Identifying Self-Service Password Reset (SSPR) Abuse


Seemingly mundane processes like password resets have become critical security vectors. Self-Service Password Reset (SSPR) solutions do improve user experience but can introduce new security considerations that every CISO should understand.
Understanding SSPR: More Than Convenience
Remember the days of contacting IT for every password reset? Those days are gone—largely driven by the rise in sophisticated phishing attacks. Yes, phishing! The increase in impersonation attacks has necessitated more secure methods for users to manage their own credentials.
SSPR enables administrators to define the validation methods required before users can reset their passwords. Adoption is largely driven by Microsoft Entra (Azure AD). The validation methods typically include:
- Mobile app notifications
- Mobile app one-time passwords (OTP)
- Personal email verification (if configured)
- Mobile phone verification
- Office phone verification
- Security questions

Once properly configured, users can securely reset passwords (such as Summer2025!, which is only an example of a very bad password and should not be used) without burdening IT staff or creating security vulnerabilities.
Security Implications You Can't Ignore
While SSPR improves efficiency, it creates distinct patterns that threat actors can exploit—and that security teams should monitor. Consider these warning signs:
- Password changes occurring in high volume
- Resets originating from unusual geographic locations or IP addresses
- Resets during non-business hours or weekends
- Multiple password changes for a single user within 24 hours
These patterns often indicate credential compromise attempts that traditional security solutions might miss.
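The four warning signs above can be expressed as simple rules over a stream of reset events. The following is an added example, not Reco's detection logic or code from the original article; the event fields, the per-user country baseline, the 08:00-18:59 business hours and the three-resets-per-hour volume threshold are all assumptions chosen for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample reset events: (user, timestamp, source IP, country).
# Field layout is an assumption for this example, not an identity provider's
# log schema; IPs are documentation ranges. Timestamps are assumed to already
# be in the organisation's local time.
EVENTS = [
    ("alice", "2025-06-02T10:15:00", "198.51.100.7", "US"),
    ("bob",   "2025-06-02T11:00:00", "198.51.100.9", "US"),
    ("bob",   "2025-06-03T02:30:00", "203.0.113.50", "RO"),
    ("carol", "2025-06-07T14:00:00", "192.0.2.20",   "DE"),
    ("dave",  "2025-06-04T09:00:00", "192.0.2.31",   "US"),
    ("erin",  "2025-06-04T09:05:00", "192.0.2.31",   "US"),
    ("frank", "2025-06-04T09:10:00", "192.0.2.31",   "US"),
]
# Hypothetical baseline: countries each user normally resets from.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"DE"},
            "dave": {"US"}, "erin": {"US"}, "frank": {"US"}}

def detect(events, baseline, burst=3, burst_window=timedelta(hours=1),
           repeat_window=timedelta(hours=24), work_hours=range(8, 19)):
    """Return sorted (user, timestamp, reason) findings for the four signs."""
    findings = set()
    last_reset = {}   # user -> time of that user's previous reset
    recent = deque()  # times of all resets still inside burst_window
    for user, stamp, _ip, country in sorted(events, key=lambda e: e[1]):
        ts = datetime.fromisoformat(stamp)
        # Sign: resets during non-business hours or weekends.
        if ts.weekday() >= 5 or ts.hour not in work_hours:
            findings.add((user, stamp, "off_hours"))
        # Sign: unusual location. Users without a baseline are skipped.
        if user in baseline and country not in baseline[user]:
            findings.add((user, stamp, "unusual_location"))
        # Sign: multiple resets for a single user within 24 hours.
        if user in last_reset and ts - last_reset[user] <= repeat_window:
            findings.add((user, stamp, "repeat_within_24h"))
        last_reset[user] = ts
        # Sign: high volume of resets across all users in a short window.
        recent.append(ts)
        while ts - recent[0] > burst_window:
            recent.popleft()
        if len(recent) >= burst:
            findings.add((user, stamp, "high_volume"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(EVENTS, BASELINE):
        print(*finding, sep="\t")
```

A single event can trip several rules at once, as bob's second reset does here; stacking reasons per event is a practical way to rank which resets to triage first.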
How Reco Detects SSPR Abuse
Reco leverages security analytics to identify suspicious SSPR activities across identity providers including Microsoft Entra (Azure AD), Okta, and Salesforce.
What happens when a user changes their password more than once in a day? Reco alerts on this odd activity.


Reco can alert on these scenarios. For example, Reco has a query for the usual suspects (Microsoft Entra).

Reco provides advanced analytics that:
- Correlate user activities across multiple sources
- Process terabytes of historical data in under 30 seconds for threat hunting
- Aggregate information about originating IPs, user agents, account privileges, and group memberships
- Identify complex attack patterns through high-performance queries
Identifying SSPR Events
SSPR instances vary across platforms but share common security concerns.
Microsoft Entra (Azure AD): Captures both self-service and administrator-initiated password resets, including those propagated from on-premises environments.

Okta: Provides distinct event patterns that require specialized monitoring rules.
Salesforce: Implements its own SSPR mechanisms with unique characteristics.
Reco helps prevent account takeover by discovering SSPR attacks in your ecosystem through our Investigations Center.

We then alert the user, supplementing what XSOAR is traditionally able to do.
Strengthening Your Security Posture
Effective SSPR monitoring is a crucial component of account takeover prevention. By integrating specialized analytics with existing orchestration platforms like XSOAR, organizations can build deeper protection against credential-based attacks. As threat actors continue to target identity systems, understanding and monitoring SSPR activities is essential for securing your SaaS ecosystem.

Dvir Sasson
ABOUT THE AUTHOR
Dvir is the Director of Security Research, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.
