SaaS: The Next Big Attack Vector
Dec 18, 2024
SaaS has become its own attack vector, exploiting gaps in visibility, compliance, and access controls unless companies rethink their SaaS security.
SaaS attacks stem from risks you don’t see coming—unauthorized apps or even approved ones used in ways that do not conform to an organization's security policies and procedures. Employees adopt these tools to work smarter and faster, but without proper oversight, this practice introduces risks. SaaS has become its own attack vector, exploiting gaps in visibility, compliance, and access controls; unless companies rethink their SaaS security explicitly, they risk catastrophic breaches that undermine data security, compliance, and operational resilience.
Think of an attack vector as the doorway hackers use to break into systems, networks, or applications; it’s the pathway they exploit to carry out their malicious plans. From phishing emails to compromised endpoints, every attack vector poses unique risks and calls for specific defenses. Firewalls protect against network-based attacks, email security solutions defend against phishing attempts, and endpoint detection and response (EDR) tools safeguard endpoints targeted by attackers. Each layer of security works like a sentry, guarding its assigned entry point, identifying, mitigating, and monitoring each attack vector to minimize the risk of breaches.
SaaS isn’t just a problem of unsanctioned productivity tools slipping under IT’s radar; it’s an attack surface with minimal defenses. There are two main challenges: improperly secured sanctioned SaaS, and shadow SaaS, which bypasses IT governance altogether. While sanctioned apps may appear safe, they are often improperly configured, leaving gaps in access controls or user permissions that attackers can exploit. Unsanctioned apps, adopted by employees without IT oversight, amplify the risks exponentially by placing the responsibility for security in the hands of individual users who are not security experts. Hackers can exploit these gaps to steal sensitive data, move laterally through systems, and conduct reconnaissance, all while staying undetected by traditional defenses.
SaaS security's decentralized and user-driven nature creates a fragmented set of controls distributed among multiple siloed defenses. Traditional defenses are not equipped to oversee users' security practices on unsanctioned apps or the gaps in the controls for sanctioned apps. Tools like CASBs, IAM solutions, and EDR systems are built to protect specific targets—endpoints, networks, or sanctioned apps—but they fall short for unsanctioned SaaS. Without centralized oversight, SaaS security becomes an afterthought rather than an explicit security strategy, exposing organizations to risks their current defenses aren’t equipped to handle.
SaaS security today is a patchwork of disconnected tools—CASBs, IAM solutions, and EDR systems—each addressing specific security needs but leaving critical gaps because they are not unified and work together as a common defense layer. Unsanctioned apps operate outside traditional security perimeters, bypassing network, endpoint, and centralized governance controls. While users may access them via managed devices on secure networks, the apps, data, and associated risks remain out of reach for IT and security teams. Sanctioned apps may fall under the official oversight of IT, but misconfigurations or lack of access controls are undetectable outside of the app itself.
Take CASBs, for instance. CASBs effectively monitor network activity, but to enforce controls beyond blocking network access they need application integration, which shadow SaaS lacks; outright blocking is not a realistic policy because it would hinder employee productivity. CASBs protect employees’ access to SaaS but not the entry point for bad actors, which is the Internet, often via compromised credentials. They also can’t detect or mitigate risky activity, such as compromised identities moving laterally across multiple applications. In addition, getting actionable insights is difficult because the volume of data that needs to be analyzed is so large.
CASBs protect employee access to SaaS but fail to secure entry points such as bad actors exploiting compromised credentials via the Internet.
IAM solutions like SSO and MFA are another critical layer, but their effectiveness depends on proper integration—which shadow SaaS always lacks. Without onboarding shadow apps into IAM programs, these tools can’t enforce policies or identify unauthorized access. And with SaaS usage growing exponentially, relying on IAM to discover and assess shadow SaaS risks isn’t practical, as that’s not what they were designed to do. They were designed to centralize and control access once the need to do so has been established, and this is the gap that companies find so difficult to overcome.
Similarly, EDR systems focus on protecting devices, not the cloud-based activities happening within SaaS apps. While they’re effective for endpoint security, they don’t address threats where identities, activities, and data exist entirely on the Internet.
The fragmented approach to SaaS security creates blind spots that open the door to attackers. Shadow SaaS and poorly secured sanctioned apps lack robust security configurations and often operate with default settings, making them easy targets. Malicious actors can exploit these vulnerabilities to steal sensitive data, leverage APIs to infiltrate interconnected systems, and move laterally to expand the attack—all while evading detection from conventional security tools. This fragmentation leaves organizations exposed to risks they’re not equipped to handle.
The Midnight Blizzard attack on Microsoft highlights how even a seemingly simple attack can infiltrate sensitive internal systems and data. In this attack, the bad actors targeted weak account security, leveraged unauthorized integrations, and successfully evaded detection. The methodology mirrors tactics outlined in the MITRE ATT&CK SaaS Matrix, illustrating the vulnerabilities of dormant accounts in unmanaged SaaS environments.
Initial Access: Attackers used a password spray attack to compromise a dormant account that lacked MFA. Because of the inconvenience, many SaaS users fail to enable MFA on SaaS accounts. They are not alone, however: IT often fails to enable MFA on sanctioned apps as well. SaaS accounts not protected by strong access controls are vulnerable to similar attacks.
Privilege Escalation and Lateral Movement: After gaining access, the attackers escalated privileges, allowing access to sensitive accounts and data. A breached account can often be used to elevate permissions or pivot to other accounts or systems through integrations, APIs, or poorly configured role-based access controls.
Persistent Access: Malicious applications were integrated and deployed to maintain persistent access and facilitate data exfiltration. SaaS apps widely use integrations and OAuth grants to allow third-party app access, and each grant leaves behind a long-lived access token. Without continuous monitoring, these tokens, especially OAuth grants, can be exploited to bypass traditional authentication and maintain access even after passwords are changed.
Evasion: The attackers used residential proxy networks to obfuscate their activity and blend in with legitimate traffic. SaaS platforms rely heavily on web-based access, making them susceptible to similar obfuscation techniques. Attackers can use proxy networks to hide the origin of their activity, complicating detection by security tools.
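An added detection example for the Initial Access step above (this is illustrative code written for this article, not Grip’s product or code from the original post): it runs over constructed sign-in events and an assumed account directory, flags a source that sprays a password across many distinct accounts, and then reports any success from that source into a dormant account with MFA disabled. The thresholds, field names and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real tenant logs): one source IP tries a single
# password against many accounts, then succeeds on a dormant account with no MFA.
SIGNINS = [
    ("2024-12-18T09:00:05", "alice",   "203.0.113.7",  "fail"),
    ("2024-12-18T09:00:09", "bob",     "203.0.113.7",  "fail"),
    ("2024-12-18T09:00:14", "carol",   "203.0.113.7",  "fail"),
    ("2024-12-18T09:00:20", "dave",    "203.0.113.7",  "fail"),
    ("2024-12-18T09:00:27", "old-svc", "203.0.113.7",  "success"),
    ("2024-12-18T09:01:00", "alice",   "198.51.100.4", "success"),  # ordinary login
]
# Assumed account directory: MFA status and last interactive activity.
ACCOUNTS = {
    "alice":   {"mfa": True,  "last_active": "2024-12-17"},
    "bob":     {"mfa": True,  "last_active": "2024-12-16"},
    "carol":   {"mfa": True,  "last_active": "2024-12-17"},
    "dave":    {"mfa": False, "last_active": "2024-12-15"},
    "old-svc": {"mfa": False, "last_active": "2024-03-01"},
}
NOW = datetime(2024, 12, 18, 9, 5)  # fixed "current time" for the sample

def detect_spray(signins, min_users=4, window=timedelta(minutes=10)):
    """Return {source_ip: sorted users} for sources whose failed sign-ins hit
    at least `min_users` distinct accounts inside a sliding `window`."""
    fails = defaultdict(list)
    for ts, user, ip, result in signins:
        if result == "fail":
            fails[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def weak_account_successes(signins, accounts, spray_ips, now=NOW, dormant_days=90):
    """Successful sign-ins from a spraying source into accounts that are
    dormant (idle for `dormant_days`) and have MFA disabled: the highest-priority
    alerts, since the spray evidently found a weak account."""
    hits = []
    for ts, user, ip, result in signins:
        acct = accounts.get(user)
        if result != "success" or ip not in spray_ips or acct is None:
            continue
        idle = now - datetime.fromisoformat(acct["last_active"])
        if not acct["mfa"] and idle.days >= dormant_days:
            hits.append((ts, user, ip))
    return hits
```

The same account directory, extended with a list of each account's OAuth grants and their issue dates, is the natural input for the Persistent Access step: grants created shortly after a flagged success are the ones to review and revoke first.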
Today’s approach to SaaS security is fundamentally fragmented and siloed, creating a false sense of protection that leaves organizations vulnerable to SaaS attacks. CASBs, IAM tools, and EDR systems focus on narrow, distinct attack vectors, but not the SaaS attack vector. Additionally, this siloed approach assumes that each tool operates flawlessly and without failure, a dangerous assumption that contradicts cybersecurity’s foundational principle of layered defenses.
A layered defense strategy operates on the premise that no single tool is foolproof, relying on overlapping controls to mitigate risks. Yet, the current SaaS security landscape fails to cover critical blind spots. CASBs depend on integrations with sanctioned applications and often overlook shadow SaaS. IAM tools require robust configurations like SSO and MFA—both often absent in shadow SaaS. EDR systems focus on endpoints but offer no insight into SaaS-based activity or data. These blind spots provide fertile ground for shadow SaaS to thrive, exposing organizations to unauthorized access, data breaches, and compliance violations.
The statistics are staggering and highlight the scale of the problem. An analysis by Grip Security of over 29 million SaaS user accounts and 1.7 million identities revealed that 90% of SaaS applications and 91% of AI tools operate without proper management or oversight, leaving them vulnerable to exploitation. Furthermore, projections suggest that by 2027, 75% of employees will adopt technology solutions beyond the direct control of their organization’s IT departments, accelerating shadow SaaS growth. With 85% of SaaS applications unknown and unmanaged and SaaS portfolios expanding by 40% annually, IT and security teams are overwhelmed, widening the security gaps and increasing opportunities for exploitation.
To secure the SaaS attack vector, organizations must move beyond fragmented solutions and adopt a cohesive, layered defense strategy tailored for SaaS security. This approach requires end-to-end visibility across all SaaS applications—sanctioned and unsanctioned—and consistent enforcement of security policies. Breaking down silos and aligning SaaS security with layered defense principles will empower organizations to close critical gaps, reduce risk, and safeguard their data in a cloud-first world. The era of piecemeal solutions is over; the time for comprehensive SaaS security is now.
Discover how Grip helps close the gaps in SaaS security by uncovering unsanctioned apps, mitigating risks from compromised credentials, and providing centralized SaaS control. Take the first step toward securing your SaaS attack vector - book time with our team now.
Gain a complete view of your SaaS usage—including shadow SaaS and rogue cloud accounts—from an identity-centric viewpoint. See how Grip can improve the security of your enterprise.