Full Report
Nation-state threat actors targeting Commvault applications hosted in Microsoft Azure may be part of a broader campaign targeting Software-as-a-Service (SaaS) applications, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory this week.

The May 22 CISA advisory builds on a Commvault warning earlier this month that nation-state threat actors were exploiting CVE-2025-3928 to target Commvault applications hosted in their Microsoft Azure cloud environment in an attempt to access customer Microsoft 365 (M365) environments.

CISA’s new advisory says the agency believes the Commvault M365 threat “may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.”

CISA offered no specifics on other SaaS apps that may be targeted, but CISA and Commvault both offered guidance for protecting Commvault and M365 environments, some of which could be applicable to other SaaS apps.

Commvault M365 Threat Campaign Detailed

According to CISA, threat actors may have accessed client secrets for Commvault’s Metallic Microsoft 365 backup SaaS solution hosted in Azure. “This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault,” the advisory said.

Commvault’s May 4 update on the incident said the nation-state threat actor “may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.”

Commvault responded with several remedial actions, including rotating credentials and issuing customer recommendations. Commvault also provided guidance for M365, Dynamics 365 and Entra ID backups configured with additional single-tenant app registrations. Commvault listed known IP addresses associated with the malicious activity for clients to block.

Those IP addresses include: 69.148.100 92.80.210 153.42.129 6.189.53 223.17.243 242.42.20

Guidance for Protecting Commvault and M365

CISA recommended that organizations apply patches and updates and follow detailed mitigation guidance and best practices, which include:

- Monitor Entra audit logs for unauthorized modifications or new credentials to service principals initiated by Commvault applications and service principals, and handle deviations from regular login schedules as suspicious
- Review Microsoft Entra audit, Entra sign-in, and unified audit logs and conduct internal threat hunting
- For single-tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address listed within Commvault’s allowlisted range of IP addresses (conditional access policies require a Microsoft Entra Workload ID Premium license)
- Customers who can should establish a policy to regularly rotate credentials, at least every 30 days
- Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than needed
- Implement M365 security recommendations outlined in CISA’s Secure Cloud Business Applications (SCuBA) project
- Where possible, limit access to Commvault management interfaces to trusted networks and administrative systems
- Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications
- Monitor activity from unexpected directories, especially web-accessible paths
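The first three monitoring items above (and the Recommendations list at the end of the Analysis Summary) can be turned into simple triage checks. The following is an added example, not code from CISA or Commvault: it runs two checks over constructed Entra-style records whose field names and activity names approximate the Entra audit and service-principal sign-in exports and should be verified against your tenant; the "Commvault Backup Agent" principal name, the timestamps and the documentation-range IPs are all made up, and the allowlist is a placeholder for Commvault's published ranges.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
# Activity names as they appear in Entra audit logs (assumed; verify in your tenant)
CREDENTIAL_OPS = {"Add service principal credentials",
                  "Update application - Certificates and secrets management"}

def credential_changes(audit_events, sp_fragment="commvault"):
    """Credential additions/changes on, or initiated by, Commvault-related principals."""
    hits = []
    for ev in audit_events:
        if ev["activityDisplayName"] not in CREDENTIAL_OPS:
            continue
        actor = ev.get("initiatedBy", {}).get("app", {}).get("displayName", "")
        targets = [t["displayName"] for t in ev.get("targetResources", [])]
        if any(sp_fragment in n.lower() for n in targets + [actor]):
            hits.append((ev["activityDateTime"], actor, targets))
    return hits

def anomalous_signins(signins, allowlist, window=(1, 5)):
    """SP sign-ins from non-allowlisted IPs or outside the expected backup
    window (UTC hours, half-open). Returns (name, ip, reasons) per hit."""
    nets = [ip_network(n) for n in allowlist]
    flagged = []
    for s in signins:
        ip = ip_address(s["ipAddress"])
        hour = datetime.fromisoformat(s["createdDateTime"]).astimezone(timezone.utc).hour
        reasons = []
        if not any(ip in n for n in nets):
            reasons.append("ip_not_allowlisted")
        if not window[0] <= hour < window[1]:
            reasons.append("outside_schedule")
        if reasons:
            flagged.append((s["servicePrincipalName"], s["ipAddress"], reasons))
    return flagged

# Constructed sample records; field names approximate Entra audit / SP sign-in exports
AUDIT = [
    {"activityDateTime": "2025-05-01T03:10:00+00:00",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Commvault Backup Agent"}},
     "targetResources": [{"displayName": "Commvault Backup Agent", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-05-01T09:00:00+00:00", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "Jane Doe", "type": "User"}]}]
SIGNINS = [
    {"servicePrincipalName": "Commvault Backup Agent", "ipAddress": "203.0.113.7", "createdDateTime": "2025-05-01T02:30:00+00:00"},
    {"servicePrincipalName": "Commvault Backup Agent", "ipAddress": "198.51.100.9", "createdDateTime": "2025-05-01T14:05:00+00:00"}]
ALLOWLIST = ["203.0.113.0/24"]  # placeholder; substitute Commvault's published ranges
```

Every hit from `credential_changes` should be reconciled against a known Commvault change window or rotation, and a sign-in flagged for both reasons deserves the same priority as a confirmed credential addition.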
Analysis Summary
# Incident Report: Commvault Integration Threat Targeting M365 Environment
## Executive Summary
This incident involves a potential nation-state-linked campaign exploiting the integration between Commvault software and Microsoft 365 environments. The primary concern revolves around unauthorized access or modifications stemming from service principals associated with Commvault applications. CISA has issued guidance to organizations to enhance monitoring and implement strong access controls around these integration points to prevent potential compromise of M365 data and infrastructure.
## Incident Details
- Discovery Date: Not explicitly stated (Guidance issued based on ongoing threat assessment)
- Incident Date: Not explicitly stated (Refers to an ongoing campaign context)
- Affected Organization: Commvault customers utilizing Microsoft 365 integration (Implied scope)
- Sector: Technology/SaaS Integration (Affects organizations using the software across sectors)
- Geography: Global (Implied, based on CISA advisory nature)
## Timeline of Events
### Initial Access
- Date/Time: Not specified. The threat vector targets the configuration or use of Commvault service principals within M365.
- Vector: Exploitation/Misconfiguration related to Commvault service principals within the Microsoft Entra ID environment.
- Details: Access is gained or leveraged via existing, potentially overly permissive, application registrations or service principals used by Commvault to interact with M365.
### Lateral Movement
- Details: CISA advises defenders to monitor Entra audit logs for unauthorized modifications or new credentials on service principals related to Commvault applications, which indicates the threat actor may add or alter such credentials to maintain or pivot access through the established integration pathways.
### Data Exfiltration/Impact
- Details: The impact centers on unauthorized actions within the M365 ecosystem, potentially leading to unauthorized viewing, modification, or exfiltration of cloud data managed or accessed by the compromised integration.
### Detection & Response
- Date/Time: CISA issued guidance following the identification of this threat pattern.
- Response actions taken: CISA recommended detailed monitoring, patching, applying conditional access policies, and credential rotation (detailed in the Response Actions section).
## Attack Methodology
- Initial Access: Leveraging Commvault service principals/Application Registrations within Microsoft Entra ID.
- Persistence: The threat actor may create or modify credentials on Commvault service principals; CISA advises defenders to treat such changes, and deviations from the principals' regular login schedules, as suspicious.
- Privilege Escalation: Not explicitly detailed, but the campaign implies use of the existing administrative consent or high privileges granted to the service principal.
- Defense Evasion: Not explicitly detailed; CISA's emphasis on monitoring for unauthorized credential changes implies that the persistence mechanism blends in with legitimate Commvault service-principal activity.
- Credential Access: The threat actor may have accessed app client secrets stored by Commvault and could manipulate credentials associated with the Commvault service principal.
- Discovery: Not specified; audit-log review is the key defender-side step.
- Lateral Movement: Within the M365 tenant, specifically observing and utilizing service principal access.
- Collection: Likely involves accessing M365 data sources through the compromised application permissions.
- Exfiltration: Not specified, but the ultimate goal of gaining SaaS cloud access often includes data exfiltration.
- Impact: Unauthorized actions within M365, risk to cloud data integrity and confidentiality.
## Impact Assessment
- Financial: Not specified, but costs associated with breach investigation and remediation are implied.
- Data Breach: Potential exposure or compromise of data housed within the integrated M365 environment.
- Operational: Potential disruption to cloud services relying on the compromised integration.
- Reputational: Damage due to a nation-state linked breach involving critical third-party integration software.
## Indicators of Compromise
- Network indicators: Commvault published known IP addresses associated with the malicious activity for customers to block; conditional access should restrict service-principal authentication to Commvault's allowlisted IP ranges, and external access to Commvault management interfaces should be removed.
- File indicators: Not provided.
- Behavioral indicators: Unauthorized modifications or new credentials created on service principals initiated by Commvault applications; deviations from regular login schedules for service principals.
## Response Actions
- Containment measures: Limit access to Commvault management interfaces to trusted networks and administrative systems. Deploy a Web Application Firewall (WAF) to detect and block path-traversal attempts and suspicious file uploads against Commvault applications.
- Eradication steps: Regular credential rotation (at least every 30 days) for associated service principals. Review and revoke excessive administrative consent for Application Registrations and Service Principals in Entra.
- Recovery actions: Implement CISA SCuBA M365 security recommendations.
## Lessons Learned
- Key takeaways: Third-party integrations (like Commvault) utilizing service principals introduce significant risk to the M365 tenant if permissions are not strictly governed.
- What could have been done better: Organizations should regularly review and right-size the privileges granted to integrated third-party service principals, even if they appear functional.
## Recommendations
- Prevention measures for similar incidents:
1. Implement Conditional Access policies (requires Workload ID Premium License) limiting service principal authentication to approved IP address ranges provided by Commvault.
2. Establish mandatory, regular credential rotation policies (minimum 30 days) for all service principals.
3. Rigorously review and limit the access privileges assigned to all application registrations and service principals in Entra ID to the absolute minimum required scope.
4. Increase monitoring on Entra audit/sign-in logs specifically targeting activity from Commvault-related service principals for anomalies (e.g., unusual login times or locations).
5. Implement WAF to protect Commvault application interfaces.