TTPwire Vol. 1 · MITRE ATT&CK Tagged


CCCS Canada Alerts

AL26-010 – Cyber Criminals Social‑Engineering‑Enabled Compromise of Enterprise SaaS Environments

Canadian Centre for Cyber Security · 6 days ago

ATT&CK techniques detected

17 predictions (technique, confidence, supporting excerpt from the alert)

T1528 Steal Application Access Token (73%)
"…'s connected application. Stolen refresh tokens are used to mint valid session tokens that bypass MFA and appear indistinguishable from normal integration activity. Signs this vector was used: - The primary sign is a mismatch between the origin of the API call and the vendor'…"

T1111 Multi-Factor Authentication Interception (71%)
"…tor nodes seconds to minutes after creation. - Identity verification logs show no MFA challenge because authorization bypassed credential harvesting and MFA interception: Victim-branded phishing pages are used to capture single sign-on (SSO) credentials and one-time MFA code…"

T1621 Multi-Factor Authentication Request Generation (57%)
"…platforms, and analytics tools. Exfiltrate large volumes of sensitive data using legitimate application programming interfaces (APIs) and export functions, blending malicious activity with normal user behaviour. Exploit trusted third-party SaaS integrations, including stored…"

T1528 Steal Application Access Token (57%)
"…access is achieved, actors focus on data exfiltration and extortion, often without deploying malware, complicating detection and response efforts. Technical details. Initial access. Recent campaigns reveal that these actors gain initial access through direct interaction with target…"

T1556.006 Multi-Factor Authentication (56%)
"…platforms, and analytics tools. Exfiltrate large volumes of sensitive data using legitimate application programming interfaces (APIs) and export functions, blending malicious activity with normal user behaviour. Exploit trusted third-party SaaS integrations, including stored…"

T1550.001 Application Access Token (50%)
"…'s connected application. Stolen refresh tokens are used to mint valid session tokens that bypass MFA and appear indistinguishable from normal integration activity. Signs this vector was used: - The primary sign is a mismatch between the origin of the API call and the vendor'…"

T1078.004 Cloud Accounts (49%)
"…access is achieved, actors focus on data exfiltration and extortion, often without deploying malware, complicating detection and response efforts. Technical details. Initial access. Recent campaigns reveal that these actors gain initial access through direct interaction with target…"

T1528 Steal Application Access Token (48%)
"…or SSO portals. - Email security tools flag messages with links to these domains or domain display mismatches. - SIEM alerts for newly observed domains closely matching corporate domains. - Authentication attempts with referral URLs tied to impersonated sites. Abuse of help-des…"

T1671 Cloud Application Integration (45%)
"…'s connected application. Stolen refresh tokens are used to mint valid session tokens that bypass MFA and appear indistinguishable from normal integration activity. Signs this vector was used: - The primary sign is a mismatch between the origin of the API call and the vendor'…"

T1598.004 Spearphishing Voice (44%)
"AL26-010 – Cyber Criminals Social-Engineering-Enabled Compromise of Enterprise SaaS Environments. Number: AL26-010. Date: May 1, 2026. Audience: This alert is intended for IT professionals and managers. Purpose: An alert is used to raise awareness of a recently identified cy…"

T1550.001 Application Access Token (41%)
"…or SSO portals. - Email security tools flag messages with links to these domains or domain display mismatches. - SIEM alerts for newly observed domains closely matching corporate domains. - Authentication attempts with referral URLs tied to impersonated sites. Abuse of help-des…"

T1556.006 Multi-Factor Authentication (39%)
"…should not request MFA codes or passwords. Implement out-of-band verification procedures for identity-related requests received by phone or messaging platforms. Implement dedicated administrative workstations (DAWs) for all privileged access using hardened, isolated devic…"

T1556.006 Multi-Factor Authentication (38%)
"…tor nodes seconds to minutes after creation. - Identity verification logs show no MFA challenge because authorization bypassed credential harvesting and MFA interception: Victim-branded phishing pages are used to capture single sign-on (SSO) credentials and one-time MFA code…"

T1621 Multi-Factor Authentication Request Generation (38%)
"…tor nodes seconds to minutes after creation. - Identity verification logs show no MFA challenge because authorization bypassed credential harvesting and MFA interception: Victim-branded phishing pages are used to capture single sign-on (SSO) credentials and one-time MFA code…"

T1550.001 Application Access Token (37%)
"…access is achieved, actors focus on data exfiltration and extortion, often without deploying malware, complicating detection and response efforts. Technical details. Initial access. Recent campaigns reveal that these actors gain initial access through direct interaction with target…"

T1557 Adversary-in-the-Middle (33%)
"…tor nodes seconds to minutes after creation. - Identity verification logs show no MFA challenge because authorization bypassed credential harvesting and MFA interception: Victim-branded phishing pages are used to capture single sign-on (SSO) credentials and one-time MFA code…"

T1621 Multi-Factor Authentication Request Generation (32%)
"…should not request MFA codes or passwords. Implement out-of-band verification procedures for identity-related requests received by phone or messaging platforms. Implement dedicated administrative workstations (DAWs) for all privileged access using hardened, isolated devic…"