
A cyberattack targeting the cloud infrastructure of Commvault has resulted in unauthorized access to customer data, specifically affecting users of the Microsoft 365 backup service offered through Metallic. This was disclosed by the Cybersecurity and Infrastructure Security Agency (CISA), which reported malicious activity within the company's Microsoft Azure cloud environment.
According to the agency, the attackers may have gained access to sensitive information, including the client secrets used to connect to Microsoft 365 backups. These credentials were stored within Commvault's Azure environment and may have enabled the intruders to infiltrate the internal M365 environments of several client organizations.
The breach affected Metallic, Commvault’s cloud-native software-as-a-service (SaaS) platform for data backup. CISA noted that the incident may be part of a broader campaign targeting cloud software providers with misconfigured environments and overly permissive default access rights.
The initial alert regarding suspicious activity was issued by Microsoft in February 2025. Commvault’s subsequent investigation revealed that a state-sponsored hacking group had exploited a previously unknown vulnerability in the company’s web server (CVE-2025-3928). This flaw allowed an authenticated remote user to execute web shells on the affected server.
Commvault’s response team explained that the attackers employed sophisticated techniques to obtain confidential authorization keys used by clients to interface with M365. Although the company emphasized that customer backups were not compromised, some credentials may have been exposed.
In response to the breach, Commvault rotated all M365 credentials and enhanced monitoring of its cloud services. The company continues to collaborate with government agencies and industry partners to further investigate the incident.
Security experts have recommended the following mitigation measures:
- Monitor Entra audit logs for unauthorized changes or additions to Commvault-related credentials;
- Analyze Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct proactive threat hunting internally;
- For single-user applications, implement conditional access policies that restrict Commvault service component authentication to trusted IP ranges;
- Audit the list of Entra app registrations and service principals with elevated permissions;
- Restrict access to Commvault management interfaces to trusted network zones only;
- Configure a Web Application Firewall to block path traversal attempts and suspicious file uploads, and remove external access to Commvault applications.
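Detection logic for the first two items above, added here as an example that is not from the article, Commvault or CISA: it scans exported Entra audit-log records for secret or certificate additions to app registrations whose name matches the backup application and reports those made by an actor outside an approved list. Field names follow the Entra AuditLogs export and the operation names are the ones Entra records for credential additions to an application or service principal; the sample records, account names and app display names are constructed.

```python
"""Hunt exported Entra audit-log records for credential additions to a backup app registration."""
import json

# Operations Entra records when a secret or certificate is added to an app or service principal (dashes folded).
CREDENTIAL_OPS = {"update application - certificates and secrets management",
                  "add service principal credentials"}

# Constructed sample in the shape of an Entra AuditLogs export, trimmed to the fields used here.
SAMPLE_AUDIT_LOG = r'''[
 {"activityDateTime": "2025-02-20T03:14:07Z", "activityDisplayName": "Update application – Certificates and secrets management",
  "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.onmicrosoft.com"}},
  "targetResources": [{"displayName": "Commvault Backup for M365", "type": "Application"}]},
 {"activityDateTime": "2025-02-20T09:00:00Z", "activityDisplayName": "Update application",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
  "targetResources": [{"displayName": "Commvault Backup for M365", "type": "Application"}]},
 {"activityDateTime": "2025-02-21T11:30:00Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
  "targetResources": [{"displayName": "HR Portal", "type": "ServicePrincipal"}]},
 {"activityDateTime": "2025-02-22T08:05:00Z", "activityDisplayName": "Update application – Certificates and secrets management",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
  "targetResources": [{"displayName": "Commvault Backup for M365", "type": "Application"}]}
]'''
SAMPLE_RECORDS = json.loads(SAMPLE_AUDIT_LOG)


def norm_op(name):
    """Lower-case an operation name and fold en/em dashes to a plain hyphen (exports differ in the dash used)."""
    return (name or "").replace("\u2013", "-").replace("\u2014", "-").lower()


def credential_additions(records, app_name_fragment, approved_actors):
    """Return credential additions to apps whose name contains app_name_fragment by actors not in approved_actors."""
    fragment = app_name_fragment.lower()
    hits = []
    for rec in records:
        if norm_op(rec.get("activityDisplayName")) not in CREDENTIAL_OPS:
            continue  # not a secret/certificate change
        matched = [t.get("displayName") or "" for t in rec.get("targetResources", []) if fragment in (t.get("displayName") or "").lower()]
        if not matched:
            continue  # change to an unrelated app
        who = rec.get("initiatedBy") or {}
        actor = (who.get("user") or {}).get("userPrincipalName") or (who.get("app") or {}).get("displayName")
        if actor in approved_actors:
            continue  # expected rotation by an approved operator
        hits.append({"time": rec.get("activityDateTime"), "actor": actor,
                     "target": matched[0], "operation": rec.get("activityDisplayName")})
    return hits


if __name__ == "__main__":
    for hit in credential_additions(SAMPLE_RECORDS, "Commvault", {"admin@example.onmicrosoft.com"}):
        print(f"{hit['time']} {hit['actor']} -> {hit['target']}: {hit['operation']}")
```

Against the sample, only the out-of-hours secret addition by the unapproved service account is reported; the rotation by the approved administrator and the change to the unrelated app are filtered out.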
This incident underscores the critical importance of fortifying cloud infrastructure and maintaining a swift, adaptive response to evolving threats. Modern cyberattacks continue to grow in sophistication and employ novel vectors to compromise cloud-based services.