CISA Reports Cyber Threats Targeting Commvault’s Azure SaaS Applications

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding cyber threat activity aimed at applications hosted in Commvault’s Microsoft Azure environment. According to CISA, threat actors may have compromised client secrets associated with Commvault’s Metallic Microsoft 365 backup software-as-a-service (SaaS) solution, granting them unauthorized access to customer environments.

This advisory emerged after Commvault was alerted by Microsoft in February 2025 about unauthorized activities attributable to a nation-state threat actor within its Azure infrastructure. CISA noted that this incident might be linked to a wider campaign targeting various SaaS providers’ cloud infrastructures through methods that exploit default configurations and elevated permissions.

A particularly concerning aspect of the current situation is that the threat actor is believed to have used advanced techniques to access customer M365 environments. Commvault has been proactive, taking remedial measures such as rotating app credentials for M365, and the company emphasizes that there has been no unauthorized access to customer backup data.

As part of its advisory, CISA urged users and administrators to implement robust security practices, including monitoring of audit logs, reviewing Microsoft logs for unauthorized modifications, restricting access to management interfaces, and deploying Web Application Firewalls. Furthermore, the agency is working alongside partner organizations to continue its investigation into the malicious activities affecting SaaS platforms.
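
One way to carry out the log review described above, as an added example that is not from CISA, Commvault or the original article: it scans exported Microsoft Entra ID audit records for successful credential changes on applications or service principals made by identities outside an approved set. The sample records, app names, approved-actor list and function names are constructed assumptions; the field names follow the Microsoft Graph `directoryAudit` schema.

```python
# Entra ID audit activities that record a credential change on an app or service principal.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# Assumption: the only identities your change process allows to rotate app credentials.
APPROVED_ACTORS = {"iam-admin@contoso.example"}

def _event(when, activity, result, actor_upn, actor_app, target):
    """Build a constructed record using Microsoft Graph directoryAudit field names."""
    return {
        "activityDateTime": when, "activityDisplayName": activity, "result": result,
        "initiatedBy": {"user": {"userPrincipalName": actor_upn} if actor_upn else None,
                        "app": {"displayName": actor_app} if actor_app else None},
        "targetResources": [{"displayName": target}],
    }

# Constructed sample export; app and account names are placeholders, not real identifiers.
ADD, UPD = "Add service principal credentials", "Update application – Certificates and secrets management"
SAMPLE_EVENTS = [
    _event("2025-02-10T08:00:00Z", ADD, "success", "iam-admin@contoso.example", None, "Backup Connector (placeholder)"),
    _event("2025-02-11T03:14:00Z", ADD, "success", None, "Unknown Automation", "Backup Connector (placeholder)"),
    _event("2025-02-11T09:30:00Z", "Update user", "success", "helpdesk@contoso.example", None, "jdoe"),
    _event("2025-02-12T22:05:00Z", UPD, "success", "helpdesk@contoso.example", None, "HR Portal (placeholder)"),
    _event("2025-02-12T23:00:00Z", ADD, "failure", None, "Unknown Automation", "Backup Connector (placeholder)"),
]

def actor_of(event):
    """Return the user principal name or app display name that initiated the event."""
    by = event.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def find_unapproved_credential_changes(events, approved=APPROVED_ACTORS, watch=None):
    """Flag successful credential changes made by actors outside the approved set.
    watch: optional substring that limits findings to matching target app names."""
    allowed = {a.lower() for a in approved}
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES or ev.get("result") != "success":
            continue
        actor = actor_of(ev)
        if actor.lower() in allowed:
            continue
        for target in ev.get("targetResources") or []:
            name = target.get("displayName") or ""
            if watch is None or watch.lower() in name.lower():
                findings.append((ev.get("activityDateTime", ""), actor, name))
    return sorted(findings)
```

Passing `watch="backup"` narrows the findings to the backup integration's app registration; each finding should be matched against a change ticket before it is dismissed.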