“It’s great to have one sign-on for everything,” Salinas said, “but it’s one sign-on for everything.”

Emails have huge attack surfaces, he said, and Blackpoint Cyber is catching about 100 attacks a week.

“Following that is what’s the next huge attack surface that’s hard to protect? Your single sign-on,” he said. And that’s what advanced threat groups have been using lately, according to Salinas.

“They use it to get into casinos, gaming companies … they’re phoning in to support pretending to be an employee and getting access to the single sign-on and then using that as a pivot point to get to the servers and the machines and everything.”

Identity response for Azure AD provides MSPs with further visibility into vulnerabilities, increased knowledge of potential data exposure and added context for audit procedures and damage assessments.

Michael Pfaff, director of operations at Richmond, Va.-based MSP NDSE, said Blackpoint Cyber excels at providing a critical cybersecurity offering.

“With ongoing updates like the cloud response for Google Workspace and the recent identity response for Azure, visibility into potential threats and overall protection has been amplified, providing our customers with added peace of mind,” he told CRN. “Blackpoint is undeniably a top-tier option for those dedicated to securing their infrastructure.”

Salinas said threat actors typically want to grab logs, “and I have trouble in figuring out what the algorithm is or what’s the magic sauce.”

“There’s so much ambiguity out there. When is it going to actually detect single sign-on suspicion or not? I don’t even think Microsoft knows what actually happens or what goes into that type of detection. You cannot rely strictly on the provider, they’re not security companies. They’re secure but they’re not that secure. The magic sauce just isn’t good enough,” he said.

“It would terrify me if someone got my single sign-on login, so it should terrify everybody else,” he added.