In January 2024, Microsoft disclosed that Russian threat actors had accessed senior executive email accounts. The attackers didn't phish credentials or exploit a zero-day. They found an old test OAuth application with excessive permissions, used password spray to access a legacy account, then leveraged OAuth tokens to move laterally into production mailboxes. No malware. No network intrusion. Just tokens and trust.
This incident represents a fundamental shift in how attackers compromise organizations. While security teams focused on hardening network perimeters and deploying endpoint protection, threat actors quietly adapted. They discovered that SaaS Attack Techniques no longer require traditional malware or network infiltration. Instead, attackers exploit the very mechanisms that make cloud collaboration possible: OAuth tokens, API keys, and trusted integrations between applications.
The statistics paint a stark picture. SaaS breaches surged 300% in 2024, with the average time to compromise core systems dropping to just 9 minutes once initial access is established. More concerning, 28% of organizations experienced cloud or SaaS-related data breaches in the past year, with 36% of affected organizations facing multiple breaches within a single year.
Key Takeaways
- Token-based attacks bypass passwords entirely, allowing threat actors to compromise accounts and move laterally without triggering password prompts or MFA challenges
- The average enterprise uses 342 SaaS applications, each creating OAuth tokens, API keys, and webhooks that represent potential entry points attackers actively exploit
- Traditional security tools fail in SaaS environments because CASB sees traffic but not token usage, SIEM lacks behavioral context, and EDR is irrelevant when attackers never touch endpoints
- SaaS supply chain attacks cascade rapidly across connected applications, as demonstrated by the Salesloft-Drift breach that impacted 700+ organizations through compromised OAuth integrations
- Behavioral detection identifies anomalies traditional tools miss by mapping relationships between users, apps, and data to detect when OAuth tokens access resources they've never touched before
Why SaaS Environments Are the New Target
Most organizations believe their biggest security risk lives inside the applications they manage directly. In reality, the real exposure often sits one integration away. The shift to cloud architectures during the COVID-19 pandemic created an environment where data flows freely between SaaS tools, and users can create integrations with a single OAuth click. This convenience came with hidden costs that attackers have learned to exploit systematically.
Data Concentration Creates High-Value Targets
Modern SaaS applications have become centralized repositories for an organization's most sensitive information. Salesforce contains customer data, pipeline information, and revenue forecasts worth millions. Google Workspace holds company communications, strategic documents, and confidential discussions. Snowflake stores analytical datasets that represent years of business intelligence. One compromised application provides massive data access without the need to breach multiple systems.
This concentration makes SaaS environments fundamentally different from traditional IT infrastructure. When attackers compromised on-premises systems, they needed to move laterally across network segments, escalate privileges through multiple systems, and exfiltrate data while evading network monitoring. In SaaS environments, a single OAuth token with the right permissions can provide immediate access to terabytes of sensitive data through legitimate API calls.
The Integration Explosion
According to Productiv research, the average enterprise now uses 342 SaaS applications. Each integration between these applications creates OAuth tokens, API keys, service accounts, and webhooks. Each of these non-human identities represents a potential entry point that attackers actively map and exploit.
The problem compounds because 46% of organizations struggle to monitor non-human identities like service accounts and APIs, while 56% express concern about over-privileged API access. These blind spots in integrations create the perfect conditions for attackers to operate undetected. When security teams can't see what's talking to their Salesforce instance or which OAuth tokens have admin permissions, they can't detect when those connections are abused.
According to Obsidian's network data, integrations increased 123% year-over-year as organizations adopted AI agents, marketing automation platforms, and workflow tools. Each new integration extends trust beyond traditional security controls, creating what attackers call "the hidden layer" between SaaS apps where traditional security tools don't provide visibility.
Traditional Security Controls Don't Apply
The fundamental challenge posed by these SaaS attack techniques is that legacy security architectures were designed for a different threat model. There's no network perimeter to defend when applications live in vendor-managed clouds. There are no endpoints to install agents on when users access SaaS through browsers. There are no servers to patch when the application provider handles infrastructure.
Identity becomes the only control layer, and attackers have learned to bypass it. OAuth tokens function independently of SSO and MFA. Once issued, these bearer tokens work like keys: whoever has the token can use it, regardless of whether they completed multi-factor authentication or whether the user's password has been changed.
This creates a scenario where an organization can have perfect password hygiene, mandatory MFA, and comprehensive endpoint protection, yet still suffer a catastrophic breach through a single compromised OAuth token. As Patrick Opet, CIO of JPMorgan Chase, warned in his open letter to suppliers, modern SaaS integration models are eroding decades of carefully architected security controls, collapsing authentication and authorization into overly simplistic trust relationships that attackers actively exploit.
For a comprehensive overview of how these threats manifest across the SaaS landscape, see our SaaS Security Threat Report 2025.
The SaaS Attack Lifecycle: From Initial Access to Data Exfiltration
Understanding how threat actors compromise cloud applications requires examining the complete attack lifecycle. Unlike traditional network intrusions, which map onto the MITRE ATT&CK framework for on-premises environments, SaaS attacks leverage cloud-native mechanisms that bypass conventional security controls at every stage.
1. Initial Access: Getting Into the First Application
Attackers use multiple techniques to establish their initial foothold in SaaS environments, often combining methods to increase success rates.
Credential-Based Attacks
While phishing remains effective (56% of organizations have been affected by phishing to date, with 49% experiencing attacks in the past year), it's no longer required for successful compromise. Attackers craft realistic messages to steal SaaS credentials and sensitive personal information, but they've also developed more sophisticated approaches:
- Credential stuffing using databases leaked from third-party breaches
- Password spraying against cloud services that lack proper account lockout policies
- Brute force attacks targeting accounts without MFA enforcement
The Snowflake campaign of 2024 demonstrated the effectiveness of credential stuffing at scale. Attackers used stolen credentials to compromise 165+ customer environments, exploiting the fact that many accounts lacked MFA protection. No sophisticated exploit was needed, just valid credentials and the absence of basic controls.
OAuth Token Exploitation
Token-based attacks represent the evolution of SaaS compromise techniques. These attacks bypass passwords entirely, allowing threat actors to compromise accounts, move laterally, and extract sensitive data without triggering password prompts.
Consent phishing tricks users into authorizing malicious OAuth applications that appear legitimate. An attacker creates an app called "Salesforce Mobile Connector" or "Microsoft Teams Enhancement" and requests broad permissions. When users click "Allow," they grant the attacker's application persistent access to their data, access that survives password resets and MFA changes.
Token theft involves stealing existing OAuth tokens from compromised applications, browser storage, or insecure code repositories. Most SaaS apps implement OAuth tokens as bearer tokens, something like a key. Whoever has this key can use it, regardless of how they obtained it.
Third-party compromise enables attackers to inherit access from breached vendors. The Salesloft-Drift incident exemplified this technique, where attackers compromised OAuth tokens tied to a third-party integration, providing access to 700+ organizations' Salesforce environments. From there, they systematically exported sensitive data from customer contacts to credentials like AWS keys and Snowflake tokens.
Session Hijacking
Session token theft represents one of the most dangerous attack vectors because it provides immediate, authenticated access. Techniques include:
- Cookie theft through malware that extracts session tokens from browsers
- Adversary-in-the-middle (AiTM) token interception during authentication flows
- Session token extraction from compromised browser extensions or developer tools
For a detailed analysis of how these attacks work, see our deep dive into SaaS session hijacking.
2. Persistence: Ensuring Continued Access
Once attackers establish initial access, they immediately work to ensure persistent access that survives credential rotation and security responses.
Malicious OAuth Applications
Attackers register OAuth applications with persistent access to victim environments. These applications request refresh tokens that provide indefinite access without requiring user interaction. The application survives password resets, MFA changes, and even account lockouts because it operates through delegated authorization rather than direct credential use.
Refresh tokens are especially risky because, like service accounts, they operate outside traditional login flows. They can remain valid for months or years, providing attackers with a persistent backdoor that's difficult to detect and revoke.
Email Rules and Forwarding
Attackers create email rules that:
- Forward copies of all incoming mail to external addresses
- Auto-delete security notifications and password reset emails
- Redirect specific messages to attacker-controlled accounts
These rules operate silently in the background, allowing attackers to monitor the victim's communications and intercept security alerts that might reveal the compromise.
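A defender-side check for the rule patterns above, as an added example (not code from the original article): it audits a constructed set of mailbox rules for external forwarding, deletion of security notifications and unconditional copying of all mail. The JSON rule shape and the internal-domain list are assumptions, not any mail provider's real export format.

```python
import json
import re

# Added example, not from the original article: audit mailbox rules for the
# persistence patterns described above (external forwarding, deletion of
# security notifications, silent redirects). The rule records use a constructed,
# simplified JSON shape, not any particular mail provider's API format.

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains

# Subject fragments an attacker-created rule typically tries to suppress.
SECURITY_SUBJECT_PATTERNS = [
    r"password\s+reset", r"security\s+alert", r"new\s+sign[- ]?in",
    r"verification\s+code", r"suspicious\s+activity",
]

# Constructed sample rules for two mailboxes.
SAMPLE_RULES_JSON = """
[
  {"mailbox": "cfo@example.com", "name": "Backup", "enabled": true,
   "conditions": {}, "actions": {"forward_to": ["archive@mail-backup.example"]}},
  {"mailbox": "cfo@example.com", "name": "Cleanup", "enabled": true,
   "conditions": {"subject_contains": ["password reset", "security alert"]},
   "actions": {"delete": true, "mark_read": true}},
  {"mailbox": "cfo@example.com", "name": "Legal", "enabled": true,
   "conditions": {"from_contains": ["counsel@example.com"]},
   "actions": {"redirect_to": ["lawyer.review@external-mail.example"]}},
  {"mailbox": "hr@example.com", "name": "Sort newsletters", "enabled": true,
   "conditions": {"from_contains": ["news@vendor.example"]},
   "actions": {"move_to_folder": "Newsletters"}}
]
"""


def is_external(address):
    """True when the address domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule):
    """Return the list of findings for one mailbox rule (empty = nothing flagged)."""
    findings = []
    if not rule.get("enabled", True):
        return findings
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # 1. Forward or redirect to an address outside the organisation.
    for key in ("forward_to", "redirect_to"):
        for addr in actions.get(key, []):
            if is_external(addr):
                findings.append(f"{key} external address {addr}")

    # 2. Rule deletes (or buries) mail whose subject looks like a security notice.
    hides = actions.get("delete") or actions.get("move_to_folder", "").lower() == "deleted items"
    subjects = " ".join(conditions.get("subject_contains", [])).lower()
    if hides and any(re.search(p, subjects) for p in SECURITY_SUBJECT_PATTERNS):
        findings.append("deletes security notifications")

    # 3. Unconditioned forwarding copies every incoming message.
    if not conditions and any(actions.get(k) for k in ("forward_to", "redirect_to")):
        findings.append("forwards all mail (no conditions)")
    return findings


def audit_rules(rules_json):
    """Map 'mailbox/rule name' -> findings, for every rule with at least one."""
    report = {}
    for rule in json.loads(rules_json):
        findings = audit_rule(rule)
        if findings:
            report[f"{rule['mailbox']}/{rule['name']}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_rules(SAMPLE_RULES_JSON).items():
        print(key, "->", "; ".join(findings))
```

Run against a real rule export, the same three checks are the first things to pull out of a mailbox during an account-takeover investigation.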
Backdoor Accounts and Service Accounts
Creating new service accounts, adding attacker-controlled admin users, and generating API keys for programmatic access provide multiple persistence mechanisms. 85% of accounts are over-privileged, enabling lateral movement and increasing the attack surface. Attackers exploit this by creating accounts with excessive permissions that blend in with legitimate service accounts.
3. Privilege Escalation: Getting More Access
With persistent access established, attackers work to expand their privileges within the compromised environment.
Role Manipulation
Attackers elevate compromised accounts to admin status, add attacker accounts to privileged groups, and modify permission policies. In SaaS environments, this often requires just a few API calls to the identity provider or application admin console.
OAuth Scope Escalation
Attackers request additional permissions through consent flows, exploit incremental authorization mechanisms, and abuse pre-authorized application configurations. Users who previously authorized an application are more likely to approve additional permission requests without scrutiny, especially if the requests appear during normal workflow.
4. Lateral Movement: Spreading Across Applications
SaaS-to-SaaS lateral movement represents the most dangerous aspect of cloud application compromise. Attackers use OAuth tokens to access connected applications, pivoting from a marketing tool to CRM to email systems. They ride trusted connections between applications, connections that security teams often don't monitor or even know exist.
The Midnight Blizzard attack against Microsoft demonstrated this technique. Attackers compromised a test OAuth application, used password spray against legacy accounts, then leveraged OAuth connections to move laterally into production mailboxes containing senior executive communications.
Identity Provider Exploitation
Compromising the identity provider (Okta, Azure AD, Google Workspace) provides access to all federated applications. A single compromised admin account in the IDP can create persistent access across the entire SaaS estate, as attackers demonstrated in the Twilio/Oktapus campaign of 2022.
Credential Reuse and Shared Secrets
Service accounts with the same credentials across apps, API keys stored in multiple locations, and shared secrets enable lateral movement without requiring additional compromise. Attackers systematically search for these reused credentials in code repositories, configuration files, and documentation.
For more information on how attackers exploit these connections, see our analysis of SaaS supply chain security.
5. Data Exfiltration: Achieving Objectives
The final stage involves extracting valuable data while avoiding detection.
API-Based Extraction
Attackers use bulk data export through legitimate APIs, paginating through entire databases in what appears to be normal application usage. This technique is particularly effective because it generates minimal alerts: the activity uses valid credentials, authorized applications, and legitimate API endpoints.
Integration Abuse
Using legitimate integrations to sync data externally or export through connected third-party tools means data flows through authorized channels. Security teams struggle to distinguish malicious exfiltration from normal business operations.
Email-Based Exfiltration
Forwarding sensitive documents as attachments, sending data to personal accounts, and using legitimate mail flow provides a simple but effective exfiltration method that blends in with normal email activity.
Real-World SaaS Attack Examples
Understanding how threat actors compromise cloud applications also requires examining how these attacks manifest in real incidents. The following cases demonstrate the evolution of SaaS-focused attacks and the cascading impact of compromised integrations.
Midnight Blizzard (Microsoft, 2024)
Russian threat actors accessed senior Microsoft executive email accounts through a sophisticated OAuth-based attack. The attackers discovered an old test OAuth application with excessive permissions, a forgotten integration that security teams hadn't inventoried or monitored. They used password spray attacks against legacy accounts that lacked modern security controls, then leveraged the OAuth tokens from the test application to move laterally into production mailboxes.
The attack succeeded because it exploited the gap between development and production security controls. The test application had permissions it should never have received, the legacy accounts lacked MFA enforcement, and the OAuth tokens provided persistent access that bypassed traditional authentication monitoring.
Salesloft-Drift Supply Chain Attack (2025)
Between August 8 and 18, 2025, the Google Threat Intelligence Group identified widespread data theft targeting Salesforce customer instances through compromised OAuth tokens in the Salesloft-Drift integration. The attack demonstrated how SaaS supply chain attacks cascade rapidly across connected applications.
Attackers compromised OAuth tokens tied to the Salesloft-Drift integration, which provided them with access to multiple customers' Salesforce environments. They systematically exported sensitive data including customer contacts, opportunity information, and stored credentials like AWS keys and Snowflake tokens. The attack scope expanded beyond Salesforce to impact other integrations, requiring Google to revoke OAuth tokens for the Drift Email integration after confirming access to Google Workspace accounts on August 28, 2025.
More than 700 organizations were impacted, demonstrating the blast radius of supply chain compromise in SaaS environments. For a detailed analysis, see our report on the Salesloft-Drift breach.
Snowflake Credential Stuffing Campaign (2024)
Attackers used credential stuffing with stolen credentials to compromise Snowflake customer environments at scale. The campaign succeeded because many accounts lacked MFA protection, a basic control that would have prevented the attack entirely. Over 165 customers had data exposed as attackers systematically accessed data warehouses and exfiltrated analytical datasets.
The incident highlighted how token theft and OAuth abuse remain effective even after password changes, particularly in integration-heavy environments where compromise cascades rapidly across connected applications.
Twilio/Oktapus Identity Provider Attack (2022)
Attackers used SMS phishing against Twilio employees to compromise identity provider access. Once inside Twilio's systems, they leveraged that access for lateral movement to customer environments, demonstrating how supply chain attacks through trusted providers can impact hundreds of downstream organizations.
The attack succeeded because it targeted the identity provider, the foundation of trust for all connected applications. With IDP access, attackers could create new accounts, modify permissions, and access customer data across the entire federated ecosystem.
Commvault Metallic Cloud Backup Compromise (2025)
In May 2025, CISA reported that threat actors accessed client secrets for Commvault's Microsoft 365 backup SaaS solution hosted in Azure. This provided unauthorized access to customers' M365 environments through what should have been a security control: the backup solution itself became the attack vector.
The incident demonstrated how even security and backup tools can become entry points when their OAuth tokens and API keys are compromised.
For comprehensive coverage of recent SaaS attacks, see our techniques of SaaS compromise resource.
Why Traditional Security Tools Fail to Detect SaaS Attacks
The fundamental challenge in detecting these SaaS attack techniques is that legacy security tools were designed for different environments and threat models. Each traditional security category has specific blind spots that attackers exploit.
CASB Limitations: Seeing Traffic, Missing Tokens
Cloud Access Security Brokers (CASBs) monitor traffic between users and cloud applications, providing visibility into which applications are being accessed and what data is flowing through them. However, CASBs have critical limitations in detecting modern SaaS attacks:
CASBs see traffic but not token usage. When an attacker uses a stolen OAuth token to access an API directly, the CASB may see the API request but lacks context about whether the token should have that access. The request appears legitimate because it uses valid credentials and authorized applications.
CASBs can't detect OAuth app behavior changes. When a previously benign third-party application suddenly starts accessing sensitive data it never touched before, CASBs lack the behavioral baseline to recognize this as anomalous. They see the application is authorized and the data access is within the granted permissions, missing the fact that the behavior pattern has fundamentally changed.
CASBs miss SaaS-to-SaaS movement. When attackers use OAuth tokens to move laterally from one application to another through integration connections, CASBs often don't have visibility into these application-to-application flows. The lateral movement happens through backend API calls that bypass user-facing access controls.
SIEM Gaps: Logs Without Context
Security Information and Event Management (SIEM) systems collect logs from various sources and attempt to correlate events to detect security incidents. In SaaS environments, SIEMs face significant challenges:
SaaS logs are incomplete or delayed. Many SaaS applications don't provide comprehensive audit logs, and those that do often have delays in log availability. By the time suspicious activity appears in the SIEM, attackers have already exfiltrated data and moved to other systems.
SIEMs lack a baseline for normal application behavior. Traditional SIEM rules look for known bad patterns: failed login attempts, privilege escalations, unusual network connections. But in SaaS environments, attackers use legitimate credentials, authorized applications, and normal API patterns. Without behavioral baselines specific to each application and integration, SIEMs generate massive alert volumes without identifying genuine threats.
Alert fatigue from volume without context. The average enterprise generates millions of security events daily. SIEMs struggle to distinguish between a legitimate service account making API calls and an attacker using a stolen token to do the same thing. Security teams drown in alerts while real threats slip through undetected.
EDR Irrelevance: No Endpoints to Monitor
Endpoint Detection and Response (EDR) tools excel at detecting malware, suspicious process execution, and lateral movement across endpoints. However, in SaaS attacks, EDR becomes largely irrelevant:
There are no endpoints to monitor when attackers access SaaS applications directly through APIs. The attacker never touches user devices, never executes code on corporate laptops, and never generates the telemetry that EDR tools are designed to detect.
All activity happens through cloud APIs. When attackers use stolen OAuth tokens to access Salesforce data or exfiltrate Google Workspace documents, the entire attack chain occurs in the cloud. EDR agents running on user endpoints see nothing because the endpoints aren't involved in the attack.
Session hijacking bypasses endpoint controls. Even when attackers initially compromise an endpoint to steal session tokens, the subsequent attack activity happens entirely in the cloud using those stolen tokens. EDR may detect the initial compromise but can't see the SaaS account takeover and data exfiltration that follows.
For a detailed comparison of security tool categories and their limitations, see our guide to SaaS supply chain solutions.
Behavioral Detection for SaaS Attacks: The Obsidian Approach
Traditional security tools fail to detect modern SaaS attacks because they rely on static rules, known bad patterns, and traffic inspection. These SaaS attack techniques require a fundamentally different detection approach, one based on understanding normal behavior and identifying deviations that signal compromise.
What Behavior-Based Detection Catches
Behavioral detection identifies anomalies that signature-based and rule-based tools miss:
OAuth apps accessing data they've never accessed before. When a marketing automation tool that typically accesses contact lists suddenly starts downloading financial documents, behavioral detection flags this as anomalous. The application has valid permissions, uses legitimate credentials, and operates through authorized APIs, but the behavior pattern has fundamentally changed.
Tokens used from geographic locations never seen. When an OAuth token that always originates from US-based IP addresses suddenly appears in requests from Eastern Europe, behavioral detection identifies the ASN deviation and geographic anomaly. The token is valid, but the usage pattern indicates potential compromise.
API request patterns diverging from baseline. When a service account that typically makes 50 API calls per day suddenly executes 5,000 requests, behavioral detection recognizes the volume spike as suspicious. When those requests target data export endpoints rather than the normal read operations, the anomaly becomes even more significant.
Lateral movement between connected applications. When an attacker uses a compromised integration to pivot from a marketing tool to CRM to email systems, behavioral detection maps these SaaS-to-SaaS movements and identifies the cascading access pattern as suspicious, even though each individual access uses valid credentials and authorized connections.
The Knowledge Graph Advantage
Obsidian's Knowledge Graph provides the foundation for behavioral detection by mapping relationships between users, applications, OAuth tokens, service accounts, and data. This graph-based approach enables detection that traditional tools can't achieve:
Understanding what normal looks like for each entity. The Knowledge Graph establishes behavioral baselines specific to each user, application, and token. It knows which applications typically access which data, which users normally use which integrations, and which service accounts operate on which schedules.
Detecting anomalies in context of relationships. When suspicious activity occurs, the Knowledge Graph provides relationship context. Is this OAuth token accessing data owned by users it's never interacted with before? Is this service account suddenly connecting to applications outside its normal scope? These relationship-based anomalies reveal attacks that appear legitimate in isolation.
Correlating signals across multiple applications. Attackers rarely compromise just one application; they move laterally across the SaaS estate. The Knowledge Graph correlates signals across multiple applications to identify attack patterns. A failed login attempt in one app, followed by unusual OAuth activity in another, followed by data export from a third: individually innocuous, collectively suspicious.
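The four anomaly classes listed under "What Behavior-Based Detection Catches" and the relationship correlation described in this section, as a small added example that is not Obsidian's code: it learns a per-token baseline (apps, resources, countries, daily volume, export use) from constructed audit events and reports deviations, escalating when one token's findings span more than one application. The event shape, the 30-day learning window and the 10x spike threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean

# Added example, not Obsidian's detection engine: per-token behavioural baselines
# over constructed audit events. One Event is one API call by a non-human
# identity; 'day' is a day index and days 0-29 form the learning window.

@dataclass
class Event:
    day: int
    token: str
    app: str
    resource: str
    action: str  # read | list | export
    country: str

@dataclass
class Baseline:
    apps: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    daily_calls: list = field(default_factory=list)
    used_export: bool = False

# Constructed sample: a marketing token reads CRM contacts from the US, 50 calls
# a day, for 30 days. On day 30 it bulk-exports financial records from a new
# country and also shows up in the mail app. A second token has no history.
SAMPLE_EVENTS = (
    [Event(d, "tok-mkt", "crm", "contacts", "read", "US") for d in range(30) for _ in range(50)]
    + [Event(30, "tok-mkt", "crm", "financial_docs", "export", "RO") for _ in range(5000)]
    + [Event(30, "tok-mkt", "mail", "executive_inbox", "read", "RO") for _ in range(40)]
    + [Event(30, "tok-sync", "crm", "contacts", "read", "US") for _ in range(48)]
)

def learn(events, learn_days=30):
    """Build a per-token Baseline from events inside the learning window."""
    baselines = defaultdict(Baseline)
    per_day = defaultdict(int)
    for e in events:
        if e.day >= learn_days:
            continue
        b = baselines[e.token]
        b.apps.add(e.app)
        b.resources.add(e.resource)
        b.countries.add(e.country)
        b.used_export |= e.action == "export"
        per_day[(e.token, e.day)] += 1
    for (tok, _), n in per_day.items():
        baselines[tok].daily_calls.append(n)
    return dict(baselines)

def detect(events, baselines, learn_days=30, spike_factor=10.0):
    """Return {token: sorted findings} for activity after the learning window.
    spike_factor is an assumed threshold: more than spike_factor times the mean
    daily call count in one day is reported as a volume spike."""
    findings = defaultdict(set)
    per_day = defaultdict(int)
    apps_touched = defaultdict(set)
    for e in events:
        if e.day < learn_days:
            continue
        b = baselines.get(e.token)
        if b is None:
            findings[e.token].add("unknown token (no baseline)")
            continue
        apps_touched[e.token].add(e.app)
        per_day[(e.token, e.day)] += 1
        if e.app not in b.apps:
            findings[e.token].add(f"new app {e.app} (SaaS-to-SaaS movement)")
        if e.resource not in b.resources:
            findings[e.token].add(f"new resource {e.app}/{e.resource}")
        if e.country not in b.countries:
            findings[e.token].add(f"new country {e.country}")
        if e.action == "export" and not b.used_export:
            findings[e.token].add("first use of export endpoint")
    for (tok, day), n in per_day.items():
        base = mean(baselines[tok].daily_calls) if baselines[tok].daily_calls else 0
        if base and n > spike_factor * base:
            findings[tok].add(f"volume spike day {day}: {n} calls vs ~{base:.0f}/day")
    # Relationship context: one token misbehaving in several applications is the
    # cascading pattern, so record the cross-app correlation as its own finding.
    for tok, apps in apps_touched.items():
        if findings[tok] and len(apps) > 1:
            findings[tok].add("correlated across apps: " + ",".join(sorted(apps)))
    return {t: sorted(f) for t, f in findings.items() if f}
```

`detect(SAMPLE_EVENTS, learn(SAMPLE_EVENTS))` reports the marketing token for a new country, a new resource, a first export, a volume spike and movement into the mail app, and reports the second token as having no baseline at all.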
Detection Speed Matters: Midnight Blizzard Case Study
The Midnight Blizzard attack against Microsoft demonstrates why detection speed is critical. Attackers maintained access to executive email accounts for months before discovery. During that time, they read sensitive communications, monitored ongoing negotiations, and gathered intelligence that informed subsequent attack campaigns.
With traditional detection: The compromise was detected months after initial access, after extensive data exposure had already occurred. Traditional tools saw legitimate OAuth tokens accessing authorized mailboxes through valid API calls-nothing appeared suspicious.
With behavioral detection: Anomalous token usage would have been visible within hours. The OAuth token accessing mailboxes it had never touched before, the geographic deviations in access patterns, and the unusual data access volumes would have triggered behavioral alerts immediately.
The difference between months and hours of detection time represents the difference between executive emails compromised and breach contained before significant data exposure.
For more information on how Obsidian detects these attacks, see our platform overview and our analysis of OAuth security for core SaaS applications.
Conclusion: Understanding How Attackers Move Through Your SaaS Environment
SaaS attack techniques have evolved far beyond simple credential theft. Modern attackers exploit OAuth tokens, abuse trusted integrations, and ride SaaS-to-SaaS connections to move laterally across cloud environments. They bypass MFA through token theft, persist through refresh tokens that survive password resets, and exfiltrate data through legitimate APIs that blend in with normal business operations.
Traditional security tools fail to detect these attacks because they were designed for different environments. CASBs see traffic but miss token abuse. SIEMs collect logs without behavioral context. EDR monitors endpoints that attackers never touch. The gap between what traditional tools detect and what attackers actually do creates blind spots where modern SaaS attacks operate undetected.
The incidents examined in this analysis (Midnight Blizzard, Salesloft-Drift, Snowflake, Twilio/Oktapus, and Commvault Metallic) demonstrate that these attacks are not theoretical. They're happening now, impacting hundreds of organizations, and causing millions in damages. The average time to compromise core systems has dropped to 9 minutes, while traditional detection methods take weeks or months to identify the breach.
Actionable Next Steps
Security teams facing these challenges should:
- Inventory OAuth tokens and integrations to understand what's talking to critical applications like Salesforce, Google Workspace, and Microsoft 365
- Identify over-privileged access where tokens and service accounts have permissions far beyond what they actually use
- Establish behavioral baselines for normal application and integration activity
- Implement detection for token abuse including geographic anomalies, unusual data access patterns, and SaaS-to-SaaS lateral movement
- Monitor non-human identities including service accounts, API keys, and OAuth tokens that operate outside traditional authentication flows
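The first two steps above (inventory integrations, find over-privileged access) as an added example, not from the original article or any vendor's product: it compares each OAuth application's granted scopes with the scopes its logged API calls actually exercised, then flags unused high-risk scopes and applications that made no calls at all. Scope names, grants, the endpoint-to-scope map and the audit log are constructed sample data.

```python
from collections import defaultdict
from typing import Optional

# Added example, not from the original article or any vendor's tooling: compare
# the scopes granted to each OAuth application with the scopes its logged API
# calls actually exercised. Grants, the endpoint-to-scope map and the audit log
# are constructed sample data; scope names are illustrative, not any provider's.

# Endpoint prefix -> scope needed to call it (a real inventory takes this from
# the provider's API documentation).
ENDPOINT_SCOPE = {
    "/crm/contacts": "crm.contacts.read",
    "/crm/opportunities": "crm.opportunities.read",
    "/crm/export": "crm.bulk.export",
    "/mail/messages": "mail.read",
    "/admin/users": "admin.directory.write",
}

# Scopes whose unused presence matters most.
HIGH_RISK_SCOPES = {"admin.directory.write", "crm.bulk.export"}

# app name -> granted scopes (constructed).
GRANTS = {
    "Marketing Connector": {"crm.contacts.read", "crm.bulk.export",
                            "mail.read", "admin.directory.write"},
    "Old Test App": {"mail.read", "admin.directory.write"},
    "Pipeline Sync": {"crm.contacts.read", "crm.opportunities.read"},
}

# (app, endpoint called) pairs from the audit window (constructed).
AUDIT_LOG = [
    ("Marketing Connector", "/crm/contacts?page=1"),
    ("Marketing Connector", "/crm/contacts?page=2"),
    ("Pipeline Sync", "/crm/contacts"),
    ("Pipeline Sync", "/crm/opportunities?stage=closed"),
]


def scope_for(endpoint: str) -> Optional[str]:
    """Resolve an endpoint (query string ignored) to the scope it requires."""
    path = endpoint.split("?", 1)[0]
    for prefix, scope in ENDPOINT_SCOPE.items():
        if path == prefix or path.startswith(prefix + "/"):
            return scope
    return None


def used_scopes(log):
    """app -> set of scopes actually exercised according to the log."""
    used = defaultdict(set)
    for app, endpoint in log:
        scope = scope_for(endpoint)
        if scope:
            used[app].add(scope)
    return used


def inventory(grants, log):
    """For each app: unused scopes, unused high-risk scopes, and whether the
    app made no logged calls at all (a forgotten-integration candidate)."""
    used = used_scopes(log)
    report = {}
    for app, granted in grants.items():
        unused = granted - used.get(app, set())
        report[app] = {
            "unused": sorted(unused),
            "high_risk_unused": sorted(unused & HIGH_RISK_SCOPES),
            "dormant": app not in used,
        }
    return report


if __name__ == "__main__":
    for app, r in inventory(GRANTS, AUDIT_LOG).items():
        print(app, r)
```

An application that is both dormant and holds an unused admin scope is the same shape as the forgotten test application in the Midnight Blizzard case, and is the first candidate for revocation.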
Understand How Attackers Would Move Through Your Environment
Attackers are already studying your SaaS environment, mapping the OAuth connections between ap


