Customer story

SaaS / business intelligence platform | Global | Anonymized

Supply-chain ransomware campaign leveraging a compromised SaaS administrator — multi-tenant threat stopped early

A ransomware group weaponized trusted admin pathways inside a business intelligence SaaS. Unit6 saw the compromise, coordinated fast revocation, and blocked cross-customer propagation.

MITRE ATT&CK: T1078 (Valid Accounts), T1098 (Account Manipulation), T1046 (Network Service Discovery), T1482 (Domain Trust Discovery)

The situation

A widely used business intelligence SaaS platform kept privileged administrative access into customer environments for integrations and managed services. Unit6 identified that a Sophisticated Threat Actor had compromised a privileged admin account via a likely watering-hole infection.

What Unit6 detected

  • Theft of a privileged SaaS administrator account with indications of watering-hole origin.
  • Lateral movement within the SaaS provider’s own infrastructure.
  • Abuse of trusted administrative pathways to pivot into multiple customer systems.
  • Pre-ransomware behaviors aligned to Sophisticated Threat Actor tradecraft: credential harvesting, environment enumeration, quiet privilege escalation, and staging for cross-tenant deployment.

Why it mattered

  • Multi-tenant propagation from a single compromised foothold.
  • Simultaneous ransomware deployment across many customers under cover of legitimate admin activity.
  • Detection evasion because activity resembled trusted management operations.
  • High likelihood of delayed or bypassed traditional monitoring across downstream environments.

What Unit6 did

Revoked privileged access immediately

  • Disabled compromised and at-risk admin accounts.
  • Reset and re-enrolled MFA for all privileged users.

Audited platform-wide administrative actions

  • Identified suspicious configuration changes and unknown outbound connections.
  • Flagged potential persistence mechanisms or altered permissions across tenants.

Coordinated cross-tenant defenses

  • Warned all customers maintaining trust relationships with the platform.
  • Recommended short-term segmentation to break lateral paths, and monitored management-plane activity.

Activated ransomware-response readiness

  • Pushed containment rules into EDR and validated segregated backups.
  • Deployed behavioral detections for early-stage ransomware tactics across affected tenants.
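The audit step above (platform-wide administrative actions, suspicious configuration changes, unknown outbound connections, altered permissions across tenants) can be turned into a first-pass triage over the provider's own admin audit log. The following is an added example, not Unit6's tooling or the platform's code: the JSON-lines log format, the field names, the baseline address table and the thresholds are assumptions constructed for this illustration. It flags the three signals the story calls out: admin actions from an address outside the actor's known baseline, permission or persistence changes (role grants, API tokens, outbound webhooks, MFA resets, mapped to ATT&CK T1098), and a single identity fanning out across several tenants in a short window, which is what cross-tenant staging looks like in the management plane.

```python
"""First-pass triage of a SaaS provider's admin audit log for cross-tenant abuse.

Added example, not Unit6's tooling. Log format (JSON lines with ts, tenant,
actor, action, source_ip, target), the baseline table and the thresholds are
assumptions constructed for this illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one provider admin ("ops-admin") whose actions start
# arriving from an unfamiliar address, touch several tenants in minutes, and
# plant persistence (tokens, webhooks, role grants, an MFA reset).
SAMPLE_LOG = """\
{"ts": "2024-05-02T08:01:00Z", "tenant": "acme", "actor": "ops-admin", "action": "report.view", "source_ip": "10.20.0.5", "target": "sales-q1"}
{"ts": "2024-05-02T08:04:00Z", "tenant": "acme", "actor": "ops-admin", "action": "role.grant", "source_ip": "203.0.113.77", "target": "ops-admin:owner"}
{"ts": "2024-05-02T08:05:00Z", "tenant": "acme", "actor": "ops-admin", "action": "api_token.create", "source_ip": "203.0.113.77", "target": "svc-sync"}
{"ts": "2024-05-02T08:06:00Z", "tenant": "globex", "actor": "ops-admin", "action": "webhook.create", "source_ip": "203.0.113.77", "target": "https://198.51.100.9/hook"}
{"ts": "2024-05-02T08:07:00Z", "tenant": "initech", "actor": "ops-admin", "action": "mfa.reset", "source_ip": "203.0.113.77", "target": "initech-admin"}
{"ts": "2024-05-02T08:08:00Z", "tenant": "umbrella", "actor": "ops-admin", "action": "role.grant", "source_ip": "203.0.113.77", "target": "svc-sync:owner"}
{"ts": "2024-05-02T09:30:00Z", "tenant": "acme", "actor": "jane", "action": "dashboard.edit", "source_ip": "10.20.0.9", "target": "kpi-board"}
"""

# Assumed baseline: addresses each provider admin normally works from.
KNOWN_SOURCES = {"ops-admin": {"10.20.0.5"}, "jane": {"10.20.0.9"}}

# Actions that change who can act or where data flows. These are the
# persistence and privilege-manipulation patterns (ATT&CK T1098) that a
# reviewer should look at even when the actor is a legitimate admin account.
HIGH_RISK_ACTIONS = {"role.grant", "api_token.create", "webhook.create",
                     "mfa.reset", "oauth_app.install"}

FANOUT_TENANTS = 3                      # distinct tenants touched by one actor ...
FANOUT_WINDOW = timedelta(minutes=30)   # ... within this window


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def triage(events, known_sources=KNOWN_SOURCES):
    """Return a list of findings as (kind, actor, detail, extra) tuples."""
    findings = []
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[ev["actor"]].append(ev)
        # Signal 1: admin activity from outside the actor's known addresses.
        if ev["source_ip"] not in known_sources.get(ev["actor"], set()):
            findings.append(("unknown_source", ev["actor"], ev["tenant"], ev["action"]))
        # Signal 2: permission or persistence change, regardless of source.
        if ev["action"] in HIGH_RISK_ACTIONS:
            findings.append(("high_risk_change", ev["actor"], ev["tenant"], ev["action"]))
    # Signal 3: one identity fanning out across many tenants in a short window.
    # Sliding window over each actor's time-ordered events; report once per actor.
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):
            tenants = {e["tenant"] for e in evs[i:]
                       if e["ts"] - start["ts"] <= FANOUT_WINDOW}
            if len(tenants) >= FANOUT_TENANTS:
                findings.append(("cross_tenant_fanout", actor, len(tenants),
                                 start["ts"].isoformat()))
                break
    return findings


def summarize(findings):
    """Count findings per kind, the shape an on-call reviewer wants first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = triage(parse_log(SAMPLE_LOG))
    print(summarize(results))
    for kind, actor, detail, extra in results:
        print(f"{kind:20} actor={actor:10} {detail} {extra}")
```

The three signals are deliberately independent: the unknown-source check catches the stolen-credential stage (T1078) even before anything risky is done, the high-risk action list catches persistence being planted from a familiar address, and the fan-out check is the one that distinguishes a single compromised tenant from a provider-wide staging run. In a real deployment the baseline table would come from an identity provider or a rolling history of the admin's sessions, and the thresholds would be tuned to how many tenants a managed-services engineer legitimately touches per hour.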

Outcome

  • A Sophisticated Threat Actor’s lateral movement into customer environments was interrupted mid-campaign.
  • The SaaS provider regained control over its administrative infrastructure.
  • Customers avoided a multi-tenant ransomware event that could have caused widespread outages.
  • A supply-chain breach poised for headlines was contained before payload deployment.

Unit6 edge

  • Ability to spot watering-hole-derived admin compromise long before ransomware impact.
  • Multi-organization coordination driven by Unit6 threat intelligence across provider and customers.
  • Threat-actor profiling that enabled early recognition of Sophisticated Threat Actor tactics and likely downstream actions.
