Report Surfaces Sharp Spike in Malicious Logins from Low-Risk Sources
A report published by Barracuda Networks this week finds there has been a 25% increase in successful malicious logins to the Microsoft 365 platform from countries that are normally deemed to be low-risk sources of cybercriminal activity.
Merium Khalid, director of offensive security for the security operations center (SOC) at Barracuda Networks, said that increase suggests that cybersecurity and IT teams may need to revisit their access policies in addition to taking a deeper look into the log data they collect.
In general, too many cybersecurity and IT teams are relying on policies that are simply too broad, such as allowing logins from countries such as the U.S. or anywhere in Europe while blocking access from, for example, Russia.
It’s not clear to what degree the successful logins being made are a direct result of malicious actors located in a low-risk country that are frequently changing their IP address or cybercriminals who are making use of a virtual private network (VPN) to hide their true location. Regardless of where those malicious actors are located, however, they have been able to gain access using stolen credentials that appear legitimate, said Khalid.
In the meantime, cybersecurity and IT teams, in addition to being more proactive when it comes to investigating any unusual or unexpected behavior, should also make certain that multifactor authentication (MFA) policies are being enforced, she added.
Additionally, cybersecurity and IT teams should quarantine devices automatically when suspected command‑and‑control activity is detected, and should make sure that access to PowerShell scripting tools is granted only to end users who genuinely need them, said Khalid.
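The recommendations above (narrower access policies, a deeper look at sign-in logs, and enforced MFA) can be turned into a concrete check over sign-in records. The script below is an added example written for this page; it is not code from Barracuda Networks or from the report, and the field names, the country allowlist, the travel window and the sample records are all constructed assumptions rather than any real tenant's data. It shows why a country-level allowlist alone is too broad: every flagged login here comes from an "allowed" country, and is only caught by per-user baselines, impossible-travel timing and the MFA outcome.

```python
"""Flag suspicious successful sign-ins that a country allowlist alone would accept.

Added example for this page; field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data). The fields mirror
# what a sign-in log typically exposes: user, UTC time, source IP, country,
# whether the login succeeded and whether MFA was satisfied.
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2024-05-01T08:00:00", "ip": "203.0.113.10", "country": "US", "success": True,  "mfa": True},
    {"user": "alice", "time": "2024-05-01T09:15:00", "ip": "203.0.113.10", "country": "US", "success": True,  "mfa": True},
    {"user": "alice", "time": "2024-05-01T09:40:00", "ip": "198.51.100.7", "country": "DE", "success": True,  "mfa": False},
    {"user": "bob",   "time": "2024-05-01T10:00:00", "ip": "203.0.113.22", "country": "US", "success": True,  "mfa": True},
    {"user": "bob",   "time": "2024-05-01T10:05:00", "ip": "198.51.100.9", "country": "DE", "success": False, "mfa": False},
    {"user": "bob",   "time": "2024-05-02T10:00:00", "ip": "203.0.113.22", "country": "US", "success": True,  "mfa": True},
    {"user": "carol", "time": "2024-05-01T11:00:00", "ip": "192.0.2.5",    "country": "FR", "success": True,  "mfa": True},
    {"user": "carol", "time": "2024-05-03T11:00:00", "ip": "192.0.2.5",    "country": "FR", "success": True,  "mfa": True},
    {"user": "carol", "time": "2024-05-03T11:20:00", "ip": "192.0.2.77",   "country": "NL", "success": True,  "mfa": True},
]

# The kind of broad geo-allowlist the article describes (assumed values).
ALLOWED_COUNTRIES = {"US", "DE", "FR", "NL", "GB"}
# Two different countries for one user inside this window is treated as
# "impossible travel" (assumed threshold).
TRAVEL_WINDOW = timedelta(hours=2)


def country_policy_passes(event):
    """The broad policy: accept any login whose source country is allowlisted."""
    return event["country"] in ALLOWED_COUNTRIES


def find_suspicious(events):
    """Return a list of (reason, event) for successful, allowlist-passing logins
    that still look wrong for the specific user.

    Reasons raised:
      success_without_mfa   - login succeeded but MFA was not satisfied
      new_country_for_user  - country never seen in this user's MFA-backed history
      impossible_travel     - previous success was from another country within TRAVEL_WINDOW
    """
    events = sorted(events, key=lambda e: e["time"])
    known = defaultdict(set)   # user -> countries seen in earlier MFA-backed successes
    last_success = {}          # user -> (time, country) of the previous successful login
    findings = []
    for e in events:
        # Failed logins and allowlist-blocked countries are handled elsewhere;
        # the point here is what the allowlist lets through.
        if not e["success"] or not country_policy_passes(e):
            continue
        t = datetime.fromisoformat(e["time"])
        if not e["mfa"]:
            findings.append(("success_without_mfa", e))
        if known[e["user"]] and e["country"] not in known[e["user"]]:
            findings.append(("new_country_for_user", e))
        prev = last_success.get(e["user"])
        if prev and prev[1] != e["country"] and t - prev[0] <= TRAVEL_WINDOW:
            findings.append(("impossible_travel", e))
        # Only MFA-backed successes extend the user's trusted-country baseline,
        # so a credential-only login cannot "teach" the baseline a new location.
        if e["mfa"]:
            known[e["user"]].add(e["country"])
        last_success[e["user"]] = (t, e["country"])
    return findings


def summarize(findings):
    """Count findings per reason, for a quick triage view."""
    counts = defaultdict(int)
    for reason, _ in findings:
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for reason, ev in find_suspicious(SAMPLE_SIGNINS):
        print(f"{reason:22} {ev['user']:6} {ev['country']} {ev['time']} mfa={ev['mfa']}")
    print(summarize(find_suspicious(SAMPLE_SIGNINS)))
```

Run against the sample, all nine records pass the country allowlist, yet alice's German login is flagged three times (no MFA, a country she has never used, and 25 minutes after a US login) and carol's Dutch login twice. Each finding is a prompt to investigate rather than an automatic block; the value of the per-user baseline is that it narrows the broad "Europe is fine" policy down to what is normal for that one account.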
Barracuda Networks also noted that organizations should review what artificial intelligence (AI) tools have been installed by end users. There has been a notable increase in cybercriminal activity that starts with a lure to download an instance of Claude Code from what turns out to be a fake website. Instead of installing legitimate software, the fake website triggers a multi‑stage malware attack. Adding insult to injury, the software turned out to be difficult to remove because the installer also created fake certificates to thwart detection efforts.
While this type of attack is hardly new, it serves as a reminder of the need to create and enforce policies that only allow end users to download software from verified sources, noted Khalid.
While there is no shortage of methods that can be employed by cybercriminals, the Barracuda Networks report makes it clear that adversaries continue to rely on proven techniques that rely heavily on stolen credentials. Once access is gained, spreading malware throughout an IT environment becomes relatively trivial.
Hopefully, there will come a day when low-level threats can be detected and thwarted, but for now the price of security remains eternal vigilance. Cybersecurity and IT teams need to continuously monitor logins to not only thwart attacks, but also limit the potential radius of an inevitable breach. The challenge, as always, is that the number of attacks being made continues to increase at a rate that is overwhelming an organization’s ability to defend itself.