Monthly report · Jan 30, 2026 · 9 min read

January 2026 monthly report: identity perimeter under siege

Two years after Snowflake, the credential-theft + SaaS-misconfiguration pattern is the most consistent breach vector we triage. A digest of the real incidents and CVEs that should anchor your January retrospective.

Aarav Mehta
Senior security consultant · Staatse

The pattern that won't go away

Every January we run a retrospective on what changed in the threat landscape, and every January the answer is the same: identity is still the perimeter, and the perimeter is still leaking. The Snowflake customer compromises of 2024 (UNC5537), the Microsoft Midnight Blizzard breach disclosed in January 2024, and the Cloudflare-via-Okta incident of late 2023 - all three remain instructive now because the same underlying configuration choices are still present in environments we audit today.

  • 165+ Snowflake customers affected in the UNC5537 campaign (Mandiant)
  • 68% of 2024 breaches involved the human element (DBIR)
  • 194 days average detection time (IBM 2024)
  • $4.88M average cloud breach cost (IBM 2024)

Real incidents you should still be studying

| Incident | Year | Root cause | What it teaches |
|---|---|---|---|
| Snowflake customer compromises | 2024 | No MFA enforced on tenant | MFA enforcement, not "available" |
| Microsoft Midnight Blizzard | 2023-24 | Legacy tenant + OAuth app | OAuth app audit cadence |
| Cloudflare (via Okta) | 2023-24 | Partial token rotation | Post-vendor-incident rotation |
| Okta HAR file theft | 2023 | Customer support data exposure | Vendor session token hygiene |

None of these incidents needed a zero-day. Snowflake credentials were harvested from infostealer logs (some 3+ years old). Midnight Blizzard used a legacy tenant with no MFA. Cloudflare's tokens hadn't been rotated after Okta announced its breach.

The control gap is configuration, not patching.

Active CVE: CVE-2024-7593 - Ivanti vTM

Ivanti's August 2024 advisory disclosed CVE-2024-7593 in Ivanti Virtual Traffic Manager - an authentication bypass in the admin panel allowing remote attackers to create a rogue administrator account. The CVE was added to CISA KEV the same month. We continue to see unpatched Ivanti vTM instances on perimeter scans 18 months later.

The January control audit

1. SaaS MFA enforcement review

For every SaaS tenant (Snowflake, Salesforce, Atlassian, GitHub, Okta, Entra), confirm MFA is enforced, not "available". Confirm there's no SSO bypass for emergency accounts in actual use. This is the single control that would have prevented the Snowflake campaign on every affected tenant.

2. OAuth application audit

Audit every third-party OAuth app granted directory-wide or mailbox-read permissions in Entra ID and Google Workspace. Revoke any unused since the audit baseline. This is the Midnight Blizzard control specifically.

3. Vendor-incident token rotation

For every SaaS vendor that announced a security incident in the past 12 months, confirm complete rotation of API keys, OAuth client secrets, and service-account credentials. Partial rotation is the attacker's foothold (Cloudflare 2023).

4. Legacy tenant inventory

List every M365 / Entra / Google Workspace tenant that's not your production tenant. For each, confirm MFA enforcement and conditional access. The legacy non-prod tenant is the Midnight Blizzard entry point.
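The four controls above reduce to four questions over inventory data you already export from each tenant. The script below is an added example, not Staatse's tooling, and it runs offline over constructed sample records: the record shapes and field names (`password_login`, `mfa_enforced`, `last_used`, `rotated_on`, `conditional_access`) are assumptions, not any vendor's export format, and the vendor incident date is made up. The scope names in `HIGH_RISK_SCOPES` are real Microsoft Graph permission names; everything else is placeholder data.

```python
"""Offline identity-perimeter audit across the four January controls.

Added example, not Staatse's tooling. Record shapes and field names are
assumptions, not a vendor export format; sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Real Microsoft Graph permission names that grant directory-wide or mailbox-read access.
HIGH_RISK_SCOPES = frozenset({
    "Directory.Read.All", "Directory.ReadWrite.All",
    "User.Read.All", "Mail.Read", "Mail.ReadWrite",
})

@dataclass(frozen=True)
class User:
    tenant: str
    name: str
    password_login: bool   # can authenticate with a password, bypassing SSO
    mfa_enforced: bool     # required by policy, not merely enrolled

@dataclass(frozen=True)
class OAuthGrant:
    app: str
    scopes: FrozenSet[str]
    last_used: Optional[date]   # None: no use observed at all

@dataclass(frozen=True)
class Credential:
    vendor: str
    name: str
    rotated_on: Optional[date]  # None: never rotated

@dataclass(frozen=True)
class Tenant:
    name: str
    production: bool
    mfa_enforced: bool
    conditional_access: bool

def users_without_mfa(users: List[User]) -> List[str]:
    """Control 1: password-capable accounts with no MFA requirement."""
    return sorted(f"{u.tenant}:{u.name}"
                  for u in users if u.password_login and not u.mfa_enforced)

def stale_high_privilege_apps(grants: List[OAuthGrant], baseline: date) -> List[str]:
    """Control 2: directory-wide / mailbox-read apps unused since the baseline."""
    return sorted(g.app for g in grants
                  if g.scopes & HIGH_RISK_SCOPES
                  and (g.last_used is None or g.last_used < baseline))

def incomplete_rotations(creds: List[Credential], incidents: Dict[str, date]) -> List[str]:
    """Control 3: credentials of a breached vendor not provably rotated after the
    announcement. Rotation on the announcement day is flagged too, since it cannot
    be shown to postdate the compromise window."""
    return sorted(f"{c.vendor}/{c.name}" for c in creds
                  if c.vendor in incidents
                  and (c.rotated_on is None or c.rotated_on <= incidents[c.vendor]))

def unguarded_nonprod_tenants(tenants: List[Tenant]) -> List[str]:
    """Control 4: non-production tenants lacking MFA enforcement or conditional access."""
    return sorted(t.name for t in tenants
                  if not t.production and not (t.mfa_enforced and t.conditional_access))

# Constructed sample inventory (not real data).
BASELINE = date(2025, 10, 1)
VENDOR_INCIDENTS = {"vendor-a": date(2025, 9, 15)}  # constructed announcement date
SAMPLE_USERS = [
    User("snowflake", "etl_loader", password_login=True, mfa_enforced=False),
    User("snowflake", "analyst1", password_login=True, mfa_enforced=True),
    User("github", "breakglass-admin", password_login=True, mfa_enforced=False),
    User("okta", "svc-sync", password_login=False, mfa_enforced=False),  # SSO-only
]
SAMPLE_GRANTS = [
    OAuthGrant("Mail Archiver", frozenset({"Mail.Read"}), date(2025, 6, 3)),
    OAuthGrant("HR Sync", frozenset({"User.Read.All"}), date(2026, 1, 20)),
    OAuthGrant("Chat Integration", frozenset({"User.Read"}), None),  # low privilege
    OAuthGrant("Legacy Reporting", frozenset({"Directory.Read.All"}), None),
]
SAMPLE_CREDENTIALS = [
    Credential("vendor-a", "api-key-ci", date(2025, 9, 16)),
    Credential("vendor-a", "service-token-legacy", None),
    Credential("vendor-a", "oauth-client-secret", date(2025, 9, 15)),
    Credential("vendor-b", "webhook-secret", None),  # vendor-b had no incident
]
SAMPLE_TENANTS = [
    Tenant("contoso-prod", True, True, True),
    Tenant("contoso-legacy-test", False, False, False),
    Tenant("contoso-dev", False, True, True),
    Tenant("contoso-sandbox", False, True, False),
]

def run_audit() -> Dict[str, List[str]]:
    """Return findings keyed by control; an empty list means the control passed."""
    return {
        "mfa_not_enforced": users_without_mfa(SAMPLE_USERS),
        "stale_high_privilege_apps": stale_high_privilege_apps(SAMPLE_GRANTS, BASELINE),
        "incomplete_rotations": incomplete_rotations(SAMPLE_CREDENTIALS, VENDOR_INCIDENTS),
        "unguarded_nonprod_tenants": unguarded_nonprod_tenants(SAMPLE_TENANTS),
    }

if __name__ == "__main__":
    for control, findings in run_audit().items():
        print(f"{control}: {findings or 'PASS'}")
```

Two design choices matter here. A credential rotated on the vendor's announcement day is flagged, not cleared: partial rotation is exactly the Cloudflare gap, and a same-day timestamp cannot prove the new secret postdates the attacker's access. And the MFA check keys on whether a password can be used at all, so an SSO-only service account does not count as a gap while a break-glass admin that still has a password does.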

Control maturity baseline

  • MFA enforced (all SaaS): 62%
  • OAuth app review quarterly: 44%
  • Legacy tenant inventory: 31%
  • Post-vendor rotation playbook: 38%
  • SaaS-to-SaaS detection: 22%

If your January roadmap doesn't include an MFA-enforcement audit across every SaaS tenant, the rest of the year's security investments are working uphill. The 2024 incident catalogue is unanimous on this point.

- Staatse monthly digest, Jan 2026
[Fig 1 · Distribution of 2024 cloud-breach root causes, identity vs CVE. Source: Verizon DBIR 2024, Mandiant M-Trends 2024.]

Key takeaways

  • The 2024 cloud incident catalogue is overwhelmingly credential-theft, not CVE-exploitation. MFA enforcement is still the single highest-leverage control.
  • Vendor-incident token rotation must be complete - the Cloudflare case is the standing reference for why.
  • OAuth applications with directory-wide permissions are the Midnight Blizzard lateral-movement vehicle - audit them quarterly.
  • CVE-2024-7593 (Ivanti vTM) is still in KEV and still unpatched in environments we scan - perimeter appliances need a separate inventory.

Closing

For a structured Q1 identity review against your Snowflake, Entra, Okta, and Google Workspace tenants, our cloud penetration testing service includes that scoping. Get in touch.

References & further reading

  1. Mandiant: UNC5537 targets Snowflake customer instances for data theft and extortion
  2. Microsoft MSRC: Midnight Blizzard nation-state attack on Microsoft corporate systems
  3. Cloudflare: Thanksgiving 2023 security incident retrospective
  4. Okta: October 2023 customer support system breach
  5. CISA: Known Exploited Vulnerabilities catalog
  6. NVD: CVE-2024-7593 - Ivanti Virtual Traffic Manager authentication bypass
  7. NIST: SP 800-207, Zero Trust Architecture
  8. Verizon: 2024 Data Breach Investigations Report - credential theft trends