From obsidiansecurity.com
The kill chain for a SaaS identity compromise will involve several distinct stages that can be mapped to MITRE ATT&CK:
- Reconnaissance: The attacker gathers information about the target organization and its employees (T1589). This might involve techniques like obtaining IT Administrator names from LinkedIn (T1589.003) or exploiting publicly available data breaches to obtain credentials (T1589)
- Initial Access: Phishing emails with malicious links (T1598.003) remain a prevalent tactic. These links can steal login credentials or trick users into granting access to attacker-controlled resources, specifically via Adversary-in-the-Middle attacks (T1557) to intercept user’s session cookies (T1539). Attackers can also leverage built-in self-service password reset functionality to reset the target’s password to gain access to an account.