Identity Attacks

SaaS apps are becoming more common, offering enterprises scalable and cost-effective solutions to specific problems. However, this popularity has also made them a target for cyber attackers. One of the main threats is credential theft or identity attacks, where attackers use various techniques to steal user credentials or access.

SquareX provides enterprises with the option to create policies that block login access to different SaaS apps based on granular properties like permissions or the authentication method used (such as SAML, password or OAuth-based SSO), helping them stay one step ahead of these threat actors. For SaaS apps that only support password-based logins, SquareX also allows the creation of policies that prevent password re-use across SaaS apps and ensure good password strength, improving the overall security posture.

In addition, SquareX provides policies to protect users from accessing possible phishing pages that look similar to your organisation's login pages.

Block SaaS Apps with Risky Permissions

Many SaaS apps do not follow best practices, for instance requesting overly broad permissions like full Google Drive access instead of specific file creation permissions. SquareX enables creating policies that enforce best practices, ensuring apps adhere to security standards by granting permissions only as necessary. This approach maintains employee productivity while enhancing security. Policies can be defined on OAuth scopes to either allow or block apps based on their requested permissions. Threat actors also exploit this by creating malicious SaaS apps that mimic legitimate ones. To counter this, stricter policies can permit or deny specific apps based on their client ID. These policies also handle the multi-step permission requests often made by SaaS apps.
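
A scope and client ID check of this kind can be sketched as follows. This is an added example, not SquareX's policy format or code: the POLICY object, the evaluateAuthRequest function and the client IDs are hypothetical and constructed for illustration. Each step of a multi-step request is evaluated as its own authorization request.

```javascript
// Hypothetical policy shape for illustration; not SquareX's policy format.
const POLICY = {
  allowedClientIds: new Set(["1111-approved.apps.googleusercontent.com"]), // constructed
  allowedScopes: new Set([
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/drive.file", // per-file access only
  ]),
};

// Decide allow/block for one OAuth 2.0 authorization request URL.
function evaluateAuthRequest(rawUrl, policy = POLICY) {
  let params;
  try {
    params = new URL(rawUrl).searchParams;
  } catch {
    return { action: "block", reason: "unparseable URL", scopes: [] };
  }
  // A look-alike app cannot reuse the approved app's registration,
  // so its client_id differs even if its name and logo match.
  const clientId = params.get("client_id");
  if (!clientId || !policy.allowedClientIds.has(clientId)) {
    return { action: "block", reason: "client_id not approved", scopes: [] };
  }
  // Scopes are a space-delimited list (RFC 6749 section 3.3).
  const requested = (params.get("scope") || "").split(/\s+/).filter(Boolean);
  const excess = requested.filter((s) => !policy.allowedScopes.has(s));
  if (excess.length > 0) {
    return { action: "block", reason: "scope not allowed", scopes: excess };
  }
  return { action: "allow", reason: "client and scopes approved", scopes: [] };
}

// Constructed sample requests: a narrow first step, a later step that
// asks for full Drive access, and an app with an unapproved client ID.
const AUTH = "https://accounts.google.com/o/oauth2/v2/auth?response_type=code";
const GOOD = "1111-approved.apps.googleusercontent.com";
const SAMPLES = {
  step1: `${AUTH}&client_id=${GOOD}&scope=openid%20email`,
  step2: `${AUTH}&client_id=${GOOD}&include_granted_scopes=true` +
    `&scope=${encodeURIComponent("https://www.googleapis.com/auth/drive")}`,
  lookalike: `${AUTH}&client_id=9999-unknown.apps.googleusercontent.com&scope=openid`,
};

for (const [name, url] of Object.entries(SAMPLES)) {
  console.log(name, evaluateAuthRequest(url));
}
```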

Protect employees against tenant impersonation

SquareX helps protect employees from tenant impersonation by allowing policies that block logins unless they occur through a designated SSO method like OAuth or SAML, and specifically for the organization's tenant. This ensures that authentication attempts outside of approved SSO channels are blocked, preventing unauthorized access.

Policies Against Evasion Tactics by AiTM Phishing Pages

To effectively combat evasion tactics used by AiTM (Adversary in the Middle) phishing pages, robust policies are essential. Attackers often obfuscate code and text within their source code or block proxies from reading their actual content to evade detection. They also use Browser in the Middle (BiTM) based platforms or obscure the phishing platform signatures to make detection even more difficult. SquareX empowers organizations to create policies that utilize advanced techniques like rules-based on-screen OCR (Optical Character Recognition). These policies allow blocking pages by matching the content actually visible on the page against the organization's SSO login page, effectively countering AiTM detection evasion.

Preventing Password Reuse Across SaaS Apps

SquareX helps protect against password re-use across various SaaS applications, even when these apps lack Single Sign-On (SSO) support. It can be used to create policies that require a unique password for each application, enhancing overall security posture. It also allows organizations to create policies that require new passwords to be stronger, based on a strength score.

Protect Employees from Device ID Phishing

SquareX allows organizations to create policies that prevent device code phishing attempts, a method where attackers exploit the device authentication processes used by devices such as smart TVs or CLI tools. Attackers often use carefully crafted phishing emails to distribute such links along with a device code. SquareX's policies can block unauthorized access attempts by blocking device-code-based login links. This helps mitigate the risk of attackers gaining access tokens.

Block file uploads to drive.google.com when not logged into the company Google Workspace account

SquareX allows creation of identity-aware policies to manage file uploads directly within the browser. This capability allows SquareX to enforce rules based on the user's identity context within SaaS platforms. For example, it can restrict the upload of files to Google Drive by allowing it to continue only if users are logged into their company's Google Workspace account.

Block advanced Browser-in-the-browser attacks

There are classes of attacks that are orchestrated entirely within the browser, into which neither cloud proxies nor endpoint security have visibility. One such attack is the Browser-in-the-browser (BitB) phishing attack, where a browser view is embedded within a page, appearing as a window popup. Users get tricked into entering their data into these seemingly unassuming pages. Enterprises can leverage SquareX to block employees from facing BitB attacks. For instance, if an enterprise is using Okta for authentication, a simple site content policy in SquareX can check for Okta login content against the domain. A demonstration of this is shown against the recent and ongoing ‘Steamcommunity’ phishing attack that is propagated through Discord. Simply using a screenshot of the actual phishing page, you can see the power of SquareX’s detection technology.

Enforce strong passwords

Are all employees in your organization using strong passwords for daily web application logins? Can you accurately collect those data points, or enforce rules for them to do so? If you are using a web proxy or an endpoint security solution, there’s a high chance that you won’t be able to enforce such a policy. Many sites encrypt the password before it is sent through the network, rendering the password data opaque to the security solutions. Strong passwords help defend against brute force attacks and password spraying. With SquareX, admins can create a policy to enforce the use of strong passwords by employees across the whole world wide web. To do so, use the AI policy generator with the prompt 'Only allow passwords with strength score more than 3'. The expected outcome would be:

Block phishing attacks originating from Legitimate Services

Attackers are leveraging popular services such as SharePoint and Office Forms to spread phishing links. These are difficult to detect because the source is a legitimate website, and threat intel databases usually take a while to blacklist new phishing sites, leaving room for attacks on the organisation. With SquareX, administrators can take a preemptive measure and create policies to block all websites with login forms that originate from SharePoint (excluding trusted login pages).

Defending Against Multi-Hop Phishing Attacks Using SharePoint Links

Employees often receive phishing links from attackers posing as legitimate firms. These links lead to SharePoint pages prompting document access, ultimately asking for credentials. SquareX allows the creation of policies that block such sophisticated phishing attempts by analysing the visit or navigation path.