Ransomware, Cloud Security, Endpoint/Device Security

Microsoft Global SaaS account leveraged in SharePoint Online ransomware attack

Microsoft SharePoint Online has been impacted by a ransomware attack by the Omega threat operation that leveraged a compromised Microsoft Global SaaS admin account rather than a compromised endpoint, reports SecurityWeek. Infiltration of SharePoint Online was followed by the creation of a new Active Directory with escalated privileges, with Omega removing more than 200 existing administrators within two hours before proceeding with the theft of hundreds of files, according to a report from Obsidian. However, file exfiltration was followed by thousands of PREVENT-LEAKAGE.txt file uploads rather than file encryption. "We expect this trend to grow. The attacker invested the time to build automation for this attack, which implies a desire to use this capability in the future. We also suspect it will grow because there are few companies with a strong SaaS security program, whereas many companies are well invested in endpoint security products," said researchers, who also noted the importance of multi-factor authentication in preventing such intrusions.
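As an added example (not from SC Media, SecurityWeek or Obsidian), the two behaviours reported above, bulk administrator removal inside a two-hour window and mass uploads of a single file name, can be flagged from audit events. The event schema, operation names, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed, simplified schema: (time, actor, operation, target).
# Operation names are placeholders, not real audit-log values.

def sample_events():
    """Constructed events shaped like the reported sequence, plus benign noise."""
    t0 = datetime(2000, 1, 1, 9, 0)  # arbitrary constructed date
    ev = [(t0 + timedelta(seconds=30 * i), "new-account", "admin_removed", f"admin{i}")
          for i in range(210)]
    ev += [(t0 + timedelta(hours=3, seconds=i), "new-account", "file_uploaded",
            f"/sites/s{i}/PREVENT-LEAKAGE.txt") for i in range(1000)]
    ev += [(t0, "helpdesk", "admin_removed", "old1"),
           (t0 + timedelta(hours=1), "helpdesk", "admin_removed", "old2")]
    ev += [(t0, "alice", "file_uploaded", f"/sites/hr/v{i}/report.docx") for i in range(3)]
    return ev

def mass_admin_removal(events, window=timedelta(hours=2), threshold=50):
    """Map actor -> peak number of admin removals inside any sliding window."""
    by_actor = defaultdict(list)
    for t, actor, op, _ in events:
        if op == "admin_removed":
            by_actor[actor].append(t)
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        lo = best = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # shrink until the window fits
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[actor] = best
    return flagged

def repeated_upload(events, threshold=100):
    """Map (actor, file name) -> count where one name is uploaded many times."""
    counts = Counter()
    for _, actor, op, target in events:
        if op == "file_uploaded":
            counts[(actor, target.rsplit("/", 1)[-1])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    events = sample_events()
    print(mass_admin_removal(events))
    print(repeated_upload(events))
```

Routine activity in the sample (two removals by a helpdesk account, three uploads of one document) stays below both thresholds, so only the burst is reported.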
