The Commvault Metallic Breach: What Happened, Remediation & Prevention

Dvir Sasson
Updated May 28, 2025 | 4 minutes

On May 22, 2025, CISA issued an urgent advisory that sent shockwaves through the enterprise security community. Commvault's Metallic cloud backup service, trusted by countless organizations to protect their Microsoft 365 environments, had been compromised by threat actors. Using a 0-day, the adversary broke into the Commvault cloud environment and compromised customer accounts.

What’s unique about this attack is that it targets a self-hosted SaaS app with deep ties to an organization’s identity provider (IdP), Microsoft Entra. When the IdP is compromised, it allows for complete organizational identity security breakdown: any service tied to the IdP can be breached by the attackers. This incident serves as a stark reminder of the critical importance of securing SaaS applications and the cascading risks when SaaS providers become targets.

What Happened in the Commvault Metallic Attack

Threat actors successfully gained unauthorized access to Commvault's Metallic Microsoft 365 backup software-as-a-service solution, which is hosted in Azure. Using Commvault as a gateway, the attackers were able to access Commvault’s customers' Microsoft 365 environments and steal secrets. This means that organizations using Metallic for M365 backup were potentially exposed through no fault of their own security configurations. Although specific details regarding the vulnerability are limited, CISA’s report mentions that the threat actor must be authenticated to exploit the service.

According to CISA, this incident appears to be part of a larger campaign targeting SaaS companies that maintain default security settings and overprivileged access controls. This suggests a coordinated effort to exploit the interconnected nature of modern SaaS ecosystems.

The Far-Reaching Impact

The Commvault incident highlights several critical vulnerabilities in how organizations approach SaaS security:

• Third-Party Risk Amplification: Organizations that thought they were protected by backing up to Commvault's cloud found themselves exposed when their backup provider was compromised. This demonstrates how SaaS security extends far beyond the applications you directly manage.

• Privilege Escalation Through Trust: The attackers didn't need to compromise individual customer environments directly. Instead, they leveraged Commvault's elevated permissions to access multiple customer tenants—a technique that scales their impact exponentially.

• Supply Chain Security: This attack underscores how SaaS providers become critical components in your security supply chain. When they're compromised, the blast radius can be enormous.

Best Practices for Remediation and Recovery

Based on CISA's advisory and industry best practices, organizations should take immediate action:

Immediate Response Actions

Monitor and Audit: Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting in alignment with documented organizational incident response policies. Look specifically for unusual access patterns or unauthorized modifications to service principals.

Patch the Vulnerability: Immediately install the resolved maintenance release for the affected version on the CommServe, Web Servers, and Command Center.

Credential Rotation: Immediately rotate application secrets and credentials on Commvault Metallic applications and service principals. Even if you weren't directly affected, this incident demonstrates the importance of regular credential rotation.

Access Control Review: Review the list of Application Registrations and Service Principals in Entra that hold administrative consent for higher privileges than the business needs. Apply the principle of least privilege ruthlessly.
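The hunting step above can be made concrete. The script below is an added example, not code from the original post, Reco or Commvault: it runs detection logic over constructed Entra sign-in and directory-audit records whose field names loosely follow the Microsoft Graph signIn and directoryAudit resources. It flags successful service-principal sign-ins from outside an approved IP range, sign-ins outside the expected backup window (the "regular login schedule" point raised under Zero Trust below), audit events that add credentials or privileges to a service principal, and then correlates the two so that a credential change shortly after an unapproved sign-in surfaces as the top lead. The approved ranges, the backup window and the audit activity names are assumptions for the illustration.

```python
"""Threat-hunting pass over exported Entra sign-in and audit records.

Added example, not code from the original post, Reco or Commvault. The
records below are constructed and loosely follow the field names of the
Microsoft Graph signIn and directoryAudit resources; the approved egress
ranges, the backup window and the audit activity names to watch are
assumptions for the illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumption: egress ranges from which the backup service principal is
# expected to authenticate (the "approved IP address" of the post).
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: the backup job normally runs between 01:00 and 04:00 UTC.
BACKUP_WINDOW_UTC = (1, 4)

# Entra audit activities that add credentials or privileges to an app or
# service principal (assumed names); review these after a provider compromise.
SENSITIVE_AUDIT_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
    "Add app role assignment to service principal",
    "Consent to application",
}

# Constructed service-principal sign-in records (not real log data).
SIGNINS = [
    {"servicePrincipalId": "sp-backup-01", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-05-20T02:00:00Z", "status": {"errorCode": 0}},
    {"servicePrincipalId": "sp-backup-01", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-05-21T14:13:00Z", "status": {"errorCode": 0}},
    {"servicePrincipalId": "sp-backup-01", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-05-21T14:15:00Z", "status": {"errorCode": 7000215}},
]

# Constructed directory audit records (not real log data).
AUDITS = [
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2025-05-21T14:20:00Z",
     "targetResources": [{"displayName": "sp-backup-01"}]},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2025-05-21T09:00:00Z",
     "targetResources": [{"displayName": "someone@example.test"}]},
]


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_approved(ip: str) -> bool:
    """True when the address falls inside an approved egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def signins_from_unapproved_ips(signins):
    """Successful service-principal sign-ins from outside the approved ranges."""
    return [s for s in signins
            if s["status"]["errorCode"] == 0 and not is_approved(s["ipAddress"])]


def signins_outside_window(signins, window=BACKUP_WINDOW_UTC):
    """Sign-ins (success or failure) outside the expected backup window."""
    start, end = window
    return [s for s in signins
            if not start <= parse_time(s["createdDateTime"]).hour < end]


def sensitive_audit_events(audits):
    """Audit events that changed credentials or privileges."""
    return [a for a in audits
            if a["activityDisplayName"] in SENSITIVE_AUDIT_ACTIVITIES]


def correlate(signins, audits, window_minutes=60):
    """Pair each sign-in from an unapproved IP with credential or privilege
    changes on the same service principal in the following window; these
    pairs are the highest-priority leads for the incident responder."""
    leads = []
    for s in signins_from_unapproved_ips(signins):
        t0 = parse_time(s["createdDateTime"])
        for a in sensitive_audit_events(audits):
            targets = {t["displayName"] for t in a["targetResources"]}
            delta = parse_time(a["activityDateTime"]) - t0
            if (s["servicePrincipalId"] in targets
                    and timedelta(0) <= delta <= timedelta(minutes=window_minutes)):
                leads.append((s, a))
    return leads


if __name__ == "__main__":
    for s, a in correlate(SIGNINS, AUDITS):
        print(f"{s['createdDateTime']} sign-in from {s['ipAddress']} followed by "
              f"'{a['activityDisplayName']}' at {a['activityDateTime']}")
```

On real exports (Graph `auditLogs/signIns` and `auditLogs/directoryAudits`, or the unified audit log), load the JSON into `SIGNINS` and `AUDITS` in place of the constructed lists; the correlation window and the approved ranges should come from the tenant's own baseline rather than the values assumed here.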

Long-Term Security Improvements

Implement Conditional Access: Implement a conditional access policy that limits authentication of an application service principal to an approved IP address. This adds an additional layer of protection even if credentials are compromised.

Follow CISA ScuBA Guidelines: Implement the comprehensive M365 security recommendations outlined in CISA's Secure Cloud Business Applications (ScuBA) Project. ScuBA provides specific, actionable guidance for securing cloud business applications like Microsoft 365, including detailed conditional access policies and configuration baselines that would have helped prevent this type of attack.

Establish Regular Rotation Policies: Establish a policy to regularly rotate credentials at least every 30 days. Automated credential rotation should be a standard practice, not an exception.

Adopt Zero Trust Principles: Handle deviations from regular login schedules as suspicious. Implement continuous monitoring and verification rather than assuming trust based on initial authentication.
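Two of the long-term controls above, the conditional access policy that pins a service principal to an approved IP address and the 30-day rotation policy, can be written down as configuration that is checked rather than assumed. The block below is an added example, not code from the original post, Reco or Commvault. The policy dictionary follows the shape of the Microsoft Graph conditionalAccessPolicy resource as used for workload identities (`conditions.clientApplications` selects the service principal, `conditions.locations` exempts a named location, and the grant control is `block`); the object ids are placeholders and the credential records are constructed. A deliberately weak variant sits beside it so the checker has something to reject.

```python
"""Long-term controls from the post expressed as checkable configuration.

Added example, not code from the original post, Reco or Commvault. The
policy dicts follow the shape of the Microsoft Graph conditionalAccessPolicy
resource as used for workload identities; the object ids are placeholders
and the credential records are constructed.
"""
from datetime import datetime, timedelta

TRUSTED_LOCATION_ID = "<named-location-id-placeholder>"    # placeholder
BACKUP_SP_OBJECT_ID = "<backup-sp-object-id-placeholder>"  # placeholder

# Block the backup service principal everywhere except the trusted named
# location that holds the approved IP range.
SP_LOCATION_POLICY = {
    "displayName": "Block backup service principal outside approved IPs",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": ["All"]},
        "clientApplications": {
            "includeServicePrincipals": [BACKUP_SP_OBJECT_ID],
            "excludeServicePrincipals": [],
        },
        "locations": {
            "includeLocations": ["All"],
            "excludeLocations": [TRUSTED_LOCATION_ID],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# The weak setting: report-only and with no location exemption, so it
# never actually restricts where the service principal may authenticate.
WEAK_POLICY = {
    "displayName": "Weak policy",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "applications": {"includeApplications": ["All"]},
        "clientApplications": {
            "includeServicePrincipals": [BACKUP_SP_OBJECT_ID],
            "excludeServicePrincipals": [],
        },
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def restricts_sp_to_trusted_location(policy, sp_id) -> bool:
    """True when the policy is enforced, targets sp_id, blocks from every
    location and exempts at least one named (trusted) location."""
    cond = policy.get("conditions", {})
    sps = cond.get("clientApplications", {})
    locs = cond.get("locations", {})
    grants = policy.get("grantControls", {}).get("builtInControls", [])
    return (policy.get("state") == "enabled"
            and sp_id in sps.get("includeServicePrincipals", [])
            and sp_id not in sps.get("excludeServicePrincipals", [])
            and locs.get("includeLocations") == ["All"]
            and len(locs.get("excludeLocations", [])) > 0
            and "block" in grants)


MAX_SECRET_AGE_DAYS = 30  # rotation interval recommended in the post

# Constructed application secrets (shape of Graph passwordCredential).
CREDENTIALS = [
    {"keyId": "k1", "displayName": "metallic-backup",
     "startDateTime": "2025-03-01T00:00:00Z"},
    {"keyId": "k2", "displayName": "reporting",
     "startDateTime": "2025-05-15T00:00:00Z"},
]


def stale_credentials(credentials, as_of_iso, max_age_days=MAX_SECRET_AGE_DAYS):
    """Credentials issued more than max_age_days before as_of_iso; these are
    due for rotation under the policy."""
    as_of = datetime.fromisoformat(as_of_iso.replace("Z", "+00:00"))
    cutoff = as_of - timedelta(days=max_age_days)
    return [c for c in credentials
            if datetime.fromisoformat(c["startDateTime"].replace("Z", "+00:00")) < cutoff]


if __name__ == "__main__":
    print("policy enforces location restriction:",
          restricts_sp_to_trusted_location(SP_LOCATION_POLICY, BACKUP_SP_OBJECT_ID))
    for c in stale_credentials(CREDENTIALS, "2025-05-28T00:00:00Z"):
        print("rotate:", c["displayName"], c["keyId"])
```

Conditional Access for workload identities requires the corresponding Entra licensing, and the service principal must be a single-tenant application registered in your tenant for the `clientApplications` condition to apply; both are worth confirming before relying on this control. The credential check is a policy check, not the rotation itself: it tells you which secrets to rotate, and the new secret still has to be pushed to the backup service and the old one removed.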

How Reco Protects Against These Threats

The Commvault incident perfectly illustrates why organizations need comprehensive SaaS security posture management. Reco addresses the exact vulnerabilities that made this attack possible:

Continuous SaaS Discovery and Monitoring: Reco automatically discovers all SaaS applications in your environment, including those connected through third-party services like backup providers. This visibility ensures you understand your complete attack surface.

CISA ScuBA Implementation: Reco has integrated CISA's Secure Cloud Business Applications (ScuBA) framework directly into our platform, providing automated assessment and enforcement of ScuBA's security baselines. This includes the specific conditional access policies and M365 security configurations that CISA recommends in response to the Commvault incident.

Image: Reco SCuBA compliance dashboard

Advanced Conditional Access Management: Beyond basic conditional access, Reco helps organizations implement and manage sophisticated conditional access policies at scale. Our platform continuously monitors for deviations from approved access patterns and can automatically enforce location-based, device-based, and risk-based access controls across your entire SaaS ecosystem.

Privileged Access Oversight: Reco identifies applications with excessive permissions and helps enforce least-privilege access principles across your SaaS ecosystem. You'll know exactly which applications have access to sensitive data and can take action before attackers exploit these relationships.

Anomalous Activity Detection: Reco's AI-powered behavioral analysis would have flagged the unusual access patterns that occurred during the Commvault breach, enabling organizations to take swift action. Even in such a case when threat actors successfully authenticate, Reco will alert on deviations from normal behavior, such as logins from unusual IP addresses, locations, or devices.

Third-Party Risk Assessment: Reco evaluates the security posture of your SaaS providers and identifies potential supply chain risks. You'll have visibility into how your vendors handle security and can make informed decisions about acceptable risk levels.

The Bottom Line

The Commvault Metallic breach comes just weeks after the Pat Opet open letter to third-party suppliers called attention to this very problem: attackers are exploiting the interconnected nature of SaaS, “eroding decades of carefully architected security boundaries.”

Organizations can no longer afford to treat SaaS security as an afterthought or assume that their SaaS providers have security covered.

Every SaaS application in your environment represents a potential entry point for attackers, and every third-party integration creates additional risk vectors. The question isn't whether you'll face a SaaS security incident, but whether you'll be prepared when it happens.

With Dynamic SaaS Security from Reco, you can gain the visibility, control, and response capabilities needed to protect your organization in an increasingly complex threat landscape.

Ready to secure your SaaS environment? Sign up for a demo to learn how we can help you protect your organization from SaaS threats.


Dvir Sasson

ABOUT THE AUTHOR

Dvir is the Director of Security Research, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.

Technical Review by:
Gal Nakash
