Modern identity attacks increasingly rely on shared infrastructure like phishing-as-a-service (PhaaS) platforms, making anomalous sign-in detection alone insufficient — especially for large organizations drowning in alert fatigue. Arctic Wolf MDR introduces a 'herd immunity' approach that enriches individual anomalous sign-in alerts with cross-tenant intelligence: comparing sign-in characteristics against a dataset of confirmed compromises, and flagging when the same IP uses the same authentication method across multiple unrelated customer tenants. This transforms ambiguous single-environment anomalies into high-confidence indicators of malicious activity. A real-world example from April 2026 shows a single IP authenticating via device code flow against nearly 150 identities across 110+ tenants in one week, linked to the Kali365 PhaaS platform.
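A minimal sketch of the enrichment described above, added here as an illustration and not Arctic Wolf's code: it indexes sign-ins by (IP, authentication method) across tenants, then scores one alert against that index and a confirmed-compromise set. The event fields, the sample data, the `min_tenants` threshold and the confidence labels are all assumptions.

```python
from collections import defaultdict

# Constructed sign-in events: documentation-range IPs, made-up tenants and users.
SIGNINS = [
    {"tenant": "t-001", "user": "ana@t001.example", "ip": "203.0.113.7", "auth": "deviceCode"},
    {"tenant": "t-002", "user": "raj@t002.example", "ip": "203.0.113.7", "auth": "deviceCode"},
    {"tenant": "t-003", "user": "li@t003.example", "ip": "203.0.113.7", "auth": "deviceCode"},
    {"tenant": "t-004", "user": "sam@t004.example", "ip": "203.0.113.7", "auth": "deviceCode"},
    {"tenant": "t-001", "user": "kim@t001.example", "ip": "198.51.100.20", "auth": "password"},
    {"tenant": "t-005", "user": "joe@t005.example", "ip": "192.0.2.55", "auth": "password"},
]
# Constructed stand-in for the confirmed-compromise dataset: (ip, auth method) pairs.
CONFIRMED = {("192.0.2.55", "password")}

def build_index(signins):
    """Map each (ip, auth method) pair to the tenants and identities seen using it."""
    index = defaultdict(lambda: {"tenants": set(), "users": set()})
    for event in signins:
        seen = index[(event["ip"], event["auth"])]
        seen["tenants"].add(event["tenant"])
        seen["users"].add(event["user"])
    return index

def enrich(alert, index, confirmed, min_tenants=3):
    """Attach cross-tenant context to one anomalous sign-in alert."""
    key = (alert["ip"], alert["auth"])
    seen = index.get(key, {"tenants": set(), "users": set()})
    tenants = seen["tenants"] | {alert["tenant"]}
    users = seen["users"] | {alert["user"]}
    reasons = []
    if key in confirmed:
        reasons.append("matches_confirmed_compromise")
    if len(tenants) >= min_tenants:  # min_tenants is an assumed threshold
        reasons.append("same_ip_and_method_across_tenants")
    return {**alert, "tenant_count": len(tenants), "identity_count": len(users),
            "reasons": reasons, "confidence": "high" if reasons else "ambiguous"}

if __name__ == "__main__":
    index = build_index(SIGNINS)
    for alert in SIGNINS:
        print(enrich(alert, index, CONFIRMED))
```

The password sign-in from 198.51.100.20 stays ambiguous because nothing outside its own tenant corroborates it, which is the single-tenant limit the summary describes.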

7m read time. From arcticwolf.com