The NSA published "Detecting Abuse of Authentication Mechanisms", which discusses how malicious cyber actors are abusing trust in federated authentication environments to access protected data. The exploitation occurs after the actors have gained initial access to a victim's on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources. The actors demonstrate two sets of tactics, techniques, and procedures (TTP) for gaining access to the victim network's cloud resources, often with a particular focus on organizational email.
Might also be good to add to that that the NSA released this in response to the SolarWinds events and following breaches.
Thanks for sharing, Michael!
Thanks Michael, this is a good read.