Nation-state threat actors targeting Commvault applications hosted in Microsoft Azure may be part of a broader campaign targeting Software-as-a-Service (SaaS) applications, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory this week.
The May 22 CISA advisory builds on a Commvault warning earlier this month that nation-state threat actors were exploiting CVE-2025-3928 to target Commvault applications hosted in their Microsoft Azure cloud environment in an attempt to access customer Microsoft 365 (M365) environments.
CISA’s new advisory says the agency believes the Commvault M365 threat “may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.”
CISA offered no specifics on other SaaS apps that may be targeted, but CISA and Commvault both offered guidance for protecting Commvault and M365 environments, some of which could be applicable to other SaaS apps.
Commvault M365 Threat Campaign Detailed
According to CISA, threat actors may have accessed client secrets for Commvault’s Metallic Microsoft 365 backup SaaS solution hosted in Azure. “This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault,” the advisory said.
Commvault’s May 4 update on the incident said the nation-state threat actor “may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.” Commvault responded with several remedial actions, including rotating credentials and issuing customer recommendations.
Commvault also provided guidance for M365, Dynamics 365 and EntraID backups configured with additional single-tenant app registrations.
Commvault listed known IP addresses associated with the malicious activity for clients to block. Those IP addresses include:
- 69.148.100
- 92.80.210
- 153.42.129
- 6.189.53
- 223.17.243
- 242.42.20
Guidance for Protecting Commvault and M365
CISA recommended that organizations apply patches and updates and follow detailed mitigation guidance and best practices, which include:
- Monitor Entra audit logs for unauthorized modifications or new credentials to service principals initiated by Commvault applications and service principals, and handle deviations from regular login schedules as suspicious
- Review Microsoft Entra audit, Entra sign-in, and unified audit logs and conduct internal threat hunting
- For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address listed within Commvault’s allowlisted range of IP addresses (conditional access policies require a Microsoft Entra Workload ID Premium License)
- Customers who can should establish a policy to regularly rotate credentials at least every 30 days
- Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than needed
- Implement M365 security recommendations outlined in CISA’s Secure Cloud Business Applications (SCuBA) project
- Where possible, limit access to Commvault management interfaces to trusted networks and administrative systems
- Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications
- Monitor activity from unexpected directories, especially web-accessible paths.
