Netskope Global Technical Success (GTS)

UEBA: Compromised Credential Incident Analysis


Netskope Cloud Version - 125


Objective

UEBA - Compromised Credential Incident Analysis


Prerequisite

Netskope UEBA/UBA license is required


Context

A detailed explanation of how Netskope's Compromised Credentials feature works.

Netskope Official Document - Link


Analysis

Path: Netskope Tenant UI >>> Incidents >>> Compromised Credentials

Ref. Image: screenshot of the Compromised Credentials incident detail page (image not reproduced here).

  1. User - peter.johnson@abc.com

This is the official email ID of the end-user for whom the Compromised Credential alert was triggered.

  2. Matched User - pjohnson@gmail.com

This is the personal email ID of the end-user that matched the leaked-credential database and triggered the Compromised Credential alert.

  3. Access Method - Client

The end-user was steering traffic to Netskope via the Netskope Client when the compromised credential alert was triggered.

  4. Source of Info - XSS: grayscale.com Breach (523483 Records)

Based on information from XSS: grayscale.com Breach (523483 Records), the account details linked to the email address pjohnson@gmail.com were compromised and exposed on the dark web on April 30, 2025. Netskope does not possess details regarding the specific level of account information leaked, such as passwords, user personal details, etc.

  5. Application: Microsoft 365 Copilot

The application the user accessed that triggered the compromised credential detection.

  6. Activity: Browse

The activity the user performed that triggered the compromised credential detection.

  7. Incident ID: 459275175

The unique ID of this compromised credential incident (Transaction ID).

  8. Activity Time: 

When the user performed the activity that triggered the compromised credential detection.

  9. Date Compromised - 4/30/2025

The date on which the leaked database from XSS: grayscale.com Breach (523483 Records) was released: 4/30/2025.

  10. Timestamp - 5/7/2025 7:04 AM

The user used the email address pjohnson@gmail.com in a transaction on 5/7/2025 at 7:04 AM.


  • Netskope's Compromised Credential (CC) engine collects information from various sources regarding leaked email data and stores it in a database.
  • This engine monitors every transaction, and if there's a match between a user's email ID used to log in to a web application and the database of leaked email data, Netskope generates a CC alert.
  • In the scenario provided, the user logged in with their Gmail ID, triggering a CC alert because of a match detected by Netskope's engines.
  • A match on a personal Gmail ID is expected and acceptable, but there have been instances where employees registered for non-business applications using their official email IDs.
  • If you see a hit for the domain @abc.com in the Matched User field, please contact the end-user and advise them to update their account passwords.
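The matching flow described in the bullets above, as an added Python example (not Netskope code, and not a description of the internal engine): a constructed leaked-email database is indexed, each transaction's login email is looked up in it, and every hit becomes an incident record carrying the same fields the incident page shows. The triage step implements the last bullet: a hit on the corporate domain gets a "contact the user" action, a hit on a personal domain is informational. The corporate domain abc.com, the second breach record, the second and third transactions and the case-insensitive comparison are all assumptions made for this illustration; the first record and transaction reuse the values from the incident above.

```python
"""Toy re-creation of the Compromised Credential (CC) matching flow.

Added example, not Netskope code. Breach records, transactions and the
corporate domain below are constructed for illustration only.
"""
from dataclasses import dataclass

CORPORATE_DOMAIN = "abc.com"  # assumption: the tenant's official email domain


@dataclass(frozen=True)
class BreachRecord:
    source: str            # becomes "Source of Info" on the incident
    email: str             # leaked email address
    date_compromised: str  # date the leak was released (YYYY-MM-DD)


@dataclass(frozen=True)
class Transaction:
    user: str          # official identity seen on the Netskope Client
    login_email: str   # email the user typed into the web application
    access_method: str
    application: str
    activity: str
    timestamp: str     # ISO 8601


@dataclass(frozen=True)
class CCIncident:
    user: str
    matched_user: str
    source: str
    date_compromised: str
    application: str
    activity: str
    timestamp: str
    corporate_match: bool  # True when the matched email is on CORPORATE_DOMAIN


def build_leak_db(records):
    """Index leaked emails (lower-cased) -> list of breach records."""
    db = {}
    for r in records:
        db.setdefault(r.email.lower(), []).append(r)
    return db


def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()


def evaluate(tx, leak_db):
    """Return one CCIncident per breach record matching tx.login_email.

    Comparison is case-insensitive (an assumption of this example).
    """
    hits = leak_db.get(tx.login_email.lower(), [])
    return [
        CCIncident(
            user=tx.user,
            matched_user=tx.login_email,
            source=h.source,
            date_compromised=h.date_compromised,
            application=tx.application,
            activity=tx.activity,
            timestamp=tx.timestamp,
            corporate_match=domain_of(tx.login_email) == CORPORATE_DOMAIN,
        )
        for h in hits
    ]


def triage(incident):
    """Analyst next step, following the guidance in the article."""
    if incident.corporate_match:
        return "contact user: official email found in breach, rotate passwords"
    return "personal email match: informational, educate user"


# Constructed data: record 1 / transaction 1 mirror the incident on this page,
# the rest are made up to exercise the corporate-domain branch and a no-hit case.
LEAK_DB = build_leak_db([
    BreachRecord("XSS: grayscale.com Breach (523483 Records)", "pjohnson@gmail.com", "2025-04-30"),
    BreachRecord("constructed: example-forum.test dump", "mary.smith@abc.com", "2025-03-12"),
])

TRANSACTIONS = [
    Transaction("peter.johnson@abc.com", "pjohnson@gmail.com", "Client",
                "Microsoft 365 Copilot", "Browse", "2025-05-07T07:04:00"),
    Transaction("mary.smith@abc.com", "Mary.Smith@abc.com", "Client",
                "example-forum.test", "Login Attempt", "2025-05-08T09:15:00"),
    Transaction("john.doe@abc.com", "john.doe@abc.com", "Client",
                "Microsoft 365", "Browse", "2025-05-08T10:00:00"),
]


def run(transactions=TRANSACTIONS, leak_db=LEAK_DB):
    """Evaluate every transaction and return the generated incidents in order."""
    incidents = []
    for tx in transactions:
        incidents.extend(evaluate(tx, leak_db))
    return incidents


if __name__ == "__main__":
    for inc in run():
        print(inc.user, "->", inc.matched_user, "|", inc.source, "|", triage(inc))
```

Running it yields two incidents: the Gmail match is informational, while the abc.com match (despite the different letter case in the login) is flagged for user contact; the third transaction produces nothing because its login email is not in the leak database.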


Recommendations

It's important to educate end-users about the risks associated with using official email addresses for non-sanctioned or non-business applications. Netskope recommends implementing the following security measures:

  • Avoid Using Official Email Addresses: Encourage users not to create accounts on non-sanctioned or non-business applications using their official email addresses. Using personal email addresses for such purposes helps mitigate security risks.
  • Enable Multi-Factor Authentication (MFA): Ensure that all business applications are enabled with multi-factor authentication (MFA). MFA adds an extra layer of security by requiring users to provide additional authentication factors, such as a code sent to their mobile device, in addition to their password.
  • Implement Password Update Policy: Enforce a password update policy to ensure that users regularly update their account passwords. This helps prevent unauthorized access in case of compromised credentials.

By following these recommendations, organizations can enhance their security posture and reduce the risk of unauthorized access to business applications.


Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • If any such platform changes are brought to our attention in the future, we will promptly update the documentation to reflect them.


Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.


What to Read Next?

UEBA: Compromised Credentials - General Q/A Link
UEBA: Compromised Credentials - Q/A attached to Email Notification Link
UEBA: Shared Credentials Incident Analysis Link