Global Technology Firm Detects Lumma Stealer SSO Credential Exposure 36 Hours Before Ransomware Deployment
Executive Summary
The infostealer-to-ransomware pipeline has compressed to a timeline that most enterprise security programs were not designed to match. Research published in early 2026 documented the full lifecycle: infection to dark web marketplace listing in under 48 hours, and ransomware deployment commonly following within 48 hours of the credentials appearing for sale. The entire chain, from a malware infection on an unmanaged personal device to an encrypted corporate infrastructure, can be completed in under four days. For organizations operating on weekly threat review cycles and breach detection timelines measured in weeks, that compression is not a gap. It is a structural vulnerability.
This case study examines how a global technology company closed that gap. A Lumma Stealer infection on a developer’s personal laptop harvested an active Microsoft Entra ID session cookie and VPN credentials before self-deleting without a trace. Constella’s continuous infostealer monitoring detected the harvested log within hours of its appearance on an underground marketplace, 36 hours before forensic analysis estimated an Initial Access Broker would have completed the ransomware staging process. The session was invalidated, the credentials rotated, and the IAB’s first authentication attempt failed against credentials that no longer existed.
The Context: Why SSO Credentials Have Become the Primary Ransomware Entry Point
The enterprise identity landscape has undergone a structural shift that the infostealer economy recognized before most security programs did. As organizations consolidated authentication around centralized identity platforms (Microsoft Entra ID, Okta, AWS IAM Identity Center, and similar providers), they created a single credential that unlocks not one system but every system connected to that identity provider. A single valid Entra ID session does not grant access to one application. It grants access to every application integrated with Entra ID, which in a typical enterprise means email, cloud infrastructure, internal SaaS tools, VPN, remote management platforms, and collaboration systems simultaneously.
Research published by Flare in February 2026, analyzing 18.7 million infostealer logs from 2025, found that more than one in ten infections already contained enterprise SSO or identity provider credentials. By late 2025, that rate had risen to 16% of infections, and projections placed it at one in five by the third quarter of 2026. Microsoft Entra ID appeared in 79% of enterprise identity logs in the dataset. The acceleration reflects a deliberate targeting shift: infostealer operators, and the Initial Access Brokers who purchase their output, have identified SSO credentials as the highest-value harvest available from any infected device.
For the security team at this organization, that context was not abstract. They had integrated Constella’s infostealer monitoring into their SOC workflow specifically because they recognized that their EDR coverage had a boundary: managed corporate devices. The developer population, which routinely worked across personal and corporate devices and used browser-saved credentials for convenience, sat partially outside that boundary. If a personal device was infected, the EDR would not see it. The only signal would be external, appearing on a criminal marketplace where the harvested log was listed for sale.
The Infection: Lumma Stealer on an Unmanaged Device
The infection vector was consistent with the most common Lumma Stealer distribution pattern in 2025 and 2026: a malicious software crack distributed through a pirated developer tooling repository. The developer, working from a personal laptop while traveling, downloaded what appeared to be a licensed version of a commonly used code analysis tool. The download contained a Lumma Stealer payload embedded alongside the functional software.
Lumma Stealer, the fastest-growing infostealer through 2025 and into 2026, operates with a specific targeting profile. It prioritizes browser-stored session cookies, particularly for SSO providers including Microsoft, Google, Okta, and AWS. It harvests VPN credentials, cryptocurrency wallets, and SSH keys as secondary targets. Its anti-analysis capabilities are sophisticated: on this device, the payload executed, completed data collection, packaged the output into a structured log file, transmitted the log to its command-and-control infrastructure, and deleted itself, all within approximately 40 minutes of execution. The functional software the developer believed they had downloaded launched normally afterward. There was no user-visible indication that anything had occurred.
The harvested log contained:
- An active Microsoft Entra ID session cookie with a remaining validity window of approximately 18 hours, generated during the developer’s most recent authentication to the organization’s cloud environment.
- Saved browser credentials for the organization’s VPN gateway, including the URL, username, and password.
- An Okta session token from the partner access portal, still active.
- Device identifiers for the infected machine, including the HWID, system locale, and installed software inventory.
- Browsing history and autofill data from Chrome and Firefox profiles on the device.
Within hours of the log’s collection, it was packaged and uploaded to Russian Market, an underground marketplace that specializes in fresh infostealer credential sales and applies a freshness premium to logs collected within the preceding 24 to 48 hours. The listing price reflected the Entra ID session cookie: enterprise SSO credentials with confirmed active sessions command significantly higher prices than standard credential pairs. The log was purchased by an Initial Access Broker within hours of listing.
The Detection Gap This Attack Was Designed to Exploit
The organization’s security architecture was mature by the standards of its peer group: enterprise-wide EDR coverage on all corporate devices, phishing-resistant MFA on all remote access, SIEM-based anomaly detection with dedicated SOC analyst coverage, a quarterly vulnerability management program, and a threat intelligence subscription providing IOC feeds and dark web keyword monitoring.
None of these controls had visibility into what had happened. The infection occurred on a personal device outside the EDR policy boundary. The Lumma Stealer payload self-deleted before any behavioral detection could fire. The session cookie was valid, meaning no anomalous authentication event had occurred yet. The SIEM had no log of the infection, the harvest, or the marketplace listing. The threat intelligence keyword monitoring was domain-based, not log-based, and the log had not yet been used to attempt authentication against the organization’s systems.
The attack was structurally invisible to every internal detection control the organization operated. The only place where it was visible was external, on the criminal marketplace where the log was listed, and in the infostealer package feed where Constella’s monitoring operates continuously.
The Solution: Continuous Infostealer Package Monitoring
Constella’s monitoring operates against the organization’s corporate domains and identity population continuously across breach repositories, paste sites, dark web forums, and, critically, infostealer package feeds. When a newly ingested infostealer package contains credentials, session cookies, or device identifiers associated with a monitored domain, Constella generates an alert with the full package context: the specific URLs and applications with active sessions captured, the malware strain responsible, the infected device’s hardware metadata, and the recency of the log.
Approximately nine hours after the developer’s personal device was infected, Constella’s monitoring flagged the organization’s Entra ID domain in a newly ingested Lumma Stealer package. The alert reached the SOC analyst on duty within minutes of ingestion. The alert payload included:
- Session data: Active Entra ID session cookie for the organization’s tenant, with the specific authentication domain and estimated remaining session validity.
- VPN credentials: Username and plaintext password for the organization’s VPN gateway URL.
- Okta session: Active partner portal session token.
- Malware attribution: Lumma Stealer variant, version signature consistent with the distribution wave active in that period.
- Device metadata: HWID, system locale confirming a non-corporate-inventory device, and software profile.
- Marketplace context: Log listed on Russian Market within the preceding six hours, purchase activity detected.
The alert was high-confidence, current, and operationally complete. The analyst did not need to investigate whether the alert was real. Every field confirmed it was. The question was how fast the team could execute remediation before the IAB’s purchased access was deployed.
The Response: 90 Minutes from Alert to Full Remediation
The SOC escalated to the identity security team immediately. Remediation executed in parallel across four tracks:
- Session invalidation: The Entra ID session associated with the developer’s account was revoked across all connected applications. The Okta session was terminated simultaneously. This closed the MFA bypass window: the IAB could not replay the stolen session cookies against a revoked session.
- Credential rotation: The developer’s VPN credentials were reset and the account locked pending re-enrollment. The VPN gateway URL from the Constella alert was confirmed as an active organization endpoint, and the specific credential pair was invalidated at the gateway level before any authentication attempt could succeed.
- Developer notification and device triage: The developer was contacted and guided through a personal device wipe and OS reinstall procedure. The device was confirmed as personal and outside corporate MDM, so remote wipe was not available, but the developer completed the reinstall within the incident window.
- Scope assessment via Hunter: The SOC used Constella’s Hunter platform to pivot from the specific log to the broader Lumma Stealer campaign, confirming that no other organizational identities appeared in packages from the same distribution wave. The scope was confirmed as a single device, single identity compromise.
Total time from Constella alert to confirmed full remediation: 88 minutes.
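The triage logic implied by the alert payload above and the first two remediation tracks (session invalidation, credential rotation) can be expressed in code. The following is an added illustration, not Constella’s or the organization’s tooling: it parses a constructed stealer-log excerpt in the plain-text credential and Netscape cookie layouts such logs commonly use, matches entries against placeholder monitored hosts, and derives which sessions to revoke and which credential pairs to rotate. All hostnames, usernames and the `sample_log` contents are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed placeholders for the monitored estate (not values from the case study).
MONITORED_HOSTS = {"vpn.example-corp.com", "example-corp.okta.com"}
SSO_COOKIE_HOSTS = {"login.microsoftonline.com": "Entra ID", "example-corp.okta.com": "Okta"}

def parse_credentials(text):
    """Parse the 'URL:/USER:/PASS:' blocks stealer logs commonly use."""
    blocks = [dict(l.partition(":")[::2] for l in b.splitlines() if ":" in l) for b in text.strip().split("\n\n")]
    return [{k.strip().lower(): v.strip() for k, v in b.items()} for b in blocks]

def parse_cookies(text):
    """Parse Netscape cookie lines: domain, flag, path, secure, expiry, name, value."""
    rows = [line.split("\t") for line in text.splitlines()]
    return [{"domain": p[0].lstrip("."), "expires": int(p[4]), "name": p[5]} for p in rows if len(p) == 7]

def triage(credentials, cookies, now):
    """Revoke still-valid SSO sessions (the MFA-bypass window) and rotate corporate credential pairs.
    Assumption: cookies are matched on provider host only; a real feed attributes the tenant via the account."""
    revoke, rotate, hours_left = [], [], 0.0
    for c in cookies:
        remaining = (c["expires"] - now.timestamp()) / 3600
        if c["domain"] in SSO_COOKIE_HOSTS and remaining > 0:
            revoke.append(SSO_COOKIE_HOSTS[c["domain"]])
            hours_left = max(hours_left, remaining)
    for r in credentials:
        host = urlsplit(r.get("url", "")).hostname or ""
        if host in MONITORED_HOSTS:   # personal-site logins are out of scope
            rotate.append(f"{r.get('user')}@{host}")
    return {"revoke_sessions": revoke, "rotate_credentials": rotate,
            "max_session_hours_remaining": round(hours_left, 1)}

def sample_log(now):
    """Constructed excerpt: a corporate VPN pair, a personal login, SSO cookies valid ~18h, one expired cookie."""
    exp = int((now + timedelta(hours=18)).timestamp())
    creds = ("URL: https://vpn.example-corp.com/remote/login\nUSER: jdoe\nPASS: <redacted>\n\n"
             "URL: https://forum.example.net/login\nUSER: jdoe@gmail.com\nPASS: <redacted>\n")
    cookies = (f"login.microsoftonline.com\tFALSE\t/\tTRUE\t{exp}\tESTSAUTH\t<redacted>\n"
               f"example-corp.okta.com\tFALSE\t/\tTRUE\t{exp}\tsid\t<redacted>\n"
               "forum.example.net\tFALSE\t/\tTRUE\t0\tsession\t<redacted>\n")
    return creds, cookies

def demo(now=None):
    now = now or datetime.now(timezone.utc)
    creds, cookies = sample_log(now)
    return triage(parse_credentials(creds), parse_cookies(cookies), now)
```

Running `demo()` yields two sessions to revoke (Entra ID, Okta), one VPN credential pair to rotate, and roughly 18 hours of remaining session validity, which is the window the analyst is racing against.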
The Result: The IAB’s Access Attempt Failed
Forensic analysis conducted in the 72 hours following the incident established the timeline that made the outcome measurable. Log analysis from the VPN gateway confirmed that an authentication attempt against the developer’s VPN credentials was made from an IP address associated with known Initial Access Broker infrastructure approximately 36 hours after the Constella alert was received. The attempt was rejected because the credentials had already been rotated. Two subsequent attempts over the following four hours, using credential variants consistent with IAB testing methodology, also failed.
The organization’s threat intelligence team, analyzing the IAB’s infrastructure and trading patterns through Hunter, assessed the typical sequence following successful VPN entry by this actor cluster: internal reconnaissance via RMM tooling, domain controller access, backup system enumeration, and ransomware staging, with an estimated deployment timeline of 24 to 48 hours from initial VPN access. At the point of the failed authentication attempt, the estimated timeline to ransomware deployment was 36 hours.
The Constella alert had been received 36 hours earlier. Remediation had completed 88 minutes after the alert. The IAB’s first authentication attempt failed against credentials that had been rotated 34 hours prior.
Key Outcomes:
- Lumma Stealer infostealer log detected within 9 hours of infection, before any internal security control had generated a signal.
- Full remediation (session invalidation, credential rotation, and scope assessment) completed in 88 minutes from alert receipt.
- IAB’s VPN authentication attempt, confirmed 36 hours after the Constella alert, failed against already-rotated credentials.
- Estimated ransomware deployment timeline at point of detection: 36 hours. Actual outcome: zero access, zero encryption, zero ransom.
- Hunter pivot confirmed single-device, single-identity scope. No additional organizational identities exposed in the same campaign wave.
Lumma Stealer does not attempt to bypass MFA at the authentication layer. It harvests session cookies after MFA has already been satisfied by the legitimate user. An active session cookie is the browser’s record that authentication, including MFA, was completed successfully. When an attacker replays a stolen session cookie, the target system treats the request as a continuation of a session that was already authenticated. No MFA challenge is triggered because the challenge was already answered by the real user during the original session. Preventing this attack requires detecting the cookie theft before the stolen session is replayed, which is precisely what Constella’s infostealer monitoring is designed to do.
The developer’s personal laptop was outside the organization’s EDR policy boundary. Enterprise EDR deployments cover managed, corporate-enrolled devices. Personal devices used to access corporate systems, particularly in developer populations where this is common, sit outside that boundary. The only internal indicator that the device was infected would have been a behavioral anomaly on the device itself, which the EDR was not present to observe. Constella’s external monitoring fills this gap by watching criminal markets rather than managed endpoints. The signal appeared externally, on the marketplace where the log was listed, before it appeared internally as an authentication event.
Three factors compressed the response time. First, the alert contained specific, verified operational context rather than a low-fidelity indicator requiring investigation: the exact session domain, the VPN gateway URL, the malware strain, and the marketplace purchase confirmation. The analyst’s first task was escalation, not validation. Second, the identity security team had pre-established incident response procedures for infostealer session compromise that could be executed immediately without a planning phase. Third, Constella’s Hunter platform provided instant scope assessment, confirming the breach was contained to a single identity rather than requiring hours of manual OSINT to determine the blast radius. The combination of high-quality intelligence and pre-established procedures is what made 88 minutes possible.
SSO credentials represent a multiplicative access event rather than a single-system compromise. A valid Microsoft Entra ID session does not provide access to one application. It provides access to every application integrated with that tenant, which in a typical enterprise includes email, cloud infrastructure, internal SaaS platforms, VPN, remote management tools, and collaboration systems. The IAB economy prices access accordingly: an Entra ID session with confirmed enterprise access commands significantly more than standard credential pairs because the downstream value to a ransomware operator is proportionally higher. Research from early 2026 found Microsoft Entra ID appearing in 79% of enterprise identity logs in infostealer datasets, reflecting deliberate targeting of the identity provider with the broadest enterprise footprint.
Conclusion
The infostealer-to-ransomware pipeline is not a theoretical threat model. It is a documented, repeatable sequence with a compressed timeline that most enterprise security architectures were not designed to match. Infection to dark web listing in under 48 hours. Ransomware deployment within 48 hours of the credentials appearing for sale. The entire chain can be completed before a weekly threat review cycle has even begun.
For this organization, the outcome depended entirely on having a detection capability that operated outside the boundary of their internal controls, watching the criminal marketplace where the threat became visible before it became an incident. Constella’s infostealer monitoring provided that capability. The 36-hour window between detection and the IAB’s first failed authentication attempt was not luck. It was the direct product of detecting the exposure in the external environment where it first appeared, rather than waiting for it to generate an internal signal.