Cred theft AA24-057A
Engine-driven compliance rail for Credential theft → MFA fatigue → lateral movement (remote-user SaaS path) on the Financial Services protect-surface layout. Step controls cycle through the engine's Trust-Failure chain; each step shows the in-scope provisions the failure implicates and, where a regulatory clock applies, the obligation diamond.
step 01 / 06
step 01TF2observedATT&CK T1110
stage 2
Adversary obtains password via brute force or password spraying against a remote-user SaaS login surface. AA24-057A: "SVR use password spraying and brute forcing as an initial infection vector."
mitigating controls
idpmfa-authenticatorca-pkikms-secretspam
in-scope provisions (6)
- partial3.A - Change Default Passwords
- partial3.B - Establish Minimum Password Strength
- partial3.F - Implement Multifactor Authentication (Mfa)
- partial3.G - Administrators Maintain Separate User And Privileged Accounts
- partial§314.4(c)(1) Access controls — least-privilege baseline + as-appropriate physical
- partial§314.4(c)(5) Multi-Factor Authentication — universal default + QI compensating-control surface
obligation
no regulatory clock for this step
- 01Initial Accessidentity-svcPhishing-resistant MFA is not enforced for every principal. A high-privilege identity yields its password to a phishing portal; the PE accepts the reused secret.
- 02DiscoverycrmThe compromised identity logs into Salesforce and pivots through field-level data, mapping the customer base and the privileged-user list for the next hop.
- 03Lateral Movementgoogle-workspaceThe same federated identity is replayed against Google Workspace. AA24-057A documents Midnight Blizzard’s SaaS-to-SaaS pivots via OAuth tokens granted under the assumed principal.
- 04Exfiltrationcustomer-piiCustomer PII is exported through legitimate SaaS APIs under the stolen identity — no anomaly fires because the access pattern is a valid-account one (T1078).