TL;DR
The 2024–2025 Snowflake customer exposure campaign compromised over 165 organisations — including Ticketmaster (560 million records) and AT&T (109 million accounts) — using nothing more sophisticated than stolen credentials on accounts without multi-factor authentication. Australian SMBs face the same blast radius today: credential-based intrusions drive 80% of cloud breaches, yet only 5% of SMBs have tested their recovery plans. Three controls implemented this week — Conditional Access, Privileged Identity Management, and centralised log retention — can close the same entry points attackers used against billion-dollar enterprises.
The Breach: What Happened
Between April 2024 and mid-2025, a financially motivated threat actor tracked as UNC5537 systematically compromised Snowflake customer tenants, exfiltrating hundreds of millions of records from organisations including Ticketmaster, Santander Bank, AT&T, Advance Auto Parts, and at least 165 others [1].
This was not a sophisticated zero-day exploit. It was not a Snowflake platform vulnerability. The attackers purchased credentials from infostealer malware logs — some dating back to 2020 — and simply logged in.
How They Got In
The kill chain was devastatingly simple:
- Initial access: Credentials harvested by infostealer malware (RedLine, Vidar, Raccoon) from contractor and employee machines were sold on dark-web marketplaces. Some credentials were years old but still valid.
- No MFA: Affected Snowflake instances had no multi-factor authentication configured. Single-factor username-and-password was sufficient for full access. In several cases, the accounts were service accounts never intended for interactive login — but nothing prevented it [2].
- Lateral movement: Once inside, attackers used Snowflake's native RESULT_SCAN and COPY INTO commands — legitimate database operations — to locate and stage terabytes of data for exfiltration.
- No detection: The average dwell time exceeded 60 days. Logs existed but were not being monitored.
What It Cost
Mandiant's investigation estimated over 500 compromised credentials across the victim pool. Ticketmaster alone lost 560 million customer records including partial payment card data [1]. The financial toll from regulatory fines, notification costs, class-action litigation, and share-price impact ran into the billions across the victim set.
The pattern mirrors what Sophos reports in 2026: ransomware groups grew 35% year-on-year, with 5,400 documented attacks in 2025. Check Point's VP of Exposure Management notes that the exploitation window for a known vulnerability has shortened from 30 days to hours [3]. For an SMB, the insolvency maths are stark: median Australian SMB cash reserves of $12,100 against average cyber insurance claims of $264,000 — a 22-to-1 gap [2].
Three Preventions Your SMB Can Implement This Week
Every entry point in the Snowflake campaign maps to a control Australian SMBs can activate in their Microsoft 365, Google Workspace, or AWS tenant today.
1. Conditional Access Policies
The attackers walked through an unlocked door. Conditional Access enforces context-aware authentication gates: if the sign-in originates from an unusual location, an unmanaged device, or a risky IP, access is blocked or challenged regardless of correct credentials.
- Implementation: In Azure AD/Entra ID, create a policy requiring MFA for all users accessing administrative portals, cloud apps, or sensitive data workloads. Block legacy authentication protocols (POP3, IMAP, SMTP auth) entirely — they cannot enforce MFA.
- Time required: Under 2 hours. Microsoft provides a "Report-only" mode to simulate impact before enforcement.
- What it stops: Credential stuffing, stolen password reuse, and the exact attack pattern used against Snowflake customers.
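A quick way to verify that the two policies above are actually enforced, as an added example that is not part of the original article: it audits a list of Conditional Access policies in the Microsoft Graph conditionalAccessPolicy JSON shape and reports whether an enabled (not Report-only) policy requires MFA for all users and whether legacy authentication clients are blocked. The sample policies and the break-glass account id are constructed placeholders, not an export from a real tenant.

```python
"""Audit Entra ID Conditional Access policies for the two gaps that let the Snowflake
attackers in: no MFA requirement and legacy (non-MFA-capable) authentication left open.
Policies follow the Microsoft Graph conditionalAccessPolicy JSON shape; the sample
policies below are constructed for this example, not exported from a real tenant."""

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph's legacy-auth clientAppTypes
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Report-only mode: simulates, does not enforce

def covers_everyone(policy: dict) -> bool:
    """True when the policy targets all users and all cloud apps."""
    cond = policy["conditions"]
    return ("All" in cond["users"].get("includeUsers", [])
            and "All" in cond["applications"].get("includeApplications", []))

def audit_policies(policies: list[dict]) -> dict:
    """Report which baseline protections the *enforced* policies actually provide."""
    result = {"mfa_for_all": False, "legacy_auth_blocked": False, "report_only": []}
    for p in policies:
        if p["state"] == REPORT_ONLY:
            result["report_only"].append(p["displayName"])  # simulating only, not protecting
            continue
        if p["state"] != "enabled" or not covers_everyone(p):
            continue
        controls = set((p.get("grantControls") or {}).get("builtInControls", []))
        clients = set(p["conditions"].get("clientAppTypes", []))
        if "mfa" in controls and "all" in clients:
            result["mfa_for_all"] = True
        if "block" in controls and LEGACY_CLIENTS <= clients:
            result["legacy_auth_blocked"] = True
    return result

SAMPLE_POLICIES = [  # constructed sample; "<break-glass-account-id>" is a placeholder
    {"displayName": "Require MFA for all users",
     "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```

Running this against the sample shows the common trap: the MFA policy was left in Report-only mode, so it counts as simulated, not enforced, until its state is switched to "enabled".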
2. Privileged Identity Management (PIM)
Service accounts and over-privileged users were the linchpin of UNC5537's success. PIM eliminates standing administrative privileges — access is granted just-in-time, for a limited duration, with approval workflows and full auditing.
- Implementation: In Entra ID, onboard Global Administrators, SharePoint Administrators, and Exchange Administrators into PIM. Set maximum activation time to 4 hours. Require MFA at activation time and, for critical roles, require approval from a second administrator [4].
- Time required: One business day.
- What it stops: Lateral movement by an attacker who compromises a single over-privileged account. Even if credentials are stolen, the attacker cannot self-elevate to admin without an approval chain.
3. Centralised Log Retention with Monitoring
The average dwell time in the Snowflake campaign was months — not because logs didn't exist, but because nobody was looking. The ACSC Essential Eight recommends centralised, protected log collection with a minimum 7-day retention for event logs and 12 months for critical system logs [5].
- Implementation: For Microsoft 365 tenants, enable Unified Audit Log and ship logs to a Log Analytics workspace or a Sentinel instance. For AWS, enable CloudTrail across all regions with a 90-day minimum retention in S3. For Google Workspace, enable Workspace Audit Logs and retain for a minimum of 6 months.
- Time required: Under 3 hours to configure. Ongoing monitoring can start with Microsoft Sentinel's free tier or a lightweight open-source SIEM like Wazuh.
- What it stops: Undetected exfiltration. Even a basic alert rule — "suspicious COPY INTO to external stage" or "bulk data transfer exceeding 5 GB in 1 hour" — would have caught UNC5537 in the first 72 hours.
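The two alert rules just named, implemented over constructed Snowflake-style query history rows as an added example (not code from the article or from Snowflake): rule 1 flags a COPY INTO whose target is cloud storage or a stage the defender has listed as external, rule 2 flags any user who moves more than 5 GB inside a sliding 1-hour window. The row field names (user_name, start_time, bytes, query_text) and the external-stage list are assumptions for this example, not Snowflake's real QUERY_HISTORY columns.

```python
"""Two alert rules run over constructed Snowflake-style query history rows:
(1) COPY INTO that unloads to a cloud-storage URL or a known external stage, and
(2) more than 5 GB moved by one user within any 1-hour window.
Field names are assumptions for this example, not Snowflake's real QUERY_HISTORY columns."""
import re
from datetime import datetime, timedelta

GB = 1024 ** 3
# Captures the unload target of "COPY INTO <target> ..." (a load such as
# "COPY INTO my_table FROM @stage" has a table as its target and is not flagged).
COPY_TARGET = re.compile(r"COPY\s+INTO\s+('?\S+?'?)\s", re.IGNORECASE)

def external_copy(query_text: str, external_stages: set[str]) -> bool:
    """Rule 1: COPY INTO whose target is cloud storage or a listed external stage."""
    m = COPY_TARGET.search(query_text + " ")
    if not m:
        return False
    target = m.group(1).strip("'").lower()
    return target.startswith(("s3://", "azure://", "gcs://")) or target.lstrip("@") in external_stages

def bulk_transfers(rows, limit=5 * GB, window=timedelta(hours=1)) -> set:
    """Rule 2: users whose bytes moved inside any sliding 1-hour window exceed the limit."""
    flagged, by_user = set(), {}
    for r in sorted(rows, key=lambda r: r["start_time"]):
        q = by_user.setdefault(r["user_name"], [])
        q.append(r)
        while r["start_time"] - q[0]["start_time"] > window:  # drop rows older than the window
            q.pop(0)
        if sum(x["bytes"] for x in q) > limit:
            flagged.add(r["user_name"])
    return flagged

T0 = datetime(2024, 5, 1, 2, 0)
SAMPLE_ROWS = [  # constructed rows: a service account staging data out, then an analyst
    {"user_name": "svc_etl", "start_time": T0, "bytes": 2 * GB,
     "query_text": "COPY INTO customers FROM @internal_landing"},
    {"user_name": "svc_etl", "start_time": T0 + timedelta(minutes=20), "bytes": 2 * GB,
     "query_text": "COPY INTO @extstage_dump FROM (SELECT * FROM customers)"},
    {"user_name": "svc_etl", "start_time": T0 + timedelta(minutes=50), "bytes": 2 * GB,
     "query_text": "COPY INTO 's3://bucket-x/out/' FROM customers"},
    {"user_name": "analyst", "start_time": T0 + timedelta(hours=3), "bytes": 1 * GB,
     "query_text": "SELECT * FROM customers LIMIT 10"},
]
EXTERNAL_STAGES = {"extstage_dump"}  # assumed inventory of stages pointing outside the account

def run_rules(rows=SAMPLE_ROWS, external_stages=EXTERNAL_STAGES) -> dict:
    """Apply both rules and return what a SIEM alert would carry."""
    copies = [r["query_text"] for r in rows if external_copy(r["query_text"], external_stages)]
    return {"external_copy": copies, "bulk_users": bulk_transfers(rows)}
```

On the sample, the load into customers is ignored, both unloads are flagged, and svc_etl trips the 5 GB rule after moving 6 GB in 50 minutes.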
FAQ
Q: My business uses Google Workspace, not Microsoft 365. Do these controls still apply?
A: Yes. Google Workspace offers Context-Aware Access (equivalent to Conditional Access), Privileged Administrator accounts with just-in-time elevation, and Workspace Audit Logs with configurable retention. The principles are identical — only the product names change.
Q: We're a 12-person shop. Is PIM overkill?
A: It is the opposite. Small organisations have the most to gain from PIM because a single compromised admin account — often the business owner's — grants total control. PIM protects that single point of failure without adding ongoing maintenance overhead.
Q: What's the single highest-impact thing we can do this afternoon?
A: Enable MFA on every account with administrative or financial privileges. Then disable legacy authentication protocols. Together, these two steps would have prevented the entire Snowflake campaign. Time required: 90 minutes.
Q: Do we need a full SIEM to make log retention useful?
A: No. Start by connecting your tenant to the vendor's native security dashboard — Microsoft Secure Score, Google Security Health, or AWS Security Hub. These free tools surface the highest-risk misconfigurations without needing a dedicated SOC.
Conclusion
The Snowflake campaign was not a sophisticated nation-state operation. It was a financially motivated group exploiting one of the oldest and most preventable misconfigurations in cybersecurity: accounts without multi-factor authentication. The same conditions exist in Australian SMB tenants today.
Check Point reports that one million machines are infected with infostealer malware daily, and those harvested credentials are sold within hours [3]. The Sophos Threat Research Unit confirms that the consolidation of "supergroups" like LockBit has been replaced by a fluid ecosystem of smaller, faster-moving gangs — over 94 tracked groups across 124 countries [3]. Your credentials are likely already circulating.
This is not a problem that requires a SOC or a six-figure security budget. Conditional Access, Privileged Identity Management, and centralised log retention are included in the licences many SMBs already own.
Protect your cloud tenant this week. Visit consult.lil.business for a free cybersecurity posture assessment — we will review your Conditional Access policies, identity hygiene, and log retention in one session.
References
[1] Mandiant: UNC5537 Snowflake Campaign Analysis
[2] NIST SP 800-207: Zero Trust Architecture
[3] Sophos: Ransomware in 2026 — Newer Groups, Severe Impact (SMBtech)
[4] Microsoft: Privileged Identity Management Documentation
[5] ACSC: Essential Eight Maturity Model