The threat actor is ready for their big move—they might have gotten in the bank’s front door after hours, but they still need a way into the vault.
In the case of laterally moving toward SaaS data, they have a few powerful options. They can send internal spear phishing messages to trick administrators into giving them higher privileges—even temporary ones—to perform a specific task. They might even reconfigure an existing service account to assign access privileges to one or more SaaS apps under your SSO umbrella.
Either way, getting into the systems you use to manage identity and credentials on-premises is more than enough for the last phase of their attack.
Access your SaaS data!
With identity and credentials in hand, the threat actor has everything they need—not just to access a single SaaS platform, but everything you’ve conveniently tied together with SSO. The convenience you established for your IT and DevOps team also becomes convenience for the threat actor.
What lateral movement angles should you be most aware of?
In the roadmap above, we mentioned two types of accounts often found on on-premises identity and access solutions like AD, which create significant risk to your SaaS data.