
Multi-Account Hijack Detection with AI

Have you ever wondered how hackers silently penetrate multiple accounts within your organization without triggering alarms? With the growing adoption of SaaS platforms like Microsoft 365, cybercriminals are finding new ways to launch persistent, multi-account hijacking attacks, and traditional security measures, including Multi-Factor Authentication (MFA) and zero-trust frameworks, often fall short in detecting them.

In this blog, we’ll analyze a real cyberattack on a European real estate company in which attackers hijacked multiple Microsoft 365 accounts. We’ll also explore how AI-powered cybersecurity tools detected and neutralized the threat, preventing further damage.

How Multi-Account Hijacking Threatens SaaS Security

SaaS-based attacks take advantage of the limited visibility and control many IT teams have over their cloud environments. Unlike traditional software, SaaS security is largely managed by the third-party vendor, leaving security teams with limited control. Attackers exploit these gaps to compromise multiple user accounts, enabling them to:

  • Launch phishing campaigns from trusted internal emails.
  • Maintain persistence using alternative accounts.
  • Bypass traditional security tools by “living off the land.”
  • Exploit cloud applications like Microsoft Teams for social engineering.

By spreading their activity across multiple accounts on the same domain and over time, attackers make detection far more challenging. This is exactly what happened in our case study.

Microsoft 365 Accounts Hijack Attack

The targeted organization had 5,000 devices and 1,000 active SaaS accounts. The attacker’s operation spanned three separate days, with each compromised Microsoft 365 account providing a foothold for further intrusion.

1. Initial Breach

The attacker first gained access to two Microsoft 365 user accounts, Account A and Account B. The login credentials had been obtained through phishing and from illegal marketplaces on the dark web. To hide their location, the attacker logged in through a VPN from an unexpected region. Darktrace’s AI flagged these logins as unusual because they deviated from the accounts’ normal behavior.

Account A gave the attacker access to files containing customer data, but it remained largely idle for the rest of the breach. In Account B, the attacker created a new inbox rule, which generated a high-severity alert. Three hours later, they launched a phishing campaign from Account B, sending emails disguised as OneDrive file shares.

The phishing emails linked to a fake Microsoft login page designed to harvest additional credentials. Antigena Email detected the abnormal email volume, but because it was deployed in passive mode it could not block the messages. The security team pieced the attack together once Account B was locked out. The attacker then tried to bypass MFA using legacy authentication, an attempt that Darktrace prevented.

2. Expanding the Attack

On the second day, the attacker shifted their approach by accessing Account C, which turned out to be a recipient of the phishing email sent from Account B.

By using this newly hijacked account, they continued their attack:

  • Files were previewed to harvest more contact information.
  • New inbox rules were created to hide suspicious activity from the mailbox owner.
  • Numerous failed login attempts were made from different locations.

The attacker then used Account C as a stepping stone to break into two more accounts, Account D and Account E. The unusual logins and unauthorized inbox changes generated further alerts for the system administrators.

3. Desperate Attempts and Final Lockout

With most of their activity now detected and blocked, the attacker returned to Account A, which had attracted the least attention. They created another inbox rule and sent a new round of phishing emails, this time themed around Tresorit, a non-Microsoft cloud storage service.

Darktrace also identified an irregular access attempt into Microsoft Teams by the attacker. This suggested an attempt at social engineering through chat messages to extract sensitive data from employees.

By this point, the AI-driven security systems had identified every anomaly and raised alerts for the security team. The attacker made one last login attempt the following day, which failed completely.

Analyzing the Attack Tactics

The hacker employed multiple techniques to evade detection:

  1. Using multiple accounts: Instead of relying on a single compromised account, they spread their activities across several accounts to stay under the radar.
  2. Leveraging SaaS tools: They used Microsoft 365 services like OneDrive and Teams, blending in with normal employee activity.
  3. Employing multiple VPNs: The attack originated from at least three different geographical locations, with VPNs used to mask the attacker’s true identity.
  4. Attempting MFA bypass: After losing access to compromised accounts, they tried to use outdated authentication methods to regain control.
  5. Utilizing social engineering: Logging into Microsoft Teams suggested a pivot toward phishing via chat-based messages.

How AI Stopped the Attack in Real-Time

Traditional security tools struggle to track multi-account hijacking because they rely on static rules and known threat signatures. In this case, AI-powered security solutions played a crucial role in detecting and stopping the attack:

  • Firstly, Darktrace AI flagged unusual login locations, inbox rule modifications, and account takeovers.
  • Then, Cyber AI Analysts automatically connected scattered security events into a meaningful investigation.
  • Finally, Antigena SaaS (when activated) could have autonomously blocked the attack by enforcing normal user behavior, preventing unauthorized logins and suspicious actions.

Without AI-driven security, the attacker could have remained undetected for much longer, possibly exfiltrating sensitive data.
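As an added illustration (not code from the original post, nor Darktrace’s own logic), the correlation step described above can be sketched in Python: constructed Microsoft 365 audit-style events for Accounts A to E are scored per account, and accounts are linked whenever a recipient of an outbound mail burst later logs in from outside its baseline countries. The baseline countries, the burst threshold and the event format are assumptions.

```python
from collections import defaultdict

# Constructed Microsoft 365 audit-log style events (not real data):
# (day, account, operation, "key=value,..." detail)
EVENTS = [
    (1, "A", "UserLoggedIn", "country=RO"),
    (1, "B", "UserLoggedIn", "country=RO"),
    (1, "B", "New-InboxRule", "name=.,action=MoveToDeletedItems"),
    (1, "B", "Send", "to=C"), (1, "B", "Send", "to=D"),
    (1, "B", "Send", "to=E"), (1, "B", "Send", "to=F"),
    (2, "C", "UserLoggedIn", "country=NG"),
    (2, "C", "New-InboxRule", "name=..,action=MoveToDeletedItems"),
    (2, "D", "UserLoggedIn", "country=NG"),
    (3, "A", "New-InboxRule", "name=Rule,action=MoveToDeletedItems"),
]
# Assumed per-account baseline: countries seen during normal use.
BASELINE = {"A": {"DE"}, "B": {"DE"}, "C": {"DE", "AT"}, "D": {"DE"}, "E": {"DE"}}
SEND_BURST = 3  # assumed threshold for an outbound mail burst

def _kv(detail):
    return dict(item.split("=", 1) for item in detail.split(","))

def score_accounts(events, baseline):
    """Per-account findings plus (sender, recipient) links where a recipient
    of a mail burst shows an out-of-baseline login (the A/B -> C -> D/E pattern)."""
    findings = defaultdict(list)
    recipients = defaultdict(list)
    for day, acct, op, detail in events:
        kv = _kv(detail)
        if op == "UserLoggedIn" and kv["country"] not in baseline.get(acct, set()):
            findings[acct].append(("unusual_login", day, kv["country"]))
        elif op == "New-InboxRule":
            findings[acct].append(("inbox_rule", day, kv["action"]))
        elif op == "Send":
            recipients[acct].append(kv["to"])
    chain = []
    for sender, rcpts in recipients.items():
        if len(rcpts) < SEND_BURST:
            continue
        findings[sender].append(("mail_burst", len(rcpts)))
        for r in rcpts:
            if any(f[0] == "unusual_login" for f in findings.get(r, [])):
                chain.append((sender, r))
    return dict(findings), chain

def likely_hijacked(findings):
    """Accounts with two or more distinct finding types; one anomaly alone stays a lead."""
    return sorted(a for a, fs in findings.items() if len({f[0] for f in fs}) >= 2)
```

On the constructed events, Accounts A, B and C are reported as likely hijacked and the chain B -> C and B -> D shows the phishing campaign feeding the second-day logins.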

Final Thoughts

SaaS-based attacks are increasing in frequency, and cybercriminals are adopting multi-account hijacking as a preferred tactic. Where traditional security methods fall short, AI-based tools deliver real-time threat identification that can confront today’s advanced security risks.

AI enables organizations to analyze abnormal activity in their cloud systems and stop attacks in progress before they inflict damage, while protecting cloud infrastructure from continuously changing security risks. This case demonstrates that cybersecurity requires prevention, proactive detection, and fast response in equal measure.
