Number: AL26-010
Date: May 1, 2026
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Summary
The Cyber Centre is aware of ongoing malicious cyber activity attributed to financially motivated threat actors. Since mid‑2025, this activity has demonstrated a marked shift toward social‑engineering‑driven initial access, targeting enterprise identity services and software‑as‑a‑service (SaaS) platforms.
Rather than exploiting software vulnerabilities, these campaigns rely on voice phishing (vishing), brand impersonation, credential harvesting, and abuse of help‑desk processes to compromise user identities and gain access to cloud‑hosted data and services. Once access is achieved, actors focus on data exfiltration and extortion, often without deploying malware, complicating detection and response efforts.
Technical Details
Initial Access
Recent campaigns reveal that these actors gain initial access through direct interaction with targeted employees and support personnel. Common techniques include:
Voice phishing (vishing) and social engineering:
Threat actors impersonate internal IT staff, identity providers, or trusted vendors, contacting employees by phone and claiming urgent account or Multi-factor Authentication (MFA) changes are required. Victims are instructed to authenticate to attacker-controlled portals.
Signs Vishing was used:
- User reports of unsolicited IT support calls involving platform troubleshooting.
- OAuth token created at a time aligned with a suspicious or unverifiable call.
- A new connected app appears in audit logs with vague names such as “Support Tool” or “Data Loader.”
- User session history shows an OAuth authorization the user does not recognize.
- Immediate token use from foreign IPs, Virtual Private Network (VPN) endpoints, or TOR nodes seconds to minutes after creation.
- Identity verification logs show no MFA challenge because the OAuth authorization flow bypassed it.
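The signs above can be correlated automatically from identity-provider audit logs. The following is an added example, not Cyber Centre tooling: it takes constructed consent and API-use events, a constructed list of corporate egress ranges, and a constructed list of users who reported an unsolicited "IT support" call, and flags connected-app authorizations that match several indicators at once (vague app name, no MFA at authorization, proximity to a reported call, first token use from an outside IP within minutes). The event field names are assumptions to be mapped onto your provider's schema.

```python
"""Correlate OAuth connected-app authorizations with vishing indicators.

Added example (not Cyber Centre tooling). Event field names, the corporate
network ranges and the reported-call list are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit events. 'oauth.consent' is the user authorizing a
# connected app; 'api.call' is that app using the resulting token.
SAMPLE_EVENTS = [
    {"ts": "2026-04-28T14:02:10", "type": "oauth.consent", "user": "alice",
     "app": "Support Tool", "ip": "198.51.100.7", "mfa": False},
    {"ts": "2026-04-28T14:03:05", "type": "api.call", "user": "alice",
     "app": "Support Tool", "ip": "203.0.113.44"},
    {"ts": "2026-04-28T09:15:00", "type": "oauth.consent", "user": "bob",
     "app": "Corporate Expense App", "ip": "192.0.2.10", "mfa": True},
    {"ts": "2026-04-28T11:40:00", "type": "api.call", "user": "bob",
     "app": "Corporate Expense App", "ip": "192.0.2.10"},
]
# Constructed: corporate egress ranges, and help-desk tickets in which a user
# reported an unsolicited "IT support" call (user -> time of the call).
CORP_NETS = [ip_network("192.0.2.0/24")]
REPORTED_CALLS = {"alice": datetime(2026, 4, 28, 13, 50)}
# Words that, on their own, say nothing about what an app actually does.
GENERIC_WORDS = {"support", "tool", "data", "loader", "helper", "utility",
                 "app", "sync", "import", "export", "service"}


def is_generic_name(app_name):
    """True when every word of the app name is filler ('Support Tool', 'Data Loader')."""
    words = app_name.lower().replace("-", " ").split()
    return bool(words) and all(w in GENERIC_WORDS for w in words)


def is_corporate(ip):
    return any(ip_address(ip) in net for net in CORP_NETS)


def review_consent_events(events, first_use_window=timedelta(minutes=15),
                          call_window=timedelta(hours=1)):
    """Return one finding per consent event that matches vishing indicators."""
    parse = datetime.fromisoformat
    uses = defaultdict(list)
    for e in events:
        if e["type"] == "api.call":
            uses[(e["user"], e["app"])].append(e)
    findings = []
    for e in events:
        if e["type"] != "oauth.consent":
            continue
        t = parse(e["ts"])
        reasons = []
        if is_generic_name(e["app"]):
            reasons.append("vague connected-app name")
        if not e.get("mfa"):
            reasons.append("no MFA challenge recorded at authorization")
        call = REPORTED_CALLS.get(e["user"])
        if call is not None and abs(t - call) <= call_window:
            reasons.append("authorization within %s of a reported IT-support call" % call_window)
        # First use of the token after consent: from a non-corporate IP that
        # differs from the consenting user's own IP, seconds to minutes later.
        for u in sorted(uses[(e["user"], e["app"])], key=lambda x: x["ts"]):
            ut = parse(u["ts"])
            if ut < t:
                continue
            if ut - t <= first_use_window and u["ip"] != e["ip"] and not is_corporate(u["ip"]):
                reasons.append("token used from %s %ds after consent" % (u["ip"], (ut - t).seconds))
            break
        if reasons:
            findings.append({"user": e["user"], "app": e["app"], "ts": e["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_consent_events(SAMPLE_EVENTS):
        print(f["user"], f["app"], "->", "; ".join(f["reasons"]))
```

On the constructed input only alice's "Support Tool" authorization is reported, with all four reasons; bob's expense-app consent used MFA and its token was first used hours later from the same corporate address, so it is left alone. Tuning the windows and the filler-word list to your environment is where most of the false-positive control lies.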
Credential harvesting and MFA interception:
Victim-branded phishing pages are used to capture Single Sign-On (SSO) credentials and one-time MFA codes. In several campaigns, adversary-in-the-middle (AiTM) frameworks capture valid sessions in real time.
Signs this vector was used:
- SSO logs show session creation without a corresponding interactive MFA challenge.
- Concurrent sessions for the same user from different IPs or regions within minutes.
- Email or web proxy alerts indicate visits to brand‑impersonation domains.
- Unusual user agents or proxy headers observed in authentication events.
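Three of these signs (session without an MFA challenge, concurrent sessions from different regions, and an unusual user agent) can be checked in one pass over SSO session-creation events. The block below is an added example rather than Cyber Centre tooling; the session record layout, the region labels and the 10-minute concurrency window are constructed assumptions.

```python
"""Flag SSO session anomalies consistent with credential harvesting or AiTM.

Added example (not Cyber Centre tooling). The session record layout and the
10-minute window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"

# Constructed sample SSO session-creation events.
SESSIONS = [
    {"ts": "2026-04-28T10:00:00", "user": "carol", "ip": "192.0.2.25", "region": "CA-ON",
     "mfa_challenge": True, "ua": BROWSER_UA},
    {"ts": "2026-04-28T10:04:30", "user": "carol", "ip": "203.0.113.80", "region": "NL",
     "mfa_challenge": False, "ua": "python-requests/2.31.0"},
    {"ts": "2026-04-28T10:30:00", "user": "dave", "ip": "192.0.2.31", "region": "CA-ON",
     "mfa_challenge": True, "ua": BROWSER_UA},
    {"ts": "2026-04-28T13:00:00", "user": "dave", "ip": "192.0.2.31", "region": "CA-ON",
     "mfa_challenge": True, "ua": BROWSER_UA},
]


def find_session_anomalies(sessions, window=timedelta(minutes=10)):
    """Return findings of three kinds: session minted without an MFA challenge,
    non-browser user agent, and concurrent sessions for one user from different
    regions inside `window`."""
    findings = []
    by_user = defaultdict(list)
    for s in sorted(sessions, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(s["ts"])
        # 1. No interactive MFA challenge: a cookie or token replayed from an
        #    AiTM proxy produces exactly this pattern.
        if not s["mfa_challenge"]:
            findings.append({"kind": "no_mfa_challenge", "user": s["user"],
                             "ip": s["ip"], "ts": s["ts"]})
        # 2. Scripted clients rarely appear in interactive SSO sign-ins.
        if not s["ua"].startswith("Mozilla/"):
            findings.append({"kind": "scripted_user_agent", "user": s["user"],
                             "ua": s["ua"], "ts": s["ts"]})
        # 3. Another session for the same user from another region, minutes earlier.
        for prev_t, prev in by_user[s["user"]]:
            if t - prev_t <= window and prev["region"] != s["region"]:
                findings.append({"kind": "concurrent_regions", "user": s["user"],
                                 "regions": [prev["region"], s["region"]],
                                 "ips": [prev["ip"], s["ip"]], "ts": s["ts"]})
        by_user[s["user"]].append((t, s))
    return findings


if __name__ == "__main__":
    for f in find_session_anomalies(SESSIONS):
        print(f)
```

With the constructed input, carol's second session trips all three checks while dave's two same-region sessions hours apart produce nothing. The region comparison stands in for whatever geolocation your identity provider attaches to sign-in events.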
Domain and subdomain impersonation:
Actors increasingly use impersonated subdomains (for example, <organization>sso[.]com) rather than newly registered look-alike domains, enabling lures to bypass basic domain reputation and “newly registered domain” controls.
Signs this vector was used:
- DNS or proxy logs show access to look‑alike domains or impersonated subdomains resembling corporate or SSO portals.
- Email security tools flag messages with links to these domains or domain display mismatches.
- SIEM alerts for newly observed domains closely matching corporate domains.
- Authentication attempts with referral URLs tied to impersonated sites.
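Because these lures do not rely on a freshly registered domain, a useful complement to reputation feeds is a check on the hostname structure itself: does the organization's brand appear anywhere in a name whose registrable domain is not the organization's own? The following is an added example, not Cyber Centre tooling; the corporate domain example.com, the brand token and the sample hostnames are constructed, and the two-label approximation of the registrable domain is a deliberate simplification noted in the code.

```python
"""Spot look-alike and impersonated-subdomain hostnames in DNS or proxy logs.

Added example (not Cyber Centre tooling). The corporate domain, the brand
token and the sample hostnames are constructed.
"""

CORPORATE_DOMAINS = {"example.com"}   # constructed: the organization's own domain(s)
BRAND_TOKENS = {"example"}            # constructed: strings an impersonator would reuse

# Constructed sample hostnames as they might appear in DNS or proxy logs
# (some defanged with [.] as in threat reports; normalize() undoes this).
SAMPLE_HOSTS = [
    "sso.example.com",                      # legitimate corporate SSO portal
    "examplesso[.]com",                     # brand fused into the registrable domain
    "example-sso.okta-support[.]net",       # brand in a subdomain of an unrelated domain
    "sso.example.com.login-check[.]org",    # the real portal name nested under another domain
    "www.vendor.net",                       # unrelated, not flagged
    "mail.google.com",                      # unrelated, not flagged
]


def normalize(host):
    return host.lower().strip().replace("[.]", ".").rstrip(".")


def registrable_domain(host):
    """Last two labels. Simplification: production code should use the Public
    Suffix List so that names such as 'example.co.uk' are split correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Return None for unremarkable hosts, otherwise:
    'lookalike_domain'        brand token inside the registrable domain itself
    'impersonated_subdomain'  brand token in the subdomain labels of another domain
    """
    host = normalize(host)
    reg = registrable_domain(host)
    if reg in CORPORATE_DOMAINS:
        return None
    second_level = reg.split(".")[0]
    sub_labels = host[:-len(reg)].rstrip(".").split(".") if len(host) > len(reg) else []
    if any(tok in second_level for tok in BRAND_TOKENS):
        return "lookalike_domain"
    if any(tok in label for tok in BRAND_TOKENS for label in sub_labels):
        return "impersonated_subdomain"
    return None


def scan_hosts(hosts):
    """Return [(normalized host, label)] for hosts that deserve analyst attention."""
    hits = []
    for h in hosts:
        label = classify_host(h)
        if label:
            hits.append((normalize(h), label))
    return hits


if __name__ == "__main__":
    for host, label in scan_hosts(SAMPLE_HOSTS):
        print(label, host)
```

The check is intentionally independent of domain age, which is exactly the property the impersonated-subdomain technique is designed to defeat. Feeding it the daily set of new hostnames from DNS or proxy logs gives a short list to triage alongside the SIEM "newly observed domain" alerts.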
Abuse of help‑desk and recovery workflows:
In several recent incidents, actors successfully convince support staff to reset MFA or enroll attacker-controlled devices, resulting in persistent authenticated access. These techniques exploit human trust and identity processes, not technical vulnerabilities in SaaS platforms.
Signs this vector was used:
- MFA resets, recovery changes, or device enrollments approved without enhanced verification or outside normal procedures.
- Support tickets or call logs show identity validation gaps or policy deviations.
- Sudden addition of new authentication devices or methods to privileged accounts.
- Admin audit logs show identity changes initiated from unusual locations or times.
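Each of the four signs above corresponds to a field that most admin audit logs already carry, so a periodic review of MFA-reset, recovery and device-enrolment events against the documented help-desk procedure can be scripted. This is an added example, not Cyber Centre tooling; the event fields, the set of accepted "enhanced" verification methods, the business-hours window, the expected help-desk locations and the privileged-account list are all constructed.

```python
"""Audit MFA-reset, recovery and device-enrolment events for help-desk process gaps.

Added example (not Cyber Centre tooling). Event fields, the accepted
verification methods, business hours and the privileged-account set are
constructed assumptions.
"""
from datetime import datetime

# Constructed: verification steps the help-desk procedure counts as "enhanced".
ENHANCED_VERIFICATION = {"callback_known_number", "manager_approval", "in_person"}
PRIVILEGED_USERS = {"admin-erin"}           # constructed
BUSINESS_HOURS = (8, 18)                    # constructed: local 08:00-18:00
EXPECTED_LOCATIONS = {"HQ", "Branch-East"}  # constructed: where agents normally work
IDENTITY_CHANGE_TYPES = {"mfa.reset", "recovery.change", "device.enroll"}

# Constructed sample admin audit events.
SAMPLE_EVENTS = [
    {"ts": "2026-04-28T22:15:00", "type": "mfa.reset", "user": "admin-erin", "actor": "hd-agent1",
     "ticket": "INC-1001", "verification": "callback_known_number", "location": "unknown"},
    {"ts": "2026-04-28T10:30:00", "type": "device.enroll", "user": "frank", "actor": "hd-agent2",
     "ticket": "INC-1002", "verification": "manager_approval", "location": "HQ"},
    {"ts": "2026-04-28T14:00:00", "type": "recovery.change", "user": "gina", "actor": "hd-agent1",
     "ticket": None, "verification": None, "location": "HQ"},
    {"ts": "2026-04-28T11:00:00", "type": "login", "user": "frank", "actor": "frank",
     "ticket": None, "verification": None, "location": "HQ"},
]


def audit_identity_changes(events):
    """Return one finding per identity change that deviates from procedure."""
    findings = []
    for e in events:
        if e["type"] not in IDENTITY_CHANGE_TYPES:
            continue
        reasons = []
        if e.get("verification") not in ENHANCED_VERIFICATION:
            reasons.append("no enhanced verification recorded")
        if not e.get("ticket"):
            reasons.append("no support ticket linked")
        if e["user"] in PRIVILEGED_USERS:
            reasons.append("authentication method changed on a privileged account")
        hour = datetime.fromisoformat(e["ts"]).hour
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            reasons.append("change made outside business hours")
        if e.get("location") not in EXPECTED_LOCATIONS:
            reasons.append("change initiated from unexpected location %r" % e.get("location"))
        if reasons:
            findings.append({"user": e["user"], "type": e["type"], "actor": e["actor"],
                             "ts": e["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_identity_changes(SAMPLE_EVENTS):
        print(f["type"], f["user"], "by", f["actor"], "->", "; ".join(f["reasons"]))
```

On the constructed log, the late-evening MFA reset on the privileged account from an unknown location is reported even though the agent did perform a callback, and gina's recovery change is reported for having neither a ticket nor any enhanced verification; frank's enrolment, done in hours with manager approval, passes. Running this daily and routing the output to the help-desk lead turns the "identity validation gaps" sign into a routine control rather than something found only during an incident.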
Supply chain compromise (SaaS‑to‑SaaS “golden token” theft):
Threat actors breach a third‑party vendor and steal OAuth refresh tokens that customers previously authorized for that vendor’s connected application. Stolen refresh tokens are used to mint valid session tokens that bypass MFA and appear indistinguishable from normal integration activity.
Signs this vector was used:
- The primary sign is a mismatch between the origin of the API call and the vendor's known infrastructure.
- API activity originating from IP ranges or ASNs not associated with the vendor.
- Sightings of unauthorized repo access, CI/CD compromise, or credential leaks at the vendor, often reported publicly before customers detect abuse.
- Unexpected elevation of capabilities by an integration that normally performs limited, predictable tasks.
- A sudden surge in Bulk API 2.0 or REST API queries targeting high-value objects such as Account, Contact, Lead, or Case.
- The application suddenly performs "select *" queries on entire database tables it rarely touched before.
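The origin mismatch, the query surge against high-value objects and the select-everything queries can all be derived from SaaS API access logs once the vendor's published egress ranges and a per-object baseline are known. The block below is an added example, not Cyber Centre tooling: the vendor name, its IP ranges, the daily baseline and the one-day sample log are constructed; the object names are those the alert lists. The select-all pattern matches both generic "select *" and SOQL's FIELDS(ALL) form.

```python
"""Detect abuse of a compromised vendor integration ("golden token") in SaaS API logs.

Added example (not Cyber Centre tooling). The vendor's egress ranges, the
per-object daily baseline and the sample API log are constructed; the object
names (Account, Contact, Lead, Case) are the ones the alert names.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the vendor's documented egress ranges for its connected app.
VENDOR_NETS = {"DataSyncVendor": [ip_network("198.51.100.0/24")]}
# Constructed: average daily query count per (integration, object) over the prior 30 days.
BASELINE = {("DataSyncVendor", "Contact"): 40, ("DataSyncVendor", "Account"): 2}
HIGH_VALUE_OBJECTS = {"Account", "Contact", "Lead", "Case"}
# 'select *' (generic SQL) or SOQL's FIELDS(ALL): pulling every column of a table.
SELECT_ALL = re.compile(r"select\s+(\*|fields\(all\))", re.IGNORECASE)


def constructed_api_log():
    """One constructed day of API events: the vendor's normal sync traffic
    followed by a burst of bulk full-table pulls from an address outside its ranges."""
    normal = [{"integration": "DataSyncVendor", "ip": "198.51.100.12", "object": "Contact",
               "query": "SELECT Id, Email FROM Contact WHERE LastModifiedDate = TODAY"}
              for _ in range(35)]
    burst = [{"integration": "DataSyncVendor", "ip": "203.0.113.9", "object": "Account",
              "query": "SELECT FIELDS(ALL) FROM Account"}
             for _ in range(20)]
    return normal + burst


def analyze_integration_activity(events, surge_factor=5):
    """Return findings of three kinds: origin_mismatch, query_surge, select_all."""
    findings = []
    foreign = Counter()      # (integration, ip) -> calls from outside the vendor's ranges
    per_object = Counter()   # (integration, object) -> queries on high-value objects
    select_all = Counter()   # (integration, object) -> full-column queries
    for e in events:
        nets = VENDOR_NETS.get(e["integration"], [])
        if not any(ip_address(e["ip"]) in n for n in nets):
            foreign[(e["integration"], e["ip"])] += 1
        if e["object"] in HIGH_VALUE_OBJECTS:
            per_object[(e["integration"], e["object"])] += 1
        if SELECT_ALL.search(e["query"]):
            select_all[(e["integration"], e["object"])] += 1
    for (integration, ip), n in foreign.items():
        findings.append({"kind": "origin_mismatch", "integration": integration,
                         "ip": ip, "calls": n})
    for key, n in per_object.items():
        base = BASELINE.get(key, 0)
        if n > surge_factor * max(base, 1):
            findings.append({"kind": "query_surge", "integration": key[0], "object": key[1],
                             "observed": n, "baseline": base})
    for key, n in select_all.items():
        findings.append({"kind": "select_all", "integration": key[0], "object": key[1],
                         "queries": n})
    return findings


if __name__ == "__main__":
    for f in analyze_integration_activity(constructed_api_log()):
        print(f)
```

The vendor's ordinary Contact sync stays under its baseline and is not reported; the twenty Account pulls from 203.0.113.9 produce all three findings. Because a replayed refresh token carries the vendor's own client identity, the source address and the shape of the queries are the only signals left, which is why the alert calls the origin mismatch the primary sign.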
Post‑Compromise Activity
After obtaining valid credentials or authenticated sessions, the actors typically:
- Pivot laterally across SaaS applications using a single SSO identity to access email, document repositories, CRM systems, HR platforms, and analytics tools.
- Exfiltrate large volumes of sensitive data using legitimate application programming interfaces (APIs) and export functions, blending malicious activity with normal user behaviour.
- Exploit trusted third‑party SaaS integrations, including stored authentication tokens, to access downstream systems without triggering endpoint‑based security controls.
- Conduct aggressive extortion operations, threatening public disclosure or sale of stolen data on leak sites or underground forums if ransom demands are not met.
Malware is not typically deployed, limiting the effectiveness of traditional endpoint‑centric detection approaches.
Suggested actions
The Cyber Centre recommends organizations implement the following mitigations to reduce the risk associated with this activity:
Identity and Access Controls
- Deploy phishing‑resistant MFA (for example, FIDO2 security keys or passkeys), particularly for administrators and users with access to sensitive SaaS data.
- Restrict and closely monitor MFA reset, recovery, and device re‑enrolment processes, requiring enhanced verification and approval.
User Awareness and Procedures
- Train employees and support staff to recognize voice phishing and impersonation tactics, emphasizing that legitimate IT staff should not request MFA codes or passwords.
- Implement out‑of‑band verification procedures for identity‑related requests received by phone or messaging platforms.
- Implement Dedicated Administrative Workstations (DAWs) for all privileged access using hardened, isolated devices with MFA that are restricted from internet browsing and email, in line with CCCS guidance (ITSP.60.100).
SaaS and Cloud Security
- Monitor identity provider and SaaS logs for anomalous sign‑ins, unusual API activity, and high‑volume data exports.
- Review and minimize third‑party SaaS integrations, rotating credentials and revoking unused tokens.
- Enforce conditional access policies using device posture, location, and risk scoring.
Incident Preparedness
- Ensure sufficient log retention to support investigation of identity compromise and SaaS data theft incidents.
- Develop and test response playbooks for data extortion scenarios, including legal, communications, and stakeholder notification considerations.
References
- What is voice phishing (vishing)? (ITSAP.00.102)
- Don't take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)
- Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
- ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation
- ShinyHunters Wage Broad Corporate Extortion Spree
- Developing your incident response plan (ITSAP.40.003)
- Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)