dangerous feature in MS SQL Server. While it can facilitate administrative tasks, it is also a prime target for attackers seeking initial access and privilege escalation. Organisations must disable xp_cmdshell when not needed, enforce strict security policies, and monitor their SQL environments for potential exploitation attempts. 

By understanding the risks and attack vectors associated with xp_cmdshell, security teams can better defend against cyber threats and ensure the integrity of their SQL Server deployment. 

Staying ahead of cyber threats

Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behaviour analytics products that help your company to uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the CSX for ensuring cloud data security.   

DAM is designed to detect sophisticated attacks described in this article making it an essential subscription for any organisation serious about its cybersecurity posture. Beyond detecting threats, DAM offers recommendations and a user-friendly avenue for executing remedial actions and implementing mitigation strategies.  

InsiderSecurity Recognised as One of Asia-Pacific’s High-Growth Companies by Financial Times

Singapore, 25 March 2025 – InsiderSecurity, a leader in cybersecurity innovation, has been named one of Asia-Pacific’s High-Growth Companies 2025 by the Financial Times and Statista, cementing its position as a key player in the region’s rapidly expanding cybersecurity sector. This recognition underscores InsiderSecurity’s dynamic growth and its pivotal role in safeguarding organisations across Asia-Pacific against evolving cyber threats. 

Explore the full Financial Times list here.

Accelerating Growth Through Advanced Cybersecurity Solutions 

Headquartered in Singapore, InsiderSecurity is an award-winning cybersecurity software company on a mission to simplify digital security for enterprises, critical infrastructure and governments. Its suite of cutting-edge solutions—including CSX, Database Activity Monitor (DAM), and Smart Log Review —empowers organisations to detect, analyse, and mitigate threats efficiently in today’s fast-paced digital economy. 

With its R&D and strong support based in the region, InsiderSecurity solutions help to address the unique cybersecurity challenges faced by organisations across Asia-Pacific. 

Trailblazing Industry Firsts 

InsiderSecurity continues to set benchmarks in cybersecurity excellence. It is the first ASEAN cybersecurity company to achieve CSA STAR Level 2 certification, the gold standard for cloud security, alongside ISO 27001 accreditation for world-class information security management. 

The firm also earned distinction as the first cybersecurity provider accredited by Singapore’s Infocomm Media Development Authority (IMDA) in User and Entity Behavior Analytics (UEBA), a critical capability for identifying sophisticated insider threats and external attacks. 

These achievements reflect InsiderSecurity’s commitment to advancing cybersecurity standards and delivering trusted solutions that meet global compliance requirements. 

Exceptional Growth Metrics

InsiderSecurity’s inclusion in the Financial Times High-Growth Companies Asia-Pacific 2025 list is backed by impressive financial and operational growth metrics: 

  • Absolute Growth Rate: 513.04% 
  • Compound Annual Growth Rate (CAGR): 83.02% 
  • InsiderSecurity ranking: 105th out of the top 500 companies 

These figures highlight InsiderSecurity’s remarkable trajectory, driven by its innovative solutions. 

Why This Recognition Matters 

Inclusion in the Financial Times High-Growth Companies Asia-Pacific 2025 list highlights InsiderSecurity’s remarkable revenue growth and its ability to deliver scalable, impactful solutions.  

It is a strong testimonial that InsiderSecurity delivered effective cybersecurity solutions for our customers. 

This accolade follows InsiderSecurity’s earlier recognition as one of Singapore’s Fastest-Growing Companies by The Straits Times and Statista, further validating our focus on innovation and customer value. 

Looking to the Future 

InsiderSecurity remains dedicated to its mission: simplifying cybersecurity for organisations across Asia-Pacific and beyond. By combining deep regional expertise with globally certified technologies, the company is poised to empower businesses to thrive securely. 

Learn more about InsiderSecurity’s solutions at www.insidersecurity.co. 

About Financial Times High-Growth Companies Asia-Pacific 

The Financial Times’ High-Growth Companies Asia-Pacific ranking, produced with Statista, identifies organisations that have achieved extraordinary revenue growth between 2020 and 2023. The list celebrates innovation, agility, and resilience in one of the world’s most dynamic economic regions. 

About InsiderSecurity 

InsiderSecurity is an award-winning cybersecurity company headquartered in Singapore. A pioneer in ASEAN, it holds CSA STAR Level 2 and ISO 27001 certifications and is IMDA-accredited for its UEBA innovations. Its solutions are trusted by government agencies, critical infrastructure operators, and enterprises to combat advanced cyber threats.

M365 Botnet Password Spraying Attack 

Introduction

SecurityScorecard discovered that Microsoft 365 (M365) tenants globally are being targeted with password spraying attacks by a nation-state threat actor. These attacks exploit non-interactive sign-ins with Basic Authentication, enabling threat actors to bypass modern login protections by evading Multi-Factor Authentication (MFA). The botnet, active since at least December 2024, was composed of over 130,000 devices operating in the Asia/Shanghai timezone.

Attack Overview

According to SecurityScorecard, the botnet consists of over 130,000 compromised devices controlled by six command and control (C2) servers hosted in the United States. The botnet routes its traffic through proxies on China-affiliated hosting providers, UCLOUD HK and CDS Global Cloud, and targets M365 accounts across multiple organizations. The attacks employ Tactics, Techniques and Procedures (TTPs) such as password spraying, non-interactive sign-ins, Basic Authentication abuse, use of stolen credentials and proxy-based evasion. The botnet takes credentials from infostealer logs and systematically attempts to log in to M365 accounts using non-interactive sign-ins, which allows the threat actor to evade Multi-Factor Authentication (MFA) enforcement and bypass Conditional Access Policies (CAP). Because these logins are recorded as non-interactive sign-ins, security visibility is reduced. Non-interactive sign-ins are commonly used for service-to-service authentication, legacy protocols (e.g., POP, IMAP, SMTP) and automated processes, so in many configurations they do not trigger MFA. Where Basic Authentication is still enabled, credentials are transmitted in plain form, making it a prime target for threat actors.

Mapping the attack to MITRE ATT&CK framework 

We can map the attacks to the following Tactics, Techniques, and Procedures (TTPs) in MITRE. 

Attack Analysis 

The threat actor performs password spraying through non-interactive sign-ins in order to gain access to M365 accounts. Events associated with spraying attacks through these botnets use the “fasthttp” user agent string, as detected by the SpearTip Security Operations Center. Fasthttp is a high-performance HTTP server and client library for the Go programming language, designed to handle HTTP requests. All observed attempts have targeted the Azure Active Directory Graph API (Application ID: 00000002-0000-0000-c000-000000000000). Data analyzed from a large set of Microsoft 365 tenants indicates that “fasthttp” was first observed as a user agent on January 6th, 2025. Further investigation led to the discovery of six Command and Control (C2) servers with these IP addresses:

  1. 70.39.115.74  
  2. 70.39.120.10
  3. 204.188.218.178
  4. 204.188.218.179
  5. 204.188.210.226
  6. 204.188.210.227

Investigating the C2 servers reveals 10 open ports that are being used for various purposes. The ports used by the C2 servers are:

Port   Service             Possible Use
1002   Unknown             Unknown
2181   Zookeeper           Kafka
3306   MySQL               Data storage or botnet configuration
6379   Redis               Key-value store
7779   Unknown             Unknown
8081   Jetty web service   Zookeeper query service
10050  Zabbix Agent        Potential botnet monitoring
33060  MySQL X Protocol    Likely used with MySQL service
12341  -                   Botnet C2 channel (client registration)
12342  -                   Possibly used for tasking infected hosts
12347  -                   Possible data exfiltration or backup C2
12348  -                   High probability of main C2 command execution

These servers run Apache Zookeeper, a distributed system coordination framework, suggesting the likely use of a distributed campaign infrastructure. Notably, the presence of Zookeeper—an industry-standard for distributed systems—may indicate a sophisticated threat actor with advanced software engineering expertise, considering the challenges of maintaining a Zookeeper cluster at scale. Port 8081 remains unrestricted, allowing server queries that revealed additional details including uptime information. Further analysis of the Zookeeper nodes indicates they also operate Apache Kafka. 

Remediation

Remediation starts with a robust monitoring strategy across all M365 environments. This includes monitoring non-interactive sign-in logs for unknown or suspicious user agents that may indicate malicious activity. M365 administrators should enforce an immediate password reset for all compromised accounts and invalidate active sessions to prevent further unauthorized access.
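As an added example, not code from the article or from SecurityScorecard, the Python below applies the monitoring advice above to a constructed batch of non-interactive sign-in records and to a constructed set of outbound network flows. It assumes a simplified record shape rather than the raw Entra sign-in schema; the user-agent marker, the Azure AD Graph application ID, the C2 addresses and the C2 ports are the values reported in this article.

```python
from collections import defaultdict

# Values taken from the article: the Azure AD Graph application ID that every observed
# attempt targeted, the reported C2 addresses, and the ports assessed as C2 channels.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"
C2_IPS = {"70.39.115.74", "70.39.120.10", "204.188.218.178",
          "204.188.218.179", "204.188.210.226", "204.188.210.227"}
C2_PORTS = {12341, 12342, 12347, 12348}
SUSPICIOUS_UA_MARKERS = ("fasthttp",)


def analyse_signins(events, spray_threshold=5):
    """
    events: simplified non-interactive sign-in records (constructed shape):
        {"user", "ip", "ua", "resource", "success", "interactive", "legacy_auth"}
    Returns (kind, user, ip, detail) tuples.
    """
    alerts = []
    failed_users_per_ip = defaultdict(set)
    for e in events:
        if e["interactive"]:
            continue                                   # this rule set is for non-interactive logs
        ua = e["ua"].lower()
        if any(m in ua for m in SUSPICIOUS_UA_MARKERS) and e["resource"] == AAD_GRAPH_APP_ID:
            alerts.append(("ua", e["user"], e["ip"], f"user agent '{e['ua']}' against Azure AD Graph"))
        if e["legacy_auth"] and e["success"]:
            alerts.append(("legacy", e["user"], e["ip"], "successful legacy/basic-auth sign-in (no MFA)"))
        if not e["success"]:
            failed_users_per_ip[e["ip"]].add(e["user"])
    # Password spray signature: one source IP failing against many distinct accounts.
    for ip, users in failed_users_per_ip.items():
        if len(users) >= spray_threshold:
            alerts.append(("spray", "*", ip, f"{len(users)} distinct accounts failed from one IP"))
    return alerts


def flag_c2_flows(flows):
    """Match outbound flows against the C2 addresses and note when the port is a known C2 channel."""
    hits = []
    for f in flows:
        if f["dst_ip"] in C2_IPS:
            channel = "known C2 channel port" if f["dst_port"] in C2_PORTS else "other port"
            hits.append((f["src_ip"], f["dst_ip"], f["dst_port"], channel))
    return hits


def ev(user, ip, ua, success, interactive=False, legacy=False, resource=AAD_GRAPH_APP_ID):
    return {"user": user, "ip": ip, "ua": ua, "resource": resource,
            "success": success, "interactive": interactive, "legacy_auth": legacy}


# Constructed sample data (documentation IP ranges, not real hosts).
SAMPLE_SIGNINS = [ev(f"user{i}@contoso.example", "198.51.100.7", "fasthttp", False) for i in range(6)] + [
    ev("user6@contoso.example", "198.51.100.7", "fasthttp", True, legacy=True),
    ev("alice@contoso.example", "203.0.113.5", "Mozilla/5.0 (Windows NT 10.0)", True, interactive=True),
    ev("svc-backup@contoso.example", "10.0.0.9", "Microsoft Office/16.0", True),
]
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.22", "dst_ip": "204.188.218.178", "dst_port": 12348},
    {"src_ip": "10.0.0.23", "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for kind, user, ip, detail in analyse_signins(SAMPLE_SIGNINS):
        print(kind.upper(), user, ip, detail)
    print(flag_c2_flows(SAMPLE_FLOWS))
```

The sign-in source addresses are not compared with the C2 list on purpose: the article notes the botnet reaches Microsoft through proxies, so the C2 addresses belong in egress and firewall telemetry (flag_c2_flows), not in the sign-in log. The one successful legacy-auth sign-in in the sample is the record that matters most, since it is the account whose password the spray found.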

In addition, the deployment of automated alerts and remediation workflows is essential for reducing response times and minimizing the overall impact of an attack. By integrating automated detection systems with remediation protocols, organizations can ensure that security teams are alerted in real time, enabling them to take swift, targeted actions. This not only improves operational efficiency but also ensures that security breaches are mitigated with minimal delay. It is imperative that these processes be continuously reviewed and updated to address evolving threat tactics and maintain a high level of protection for M365 environments. 

Implementation of an automated response and alert system can be done through InsiderSecurity’s CSX.  

CSX dashboard highlights multiple failed login attempts from different IP addresses into the same user account, helping security teams quickly identify potential brute-force or credential-stuffing attacks.

Staying ahead of cyber threats  

Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company to uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the CSX for ensuring cloud data security.   

CSX is designed to detect sophisticated attacks described in this article making it an essential subscription for any organization serious about its cybersecurity posture. Beyond detecting threats, CSX offers recommendations and a user-friendly avenue for executing remedial actions and implementing mitigation strategies.  

CSX provides an easy way to perform mitigation and remediation.


What is UEBA? A Quick Guide to User and Entity Behavior Analytics (UEBA)

Visibility into user actions is one of the critical challenges in the modern digital landscape. Traditional rule-based security solutions that generate a high number of alerts within modern environments are no longer practical; a new approach is needed. This is where User and Entity Behavior Analytics (UEBA) emerges as a critical security component, providing cybersecurity teams with visibility into user behaviors. Powered by technologies such as Artificial Intelligence and Machine Learning, UEBA establishes baselines for regular user activity within a network and then identifies deviations from these baselines. This empowers cybersecurity teams to detect advanced attacks, such as insider threats and zero-day exploits, which can easily slip under the radar of traditional security products.

What is UEBA?

UEBA utilizes a data-driven approach to cybersecurity by baselining normal behavior using advanced technologies such as machine learning. Any activity that deviates from this baseline is flagged for investigation. This advanced analytics approach enables it to detect subtle, advanced attacks that would be undetectable by controls like firewalls and anti-malware solutions. UEBA has emerged as a critical defense in modern cybersecurity frameworks as attacks increase in sophistication and complexity.

An example of where UEBA can provide visibility is in cases of compromised accounts. Credential compromise is an extremely difficult attack to detect once the attacker has successfully authenticated using the stolen credentials. However, UEBA can detect patterns in user behavior that are indicative of suspicious activity and flag them for review, potentially averting a cybersecurity incident.

Another example would involve insider threats, which are even more challenging to detect than compromised accounts. An employee abusing the authorized access they have been granted can be detected by UEBA, due to unusual file access patterns or data exfiltration attempts that might go unnoticed by other solutions.

How does UEBA work?

UEBA applies the power of machine learning to detect anomalies within the massive amounts of data generated in an environment. A UEBA solution is typically implemented in the following steps:

  • Data Ingestion and Aggregation: A UEBA requires visibility into the environment to work effectively. This is achieved by gathering and aggregating data from audit logs, network traffic, authentication, and authorization systems, etc. This data is crucial for the UEBA to learn the environment.
  • Baselining: In this phase, the UEBA utilizes its powerful machine learning algorithms to develop a baseline of what is and is not normal within the environment. The more information about the environment the UEBA learns, the better it is at detecting potential malicious activity. This baseline is not static and evolves over time as user behavior changes.
  • Monitoring: In this phase, the UEBA starts monitoring and flagging anomalies such as unusual privileged activity, unusual logins, excessive file downloads, etc. The nuanced and intelligent approach it provides to cybersecurity monitoring makes it a powerful tool within an environment that complements existing endpoint and network security controls.

UEBA use cases

UEBA can handle various use cases within cybersecurity due to its behavior-centric model. Let us take a look at some of the critical scenarios where UEBA can be particularly effective:

  • Insider Threats: Employees with malintent can cause significant damage to an organization by abusing the authorized access they have been granted. A UEBA can detect such malicious intent by identifying patterns of behavior that differ from how the employee typically operates, such as working at odd hours, unusual logins, excessive downloads, etc. This can be extremely effective for organizations that grant employees access to highly sensitive data or during periods of high turnover, where the risk of disgruntled employees is high.
  • Compromised Accounts: Attackers can compromise user credentials to gain access to an environment to carry out cyberattacks. The same principle as the previous scenario applies here, where the UEBA could detect deviations from how the user usually operates and flag it for review.
  • Brute-force Attacks: Repeated failed attempts to guess passwords or gain access to a system can indicate an attacker, or an employee, trying to reach systems they are not authorized to use. UEBA can detect and flag this behavior, which may be the first visible stage of a larger attack or fraud.
  • Privilege Abuse and Misuse: Users with high privileges within an environment carry a higher level of risk than traditional employees. They can be socially engineered into handing over their credentials or attempting to abuse the access themselves. A UEBA solution can detect if an admin-level user behaves in a way that is different from their traditional activities, leading to early detection of malintent.
  • Privilege Escalation: Once attackers have a foothold in an environment, one of their first moves is usually to elevate their privileges, which lets them reach more systems and entrench themselves. UEBA can detect such elevation and proactively flag permission changes to the security team.
  • Unauthorized Data Access & Exfiltration: Data leakage is another crucial risk area that is often difficult to defend against. Employees can attempt to circumvent the organization’s policies by exfiltrating data, or the same can be part of a more significant cyberattack. UEBA can detect such data transfers and sound an early alarm to avert a potential data breach.
  • Automated Risk Prioritization: UEBA recognizes that not all events are equal and prioritizes its alerts based on intelligent risk scoring. This enables cybersecurity teams to focus on those events that require immediate attention and prevents them from drowning in “alert fatigue.”

These scenarios highlight the versatility of UEBA as a security component and its ability to adapt to different types of security scenarios within an organization.
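To make the three phases and the insider-threat use case concrete, here is an added toy pipeline. It is example code written for this article, not InsiderSecurity's product code: it parses constructed log lines in a made-up `time|user|action|src_ip|bytes` format, builds a per-user baseline of active hours, source IPs and download sizes, then scores a second batch of events and ranks the resulting alerts by risk score. The sample events, the scoring weights and the alert threshold are all assumptions chosen for the demo.

```python
"""Toy UEBA pipeline: ingest, baseline, monitor, prioritise.

Added example written for this article; it is not InsiderSecurity's product
code. The log format (time|user|action|src_ip|bytes), the sample events and
the risk weights are all constructed for the demo."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed learning-period events: ordinary office-hours activity.
BASELINE_LOG = """\
2025-03-03T09:12:00|alice|login|10.0.1.15|0
2025-03-03T10:40:00|alice|download|10.0.1.15|52000
2025-03-04T09:05:00|alice|login|10.0.1.15|0
2025-03-04T14:20:00|alice|download|10.0.1.15|61000
2025-03-05T08:55:00|alice|login|10.0.1.16|0
2025-03-05T16:10:00|alice|download|10.0.1.16|48000
2025-03-03T08:30:00|bob|login|10.0.2.7|0
2025-03-03T11:00:00|bob|download|10.0.2.7|900000
2025-03-04T08:45:00|bob|login|10.0.2.7|0
2025-03-04T15:30:00|bob|download|10.0.2.7|1100000
2025-03-05T09:00:00|bob|login|10.0.2.8|0
2025-03-05T13:15:00|bob|download|10.0.2.8|950000
"""

# Constructed monitoring-period events: bob is normal; alice's account is used
# at 02:45 from an outside address to pull far more data than usual and then
# change privileges, the pattern of an insider or a hijacked account.
MONITOR_LOG = """\
2025-03-10T09:10:00|alice|login|10.0.1.15|0
2025-03-10T11:00:00|alice|download|10.0.1.15|55000
2025-03-11T02:45:00|alice|login|203.0.113.9|0
2025-03-11T02:50:00|alice|download|203.0.113.9|4800000
2025-03-11T02:55:00|alice|privilege_change|203.0.113.9|0
2025-03-10T08:40:00|bob|login|10.0.2.7|0
2025-03-10T14:00:00|bob|download|10.0.2.7|1000000
"""


def parse(log):
    """Ingestion: turn raw lines into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, action, ip, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "ip": ip, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Baselining: per user, the hours, source IPs and download sizes seen."""
    profile = defaultdict(lambda: {"hours": set(), "ips": set(), "downloads": []})
    for e in events:
        p = profile[e["user"]]
        p["hours"].add(e["ts"].hour)
        p["ips"].add(e["ip"])
        if e["action"] == "download":
            p["downloads"].append(e["bytes"])
    return profile


def score_event(e, profile):
    """Monitoring: compare one event with its user's profile. Returns
    (risk score, reasons); the weights are illustrative, not tuned."""
    p = profile.get(e["user"])
    if p is None:
        return 70, ["no baseline for this user"]
    score, reasons = 0, []
    if e["ip"] not in p["ips"]:
        score += 40
        reasons.append(f"new source IP {e['ip']}")
    hour = e["ts"].hour
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        score += 30
        reasons.append(f"activity at unusual hour {hour:02d}:00")
    if e["action"] == "download" and p["downloads"]:
        mu, sd = mean(p["downloads"]), pstdev(p["downloads"])
        # Floor the spread so a flat baseline still tolerates normal jitter.
        if e["bytes"] > mu + 3 * max(sd, 0.1 * mu):
            score += 50
            reasons.append(f"download of {e['bytes']} bytes vs baseline mean {mu:.0f}")
    if e["action"] == "privilege_change":
        score += 60
        reasons.append("privilege change")
    return score, reasons


def detect(baseline_log, monitor_log, threshold=50):
    """Run the pipeline and return alerts ranked by risk score."""
    profile = build_baseline(parse(baseline_log))
    alerts = []
    for e in parse(monitor_log):
        score, reasons = score_event(e, profile)
        if score >= threshold:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "action": e["action"], "score": score, "reasons": reasons})
    alerts.sort(key=lambda a: a["score"], reverse=True)  # risk prioritisation
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_LOG, MONITOR_LOG):
        print(a["score"], a["user"], a["ts"], a["action"], "; ".join(a["reasons"]))
```

Run as-is, it raises three alerts, all for alice's 02:45 session, with the privilege change ranked first because it stacks the new-IP, odd-hour and privilege weights; bob's 1 MB download, large in absolute terms, is silent because it sits inside his own baseline. That is the point of baselining per user rather than applying one global threshold, and the reason the baseline has to be rebuilt as behavior drifts.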

How InsiderSecurity can help with Automated UEBA

Cyberattacks are increasing in complexity every year, and it is clear that UEBA is one of the most critical controls to implement to protect against today’s advanced attacks. InsiderSecurity’s Automated UEBA can help protect your organization with its unique features that set it apart from SIEMs:

  • Comprehensive Defense: The ability to protect data both on-premises and in the cloud provides a consolidated line of defense against attacks. Cybersecurity teams can obtain clear visibility into how data is accessed, used, and moved between environments.
  • Advanced Threat Detection: Automated UEBA leverages advanced machine learning algorithms to detect suspicious activity at both the user and network levels, empowering cybersecurity teams to take swift remedial action.
  • Cost Savings: Reduced raw log volumes and fewer analysts needed to review them translate into lower manpower costs.

Our solution addresses today’s modern threats and enables organizations to reduce the risk of security events without compromising productivity. UEBA is a crucial strategic control in any modern environment, and we are here to guide you through this essential journey with our state-of-the-art solution.

InsiderSecurity recognised as one of Singapore’s Fastest Growing Companies by The Straits Times

Singapore, 21 Feb 2025 – InsiderSecurity has been recognised as one of Singapore’s Fastest Growing Companies in 2025 by The Straits Times and Statista. This milestone underscores InsiderSecurity’s commitment to innovation and growth in Asia’s cybersecurity landscape.
Read our full story in The Straits Times

Driving Growth with Cutting-Edge Cybersecurity Solutions

Founded and headquartered in Singapore, InsiderSecurity is an award-winning cybersecurity software company with a mission to simplify cybersecurity across Asia. The company’s cutting-edge solutions, including CSX, Database Activity Monitor (DAM), and Smart Log Review, are trusted by government agencies, critical information infrastructure (CII) providers, and major enterprises.

InsiderSecurity’s engineering team, deeply rooted in the ASEAN region, ensures that its solutions are not only technologically advanced but also tailored to address the challenges faced by organisations in this fast-evolving digital economy.

Pioneering Achievements

InsiderSecurity stands out as the first cybersecurity software company in ASEAN to achieve CSA STAR Level 2 certification, the global standard in cloud security, together with ISO 27001 accreditation for information security management.

Additionally, the company was the first to be accredited by Singapore’s Infocomm Media Development Authority (IMDA) in the key cybersecurity area of User and Entity Behavior Analytics (UEBA), highlighting its expertise in stopping sophisticated threats.

This forward-thinking approach has earned InsiderSecurity industry-wide recognition, solidifying its reputation as a leader in cybersecurity innovation.

Expanding into ASEAN Markets

With offices in Singapore and Malaysia, InsiderSecurity is poised to expand its reach across Asia. The region’s rapid digitalisation and increasing focus on cybersecurity present significant growth opportunities. By leveraging its expertise, InsiderSecurity aims to become a key cybersecurity software partner for organisations navigating complex regulatory environments and emerging cyber threats.

Recognition as a Fast-Growing Company

Being named one of Singapore’s Fastest Growing Companies for 2025 reflects InsiderSecurity’s exceptional trajectory of growth and its ability to deliver value to clients. This recognition reinforces the company’s leadership position in Asia’s cybersecurity landscape.

Looking Ahead

InsiderSecurity’s mission is to provide technology that simplifies cybersecurity in Asia and beyond. With a relentless focus on innovation and a deep understanding of the region’s cybersecurity needs, InsiderSecurity is positioned to help organisations stay secure in a rapidly evolving digital world.

For more information on InsiderSecurity and its solutions, visit www.insidersecurity.co.


About Singapore’s Fastest Growing Companies

The Straits Times and Statista annually recognise the fastest-growing companies in Singapore. The ranking serves as a benchmark for innovation and excellence in business.

About InsiderSecurity

InsiderSecurity is an award-winning cybersecurity software company based in Singapore and Malaysia. It is the first in ASEAN to achieve CSA STAR Level 2 certification and ISO 27001 accreditation and is a pioneer in User and Entity Behavior Analytics (UEBA) accredited by Singapore’s IMDA. Its innovative solutions are trusted by government agencies, critical infrastructure, and leading enterprises.

CapitalOne data breach: How SSRF vulnerability exposed 100 million customer records

Introduction

Although the Capital One breach occurred in 2019, the methodology and the lessons learned remain highly relevant today. In 2019, Capital One, a US-based bank, suffered a massive data breach in which more than 100 million customer records stored in a private S3 bucket were accessed. The attack was carried out by a former AWS employee who exploited a misconfigured web application firewall (WAF) in Capital One's AWS environment, leveraging insider knowledge of how AWS services work.

As a result of this breach, Capital One agreed to pay $80 million to settle federal bank regulators’ claims that it lacked proper cybersecurity protocols, highlighting the severe repercussions of inadequate cloud security measures.

This article delves into the specifics of the data exposure, offering an easy-to-understand guide with illustrative details. We also provide guidelines for detection and prevention to help safeguard against similar cloud security threats.

What happened in the CapitalOne data breach?

  1. The threat actor exploited a server-side request forgery (SSRF) weakness in Capital One's misconfigured WAF to reach the AWS instance metadata service
  2. From the metadata service, the threat actor obtained the temporary credentials of the IAM role attached to the WAF instance
  3. Using those credentials with the AWS CLI, the threat actor listed and copied data from the S3 buckets the role could read

SSRF lets an attacker make the vulnerable server issue requests to a destination of the attacker's choosing, including internal addresses such as the metadata service that are unreachable from the internet. It is a well-known class of vulnerability, listed in the OWASP Top 10 (A10:2021). At least four SSRF vulnerabilities were patched in Azure cloud services in January 2023 alone, and threat actors will continue to exploit this class of flaw.

Mapping the attack to MITRE ATT&CK framework

The attack maps to the following tactics, techniques, and procedures (TTPs) in MITRE ATT&CK.

What is the metadata service?

The AWS instance metadata service (IMDS) is an essential component for compute instances running in AWS. It provides information about the instance and its environment and is reached over a link-local IP address (169.254.169.254) that is only routable from the instance itself. It exposes metadata such as:

  • Instance ID
  • Security group name
  • Public IP of the instance

Accessing http://169.254.169.254/latest/meta-data from within a virtual machine returns this information. It also works from within a container or pod running on Amazon Elastic Kubernetes Service (EKS) worker nodes, unless the node's IMDS hop limit is set to 1 or pod traffic to that address is blocked, which is why pods can otherwise inherit the node role's credentials.

What sensitive information can be leaked from the AWS metadata service?

If an IAM instance profile is attached to the EC2 instance, requesting http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name> from within the instance returns temporary credentials issued by the Security Token Service (STS): an access key ID, a secret access key and a session token, with an expiry. This mechanism lets developers avoid hard-coding credentials into the application: they attach the instance profile, and the application (or the AWS SDK on its behalf) requests short-lived credentials only when needed and refreshes them before expiry. The same convenience is what made the SSRF so damaging: anything that can make the instance issue an HTTP GET to that address can read the credentials, unless the instance enforces IMDSv2, which requires a session token obtained with a PUT request first.

The following is an example of the response returned by the metadata service when curl is run from within an EC2 instance with an instance profile attached (values redacted). Note that this is the IMDSv1 form: a plain GET with no token header, exactly what an SSRF can reproduce.

ubuntu@ip-xxx-xx-xx-x:~$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2_ROLE_NAME

{
"Code" : "Success",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIA5A6XXXXXXXIFH5UQ",
"SecretAccessKey" : "sXXXXXXXXXXkBcJunpyR",
"Token" : "AgoXXX--SNIP--XXXs=",
"Expiration" : "2024-08-04T03:16:50Z"
}

With these credentials, the threat actor could simply configure the AWS CLI and start listing (and, with aws s3 cp or aws s3 sync, copying) the bucket contents. The set lines below are Windows cmd syntax; on Linux or macOS use export instead:

> set AWS_ACCESS_KEY_ID=Stolen_Access_Key
> set AWS_SECRET_ACCESS_KEY=Stolen_Secret_key
> set AWS_SESSION_TOKEN=Stolen_Token
> aws s3 ls s3://bucket-name
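The following added example illustrates both ends of the chain described above. It is not Capital One's or AWS's code: `vulnerable_check` stands in for a proxy or WAF feature that forwards requests wherever the client asks, `hardened_check` is the allowlist-plus-address-class guard such a feature should have had, and `simulated_imds` is an in-process stand-in for the metadata endpoint that reproduces the IMDSv1 versus IMDSv2 behaviour (token obtained by PUT, then presented on every GET), so the whole thing runs offline. `ALLOWED_HOSTS`, the role name and the token value are assumptions made up for the demo.

```python
"""SSRF -> IMDS chain: the vulnerable proxy check, a hardened one, and why
IMDSv2 would have stopped a GET-only SSRF. Added example; not Capital One's
or AWS's code. ALLOWED_HOSTS and the token value are constructed for the demo."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of upstreams the proxy feature is meant to reach.
ALLOWED_HOSTS = {"status.example.com"}
IMDS_V4 = "169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
DEMO_TOKEN = "AQAAAdemo-session-token"  # constructed, not a real IMDS token


def vulnerable_check(url):
    """Before: forward to whatever host the client named. This is the SSRF."""
    return True, urlsplit(url).hostname


def hardened_check(url):
    """After: hostnames must be allowlisted; literal IPs must be public and
    routable. Resolving a hostname and re-checking every resolved address
    (DNS rebinding) is still needed in production and is omitted here."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host"
    if host in ALLOWED_HOSTS:
        return True, host
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False, f"hostname {host} is not on the allowlist"
    if (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return False, f"{ip} is not a routable public address"
    return True, host


def simulated_imds(method, path, headers, version):
    """In-process stand-in for the metadata endpoint.
    IMDSv1: any GET is answered. IMDSv2: a session token must first be
    obtained with a PUT carrying a TTL header, then presented on every GET."""
    if version == 2:
        if method == "PUT" and path == "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                return 400, "missing TTL header"
            return 200, DEMO_TOKEN
        if headers.get("X-aws-ec2-metadata-token") != DEMO_TOKEN:
            return 401, "Unauthorized"
    if method == "GET" and path.startswith(CREDS_PATH):
        return 200, '{"Code": "Success", "AccessKeyId": "ASIAEXAMPLE...", "Token": "..."}'
    return 404, "Not Found"


def ssrf_probe(version):
    """What an attacker's GET bounced through the proxy receives."""
    status, _ = simulated_imds("GET", CREDS_PATH + "role-name", {}, version)
    return status


def legitimate_v2_fetch():
    """The two-step flow an on-instance SDK performs under IMDSv2."""
    status, token = simulated_imds("PUT", "/latest/api/token",
                                   {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}, 2)
    assert status == 200
    status, _ = simulated_imds("GET", CREDS_PATH + "role-name",
                               {"X-aws-ec2-metadata-token": token}, 2)
    return status


if __name__ == "__main__":
    url = f"http://{IMDS_V4}{CREDS_PATH}"
    print("vulnerable:", vulnerable_check(url))
    print("hardened:  ", hardened_check(url))
    print("SSRF vs IMDSv1:", ssrf_probe(1), " SSRF vs IMDSv2:", ssrf_probe(2))
    print("legitimate IMDSv2 flow:", legitimate_v2_fetch())
```

Two design points are worth noting. The hardened check treats the IPv6 metadata address (fd00:ec2::254) and loopback the same way as 169.254.169.254, because a denylist of one literal IP is trivially bypassed; an allowlist of the hosts the feature actually needs is the real fix, and the address-class test is defence in depth for the literal-IP case. And the IMDSv2 simulation shows why enforcing it (the instance's HttpTokens setting) is such an effective mitigation: most SSRF primitives can only make the server issue a GET with attacker-controlled URL, not a PUT with a custom header, so the credential read fails with 401 even though the SSRF itself is unfixed.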

How to detect?

There are multiple opportunities for detection. Walking through the timeline, the earlier stages leave traces too: web server or WAF logs showing the application making requests to 169.254.169.254 (Stage 1), and CloudTrail records in which the instance role's temporary credentials are used from a source IP that is not the instance's own (Stage 2); AWS GuardDuty raises a dedicated finding, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS, for that pattern. In Stage 3, when the attacker was accessing the S3 bucket, the activity can be detected by:

  1. Detecting file access anomalies in S3, such as a spike in object reads or access to buckets the principal has never touched before
  2. Detecting logins and API calls from unusual IPs or locations

Summary of detection strategies

Below is a summary table outlining the threats demonstrated by the threat actor on the cloud and the corresponding detection strategies.

Threats | Detection strategies | Stage in illustration
--- | --- | ---
Threat actor accessing the S3 bucket with the stolen API key | Detect logins from unusual locations. Detect a spike in data access in S3. | 3
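The detection strategies in the table, run over constructed CloudTrail-style records as an added example (not InsiderSecurity's or AWS's code). Where the UEBA example earlier on this page baselines a human user's hours and volumes, this one targets the specific Stage 2/3 signals of this breach: an EC2 instance role's session (the session name is the instance ID) appearing from an IP that is not the instance's own, and the role making an API call or touching a bucket it has never used before. The account ID, role, instance ID, bucket names, IPs and the `INSTANCE_PUBLIC_IP` inventory are all made up; the record shape follows CloudTrail's `userIdentity`, `sourceIPAddress` and `requestParameters.bucketName` fields, and `sessionContext.ec2RoleDelivery` is the CloudTrail field that records whether the instance credentials came via IMDSv1 ("1.0") or IMDSv2 ("2.0").

```python
"""Detection for the stolen-instance-credential stage, run over constructed
CloudTrail-style records. Added example, not InsiderSecurity's or AWS's code.
Account ID, role, instance ID, bucket names and IPs are all made up."""
from collections import defaultdict

# Constructed inventory: EC2 role-session name (the instance ID) -> the
# instance's own public IP. In practice this comes from your asset inventory.
INSTANCE_PUBLIC_IP = {"i-0abc123def4567890": "198.51.100.20"}


def ct_event(time, name, source_ip, bucket=None, delivery="1.0"):
    """Build a minimal CloudTrail-shaped record for an EC2 instance role."""
    rec = {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": source_ip,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/waf-instance-role/i-0abc123def4567890",
            "sessionContext": {"ec2RoleDelivery": delivery},
        },
    }
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return rec


# A normal week: the WAF instance only reads its own config bucket, from its own IP.
BASELINE_EVENTS = [
    ct_event("2025-03-01T09:00:00Z", "ListObjects", "198.51.100.20", "waf-config"),
    ct_event("2025-03-01T09:00:01Z", "GetObject", "198.51.100.20", "waf-config"),
    ct_event("2025-03-02T09:00:00Z", "GetObject", "198.51.100.20", "waf-config"),
]

# The day under review: the instance's credentials also appear from an outside IP.
REVIEW_EVENTS = [
    ct_event("2025-03-22T09:00:00Z", "GetObject", "198.51.100.20", "waf-config"),
    ct_event("2025-03-22T21:14:03Z", "ListBuckets", "203.0.113.45"),
    ct_event("2025-03-22T21:15:10Z", "ListObjects", "203.0.113.45", "customer-data"),
    ct_event("2025-03-22T21:16:42Z", "GetObject", "203.0.113.45", "customer-data"),
]


def role_and_session(event):
    """arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> (ROLE, SESSION)."""
    tail = event["userIdentity"]["arn"].rpartition("assumed-role/")[2]
    role, _, session = tail.partition("/")
    return role, session


def learn_api_usage(events):
    """Baseline: which (API call, bucket) pairs each role normally makes."""
    seen = defaultdict(set)
    for e in events:
        role, _ = role_and_session(e)
        bucket = e.get("requestParameters", {}).get("bucketName")
        seen[role].add((e["eventName"], bucket))
    return seen


def analyse(events, seen):
    """Flag instance-role sessions used from somewhere other than the instance,
    and API/bucket combinations the role has never used before."""
    findings = []
    for e in events:
        role, session = role_and_session(e)
        reasons = []
        expected_ip = INSTANCE_PUBLIC_IP.get(session)
        if expected_ip and e["sourceIPAddress"] != expected_ip:
            reasons.append(f"credentials of {session} used from {e['sourceIPAddress']}, "
                           f"instance IP is {expected_ip}")
        bucket = e.get("requestParameters", {}).get("bucketName")
        if (e["eventName"], bucket) not in seen.get(role, set()):
            reasons.append(f"first {e['eventName']} on bucket {bucket} by {role}")
        # Context, not a finding on its own: tells the responder the instance
        # still allowed IMDSv1, so the credentials were readable by a plain GET.
        if reasons and e["userIdentity"]["sessionContext"].get("ec2RoleDelivery") == "1.0":
            reasons.append("credentials were issued via IMDSv1 (no session token)")
        if reasons:
            findings.append({"eventTime": e["eventTime"], "eventName": e["eventName"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(REVIEW_EVENTS, learn_api_usage(BASELINE_EVENTS)):
        print(f["eventTime"], f["eventName"], "|", "; ".join(f["reasons"]))
```

The instance's own 09:00 read of waf-config produces nothing, while the three off-instance calls each carry both reasons. The IP comparison is the higher-fidelity signal: an EC2 instance role's credentials have no legitimate reason to be used from anywhere but that instance (or the VPC endpoint it egresses through), so a mismatch is close to a certainty rather than an anomaly score, which is why GuardDuty treats it as a dedicated finding. The first-seen API/bucket check is noisier but catches the reconnaissance (ListBuckets) that typically precedes the bulk read.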

Staying ahead of cyber threats

In a world where cyber threats like the CapitalOne breach can compromise millions of records, staying ahead of attackers requires cutting-edge solutions. InsiderSecurity empowers businesses with advanced cybersecurity behavior analytics to safeguard both on-premise and cloud infrastructures.

Innovative solutions for cloud security

CSX is designed to detect and respond to sophisticated attacks like those seen in the Capital One incident. Here's how CSX ensures robust security:

  • Unusual Login Detection: CSX triggers alerts for logins from unfamiliar IP addresses.
    Figure: CSX alert identifying login anomalies
    Figure: Remediation steps for login anomalies
  • Data Access Monitoring: By flagging unusual spikes or irregular access patterns in S3 buckets, CSX helps stop unauthorized data exposure before it becomes a full exfiltration.
    Figure: Detailed view of anomalous S3 bucket activity detected by CSX
    Figure: Recommendations for mitigating data access anomalies

Actionable Recommendations

What sets InsiderSecurity apart is its ability to provide actionable recommendations immediately after detecting threats. By combining real-time detection with actionable recommendations, InsiderSecurity ensures your team can mitigate threats efficiently and effectively.
