Intercepting a SaaS Credential Harvest Targeting a Healthcare MSP

The Challenge: When the Supply Chain Is the Attack Surface

A managed service provider serving regional healthcare networks was alerted by one of their clients to suspicious activity in their Microsoft 365 tenant. Several mailboxes had been accessed from an IP address geolocated to Southeast Asia — a region with no legitimate business presence for the client. Critically, each access event showed a successful authentication with no MFA step recorded. 

The MSP’s initial investigation pointed to a compromised help desk account. The help desk technician in question had a history of clean device audits and no known phishing exposure. However, the technician routinely managed client tenants through a browser-based RMM portal using saved credentials. The MSP began to suspect that the compromise originated not from a phishing attack, but from an endpoint-level exfiltration of the technician’s entire browser profile. 

Given the sensitivity of the data in the affected healthcare tenants — including patient records and billing systems — the MSP needed to determine the scope of the compromise rapidly and confirm whether other client environments had been accessed using the same stolen sessions. 

The Strategy: Mapping the Full Blast Radius 

The MSP deployed Constella Identity Threat Monitoring and configured Business & Domain Monitoring across their own corporate domain as well as the domains of their ten highest-risk healthcare clients. They also enabled Infostealer Signal Detection specifically for the RMM and SaaS portals used by their technical staff. 

Constella’s retrospective analysis returned an immediate hit: a Raccoon Stealer log posted to a private dark web forum three weeks prior contained the help desk technician’s complete browser profile. The log included active session tokens for the Microsoft 365 Admin Center, the RMM portal, and two healthcare client tenants, alongside the technician’s saved credentials for seven additional platforms. 

Critically, Identity Fusion was able to correlate the infected device’s hostname with a workstation that had recently been flagged for a routine Windows Defender alert — an alert that had been auto-dismissed as a low-severity false positive. The infostealer had been resident on the device for 23 days before the MSP’s client noticed the anomalous access. 

How can MSPs detect when a technician’s session tokens have been stolen?

MSPs can detect stolen session tokens by monitoring dark web infostealer log repositories for browser data tied to their technicians' corporate email addresses and to the domains of the SaaS tools they manage. Constella's Business & Domain Monitoring automatically flags any infostealer log containing session cookies or saved credentials associated with monitored domains. Each alert carries attribution data, including the infected device's hostname, IP address, and malware family, so the MSP can scope the full blast radius of a credential theft event before client environments are further compromised.
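As an added illustration (not Constella's code or an interface it exposes), the following Python routine applies the matching described above to a constructed stealer-log record: it flags cookies and saved credentials that belong to monitored domains and returns them together with the attribution fields the paragraph names. The record contents, hostnames, domains and users are all constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample record, shaped like a parsed infostealer log entry.
# Hostname, IP, users and domains are illustrative placeholders, not real data.
SAMPLE_LOG = {
    "hostname": "HD-TECH-07",
    "ip": "198.51.100.23",
    "malware_family": "Raccoon Stealer",
    "cookies": [
        {"domain": ".login.microsoftonline.com", "name": "auth_session"},
        {"domain": "rmm.msp-example.com", "name": "sessid"},
        {"domain": ".shop.example.net", "name": "cart"},
    ],
    "credentials": [
        {"url": "https://portal.clinic-example.org/login", "user": "tech@msp-example.com"},
        {"url": "https://forum.example.net/login", "user": "personal@mail.example"},
    ],
}


def _in_scope(host, monitored):
    """True if host equals a monitored domain or is a subdomain of one."""
    host = host.lstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in monitored)


def scope_stealer_log(log, monitored_domains):
    """Flag cookies and saved credentials tied to monitored domains.

    Session-cookie hits are listed before credential hits: a replayed cookie
    drops the attacker into an already-authenticated session with no MFA
    prompt, so those sessions are the first thing to revoke.
    """
    monitored = {d.lower() for d in monitored_domains}
    hits = []
    for c in log.get("cookies", []):
        if _in_scope(c["domain"], monitored):
            hits.append({"kind": "session_cookie",
                         "domain": c["domain"].lstrip("."), "detail": c["name"]})
    for cred in log.get("credentials", []):
        site = urlparse(cred["url"]).hostname or ""
        user_domain = cred["user"].rpartition("@")[2]  # corporate address check
        if _in_scope(site, monitored) or _in_scope(user_domain, monitored):
            hits.append({"kind": "saved_credential",
                         "domain": site, "detail": cred["user"]})
    return {"attribution": {k: log.get(k) for k in ("hostname", "ip", "malware_family")},
            "hits": hits}
```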

The Result: Full Scope Containment Across a Multi-Client Environment 

  • Immediate Scope Assessment: Constella’s alert provided a complete list of every application session token contained in the stolen log, allowing the MSP to immediately map which client environments were at risk rather than investigating one incident at a time. 
  • Coordinated Revocation: Within two hours, the MSP’s SOC had invalidated sessions and forced password resets across all affected platforms, including the Microsoft 365 tenants of three healthcare clients whose portals had valid session cookies in the stolen log. 
  • Regulatory Notification Triage: Because Constella's alert confirmed that the stolen sessions had only been accessed from a single external IP address (traced to known threat-actor infrastructure), the MSP was able to provide forensic evidence to its healthcare clients demonstrating that HIPAA-regulated patient data had been accessed but not downloaded, materially narrowing the scope of required breach notification.
  • Strategic Outcome: The MSP implemented a new policy requiring all technician browser sessions to be managed through an isolated, company-provisioned virtual machine enrolled in MDM, eliminating the unmanaged personal device risk that had enabled the initial infection. 
