attack-path / financial services / m2m-token-replay

M2M token replay AA24-057A

Engine-driven compliance rail for M2M token replay (workload identity exfil + reuse against cloud tenants) on the Financial Services protect-surface layout. Step controls cycle through the engine's Trust-Failure chain; each step shows the in-scope provisions the failure implicates and, where a regulatory clock applies, the obligation diamond.

resolved atFinancial Services · Hybrid SaaS + VPC · Remote user opens a SaaS application
step 01TF1observedATT&CK T1078.004
stage 1

Adversary targets a service / system account or dormant user account on the cloud tenant. AA24-057A: "Service accounts are often highly privileged… there is no human user behind them so they cannot be easily protected with MFA, making these accounts more susceptible to a successful compromise."

mitigating controls
ztna-gateway
in-scope provisions (6)
  • partialID.AM-01 — Asset Managementnist-csf-2-0disc:highpendingEvidence
  • partialID.AM-02 — Asset Managementnist-csf-2-0disc:highpendingEvidence
  • partialID.AM-03 — Asset Managementnist-csf-2-0disc:highpendingEvidence
  • partialID.AM-04 — Asset Managementnist-csf-2-0disc:highpendingEvidence
  • partialID.AM-05 — Asset Managementnist-csf-2-0disc:highpendingEvidence
  • partialID.AM-07 — Asset Managementnist-csf-2-0disc:highpendingEvidence
obligation
no regulatory clock for this step
protect-surface storyline (DAAS cards)
  1. 01
    Initial Access
    identity-svc
    A service-principal secret leaks through a compromised CI run. The IdP accepts the token because it carries valid scopes and is still inside its (over-long) lifetime.
  2. 02
    Persistence
    cloud-infra
    The actor authenticates to the cloud control plane as the service principal. AA24-057A documents long-dwell service-account abuse where the trust algorithm never re-decisions on freshness.
  3. 03
    Collection
    database-systems
    The service principal’s standing read on production databases is exercised. No east-west PEP demands a fresh principal claim, so query traffic flows.
  4. 04
    Exfiltration
    cloud-storage
    Bulk reads land in an attacker-controlled cloud bucket. Egress audit logs catch the volume only retrospectively — an Audit-Failure window the actor counted on.