It’s common knowledge that technology adoption outpaces security controls. But SaaS applications may be the biggest example of this, and cybercriminals have caught on.
We spoke to Cory Michal, CSO at AppOmni, about how we’ve made things easier for attackers, decreased our visibility and limited the effectiveness of our controls by the wholesale adoption of SaaS products over the past few years, and how the scale can be tipped in the opposite direction.
BN: How have SaaS applications changed the attack surface?
CM: SaaS applications have fundamentally reshaped the organizational attack surface by shifting critical business processes and identity management outside the traditional security perimeter. Attack surfaces have changed over the past few years from a ‘castle and moat’ model where a perimeter could be enforced to a model where many users are remote. This has decreased the visibility of existing security tooling and created new opportunities for attackers. With most organizations shifting 70-90 percent of their operations as well as their Identity Provider (IdP) to SaaS, the attack surface has expanded dramatically, creating new entry points for threat actors. Unlike on-premises environments where security teams could enforce strict network controls, SaaS applications are accessed over the internet, often by remote users, making identity the primary security boundary.
BN: Has SaaS adoption made things easier for cybercriminals?
CM: Yes, SaaS adoption has made things easier for cybercriminals by expanding the attack surface and shifting security boundaries from controlled, on-premises environments to the cloud, where identity is often the primary defense. Organizations have moved critical business processes to SaaS applications in search of agility, scalability and efficiency. In many cases, appropriate security controls have not followed. Attackers understand this change in attack surface and are increasingly taking advantage of the opportunity by targeting and breaching organizational SaaS tenants. They have exploited this shift using techniques such as phishing, credential stuffing/spraying, session hijacking, and token theft to gain unauthorized access to Identity Providers and SaaS environments. The widespread use of SaaS also introduces risks from misconfigurations and overly permissive access, which attackers can exploit for lateral movement and data theft.
BN: What are the most common types of SaaS attacks you’re seeing in real life?
CM: In real-world scenarios, we’re seeing several common types of SaaS attacks that leverage identity-based exploitation, misconfigurations, and cloud-native persistence techniques. The most prevalent attacks include:
- MFA Fatigue & Phishing Attacks — Adversaries use social engineering and adversary-in-the-middle (AitM) phishing to steal credentials and bypass multi-factor authentication (MFA). MFA fatigue attacks bombard users with repeated authentication requests until they approve one out of frustration or mistake.
- Session Hijacking & Token Theft — Attackers steal session tokens via phishing and infostealer malware, allowing them to bypass authentication mechanisms and persist within SaaS environments.
- Privilege Escalation & Lateral Movement — Exploiting misconfigured SaaS permissions, attackers escalate privileges to gain broader access across multiple SaaS applications. They leverage OAuth abuse, excessive API permissions, and interconnected SaaS integrations to move laterally across systems.
- Data Exfiltration & Business Email Compromise (BEC) — Attackers access SaaS email, file-sharing, or CRM applications to exfiltrate sensitive data, manipulate financial transactions, or launch further phishing campaigns from within a trusted environment.
BN: Why can’t traditional security measures adequately address the unique vulnerabilities inherent in SaaS applications?
CM: Traditional security measures struggle to protect SaaS applications because they were designed for perimeter-based environments, not the cloud-centric, identity-driven nature of SaaS. Unlike on-premises systems, where security teams control the network, endpoints, and infrastructure, SaaS applications are externally hosted, rely on cloud identity providers, and are accessed from anywhere.
SaaS applications come with unique configuration, management, and continuous monitoring challenges that organizations must solve in order to properly safeguard data from being breached directly, and to avoid SaaS apps becoming footholds from which attackers can pivot into the corporate environment. Organizations have started to shift their security capabilities beyond the on-premises tools such as VPN concentrators and network IDS, and into Zero Trust Network Access (ZTNA), Security Service Edge (SSE), and other capabilities more appropriate for distributed workforces and cloud-based technology.
However, the focus to date has largely been around securing individual areas such as transport and access to applications via SSE, security of devices with Endpoint Detection and Response (EDR), etc. What’s lacking is an end-to-end security architecture that doesn’t leave a huge security gap and that applies the core security principles all the way from devices to secure transport, and fully includes the security of the destinations such as SaaS applications. It’s not enough to stop at ZTNA and SSE without filling the gap with approaches like Zero Trust Posture Management (ZTPM) that address the security of the applications.
BN: How can the scale be tipped in the opposite direction?
CM: To tip the scale against attackers, the first action is to recognize that SaaS applications present unique security risks. AppOmni research has found that the majority of organizations do not monitor their SaaS platforms, and do not know they have a security problem. Next, organizations must adopt a comprehensive SaaS security strategy aligned with the Identify, Protect, Detect, and Respond framework. Identify involves gaining visibility into all SaaS applications, users, and permissions to uncover misconfigurations and excessive access. Protect requires enforcing strong identity security with phishing-resistant MFA, least-privilege access, and secure SaaS configurations to minimize the attack surface vulnerability. Detect focuses on continuous monitoring of SaaS logs, behavioral analytics, and anomaly detection to identify threats like session hijacking, unauthorized OAuth grants, and privilege escalation. Finally, Respond ensures rapid investigation and automated remediation of SaaS security incidents, leveraging response playbooks and integration with security operations (SOC) workflows. By shifting security controls closer to where SaaS attacks occur — at the identity and application layers — organizations can strengthen their defense posture and make it significantly harder for adversaries to succeed.
Image credit: Tongsupatman/Dreamstime.com
