When attackers compromise a single SaaS application, the breach rarely stops there. Through trusted integrations and OAuth connections, they quietly pivot from app to app, moving laterally across your SaaS ecosystem without ever touching your network. Traditional detection tools built for on-premises environments see nothing. The attacker rides those trusted connections straight into your most sensitive data, and your security stack remains silent.
Lateral movement has evolved. What once required network access and privilege escalation now happens through legitimate API calls and OAuth tokens. For IR and SecOps teams, this represents a fundamental detection challenge: attackers operate in the hidden layer between your SaaS applications, where traditional tools have zero visibility.
Key Takeaways
● Lateral movement in SaaS environments happens through trusted OAuth tokens, API credentials, and integrations, not network segments
● Traditional detection tools (EDR, NDR, SIEM, CASB) have blind spots for SaaS-to-SaaS lateral movement because attacks use legitimate cloud-to-cloud connections
● Real-world incidents like Salesloft-Drift demonstrate how attackers pivot through integration chains to reach 700+ downstream customer environments
● Detection requires behavioral analytics that correlate identity and activity across multiple SaaS platforms, tracking anomalies in API usage patterns
● Prevention focuses on reducing integration sprawl, enforcing least privilege on OAuth scopes, and implementing rapid token revocation capabilities
What is Lateral Movement in SaaS?
Lateral movement describes the technique where attackers, after gaining initial access to an environment, move through that environment to reach their ultimate objectives. In traditional network security, this meant pivoting between servers, workstations, and network segments to locate sensitive data or escalate privileges.
In SaaS environments, lateral movement takes a fundamentally different form. Attackers move between connected cloud applications using OAuth tokens, API credentials, service accounts, and integrations. The critical distinction: lateral movement no longer requires network access. It happens through trusted SaaS connections that your network security tools never see.
When an attacker compromises one SaaS application or steals one set of credentials, they immediately begin mapping the integration landscape. Which apps connect to this one? What permissions do those integrations have? Can I use this OAuth token to access connected applications? The answers to these questions determine the blast radius of the breach.
The shift from network-based to SaaS-based lateral movement represents a blind spot where attackers operate undetected. Your EDR monitors endpoints. Your firewall watches the perimeter. Your SIEM ingests authentication logs. But when an attacker uses a stolen OAuth refresh token to pivot from a compromised marketing automation platform into your Salesforce instance, none of these tools generate an alert. The movement happens at the API layer, through legitimate cloud-to-cloud connections, appearing as normal SaaS-to-SaaS communication.
How Lateral Movement Works in SaaS Environments
The anatomy of SaaS lateral movement follows a predictable pattern that IR teams must understand to contain breaches effectively.
Initial Access: The attack begins with compromise of a single SaaS application or theft of one credential. This could be a successful phishing campaign, a vendor breach, stolen API keys from a code repository, or compromised service account credentials. The initial foothold often occurs in a lower-security application that security teams overlook.
Discovery: Once inside, attackers enumerate the integration landscape. They identify which applications connect to the compromised app, what OAuth scopes those integrations possess, and which API endpoints are accessible. In many cases, this discovery happens through legitimate API calls that appear as normal administrative activity.
Pivoting: Armed with knowledge of the integration topology, attackers leverage OAuth tokens or API keys to access connected applications. Because these tokens function as bearer tokens (something like a key; whoever has it can use it), no additional authentication challenge occurs. The attacker presents the stolen token and gains access to the downstream application.
Escalation: Attackers specifically target overprivileged integrations with write, delete, or admin permissions across multiple applications. These toxic combinations enable access to sensitive data and administrative functions. A marketing integration with read/write access to your CRM becomes a pathway to customer data. A reporting tool with admin permissions across multiple SaaS platforms becomes a privilege escalation vector.
Persistence: To maintain long-term access, attackers rely on OAuth refresh tokens that survive password resets and continue functioning even after the initial compromise is discovered. These refresh tokens operate outside traditional login flows, bypassing your SSO and MFA controls entirely.
Understanding how AI agents interact with SaaS applications adds another dimension to this threat landscape, as automated agents often possess broad permissions across multiple systems.
Lateral Movement Attack Techniques in SaaS
OAuth Token Abuse
OAuth tokens represent the primary vector for SaaS lateral movement. Most SaaS applications implement OAuth tokens as bearer tokens, meaning possession of the token grants access without additional authentication.
Attackers steal OAuth tokens from compromised vendors, intercepted API traffic, or exposed integration configurations. Once obtained, these tokens provide direct access to downstream customer environments. The attack bypasses MFA entirely because the OAuth token represents an already-authenticated session.
Real Incident: The Salesloft-Drift breach demonstrates the devastating potential of OAuth token abuse for lateral movement. When attackers compromised Drift's infrastructure, they gained access to OAuth tokens that Drift used to integrate with customer Salesloft instances. From Salesloft, the attackers identified additional OAuth connections to customer Salesforce environments. The result: attackers moved from Drift → Salesloft → 700+ Salesforce instances, multiplying the blast radius exponentially. This integration chain attack affected hundreds of organizations through a single initial compromise.
The attack succeeded because each OAuth token in the chain possessed legitimate permissions. Security tools monitoring individual applications saw authorized API activity. No anomalous authentication events occurred. The lateral movement happened through trusted connections at API speed.
Service Account Exploitation
Service accounts and other non-human identities present attractive targets for lateral movement because they typically possess elevated privileges across multiple applications and operate outside normal user authentication flows.
Attackers who compromise service account credentials gain cross-application access without triggering user-based detection rules. These accounts often have admin privileges, enabling both lateral movement and privilege escalation in a single step.
Service accounts rarely have the same security controls as user accounts. They lack MFA, use long-lived credentials, and often escape regular access reviews. This makes them persistent lateral movement vectors that survive even aggressive incident response efforts.
API Credential Theft
API keys and tokens stored in code repositories, build pipelines, configuration files, and logs provide another pathway for lateral movement. Unlike OAuth tokens tied to specific integrations, API credentials often grant broad access to multiple services.
Attackers mine code repositories, scan exposed environment variables, and extract credentials from build logs to obtain API keys. These credentials enable access to the issuing application and any services that accept those keys for authentication.
Real Incident: The CircleCI breach exposed how stolen API credentials enable lateral movement to customer environments. When attackers compromised CircleCI's infrastructure, they gained access to customer secrets and API credentials stored in the CI/CD platform. These credentials provided direct access to customer SaaS environments, enabling lateral movement without any additional exploitation.
The incident highlighted a critical SaaS supply chain risk: when you store credentials in a third-party platform, compromise of that platform grants attackers the keys to your entire SaaS ecosystem.
Session Hijacking Chains
Adversary-in-the-Middle (AiTM) phishing attacks capture authenticated sessions, which attackers then use to authorize new OAuth integrations. These newly authorized integrations provide persistent access for future lateral movement.
The attack chain works as follows: phishing captures a valid session token, the attacker uses that session to authorize a malicious OAuth application, the malicious application receives an OAuth token with whatever permissions the user approves, and that OAuth token enables lateral movement to connected applications.
This technique transforms a temporary session hijack into persistent lateral movement capability. Even after the victim changes their password and the original session expires, the OAuth token continues functioning.
Understanding how phishing attacks work in SaaS environments helps IR teams recognize the early warning signs of this attack pattern.
Integration Chain Exploitation
The most sophisticated lateral movement attacks exploit multi-hop integration chains where data flows through multiple connected applications. Compromise of one app in the chain provides access to all downstream applications.
Consider a typical SaaS integration chain: Marketing Automation → CRM → Analytics Platform → Data Warehouse. Each connection uses OAuth tokens or API credentials. Each application trusts the upstream app to send data. When an attacker compromises the marketing automation platform, they inherit access to the entire chain.
These integration chains create invisible attack paths that bypass traditional security controls. The attacker never directly authenticates to the target application. They ride the trusted connections, moving laterally through legitimate data flows.
According to Obsidian's network data, the average enterprise SaaS environment contains dozens of these integration chains, many unknown to security teams. The operational reality: most organizations cannot answer the question "what's talking to my Salesforce?" without significant manual investigation.
Why SaaS Lateral Movement is Different
SaaS lateral movement fundamentally differs from traditional network-based lateral movement in ways that render conventional detection approaches ineffective.
No network perimeter to cross: Attackers don't move between IP addresses or network segments. They move between cloud applications using API calls. Your firewall never sees the traffic. Your network monitoring tools record nothing.
Legitimate credentials and trusted connections: Every step of the lateral movement uses valid OAuth tokens, API credentials, or service account keys. The attacker presents legitimate credentials to legitimate services. From the application's perspective, this is authorized activity.
Normal SaaS-to-SaaS communication: The API calls that enable lateral movement look identical to normal integration traffic. An attacker using a stolen OAuth token to query your Salesforce API generates the same logs as the legitimate integration making that same query. Without behavioral context, distinguishing malicious from benign is impossible.
Traditional network detection tools see nothing: Because SaaS-to-SaaS traffic doesn't traverse your network, tools built to monitor network traffic have zero visibility. The lateral movement happens in the cloud, between cloud services, using cloud-native authentication mechanisms.
Movement at API speed: Automated attacks can query APIs, extract data, and pivot to connected applications 10x faster than human activity. By the time your weekly access review identifies suspicious permissions, the attacker has already moved laterally through your entire SaaS ecosystem.
This combination of factors creates the hidden layer where attackers operate undetected. Your security stack monitors the wrong layer. The actual lateral movement happens above the network, in the relationships between SaaS applications.
Why Traditional Tools Fail to Detect SaaS Lateral Movement
SASE and Network-Based Detection
Secure Access Service Edge (SASE) architectures combine networking and security functions, including SD-WAN, secure web gateways, and zero trust network access. While SASE excels at securing user-to-cloud traffic and enforcing policies at the network edge, these solutions were designed for a different threat model. They monitor traffic flowing through corporate infrastructure and cloud access points, looking for lateral movement patterns like unauthorized access attempts and policy violations.
In SaaS environments, lateral movement doesn’t traverse your network or SASE infrastructure. When an attacker uses an OAuth token to pivot from a compromised marketing platform to your Salesforce instance, the API call goes directly from one cloud service to another. Your SASE solution, positioned to monitor traffic flowing through your network edge, sees nothing. The traffic never touches your infrastructure because it’s backend cloud-to-cloud communication.
This represents zero visibility into cloud-to-cloud lateral movement. Even with a comprehensive SASE deployment, the attack happens in a layer your network-centric tools cannot access.
Endpoint Detection
Endpoint Detection and Response (EDR) tools monitor workstations and servers for malicious activity. They excel at detecting lateral movement techniques like Pass-the-Hash, credential dumping, and remote execution.
But when lateral movement is API-based, attackers never touch endpoints. The entire attack chain executes in the cloud through API calls. No malware runs on user workstations. No suspicious processes spawn on servers. The EDR agent has nothing to detect because the attack occurs entirely outside the endpoint layer.
Attackers moving between SaaS apps through OAuth tokens and API credentials operate in a space EDR cannot see.
SIEM Limitations
Security Information and Event Management (SIEM) platforms ingest logs from various sources to detect attacks. In theory, a SIEM could detect SaaS lateral movement by analyzing authentication logs and API activity.
In practice, several limitations prevent effective detection:
Lack of SaaS-specific context: SIEMs struggle to understand the relationships between SaaS applications. They see authentication events in isolation but cannot correlate activity across different platforms to identify lateral movement patterns.
Focus on authentication, not post-auth activity: Traditional SIEM rules focus on authentication anomalies (impossible travel, unusual login times). SaaS lateral movement often uses valid OAuth tokens that bypass authentication entirely. The SIEM sees no authentication event because the token represents an already-authenticated session.
Volume and noise: SaaS environments generate massive volumes of API logs. Without behavioral baselines specific to each integration, distinguishing malicious lateral movement from legitimate integration activity becomes impossible. The signal drowns in noise.
Static point-in-time data: SIEMs capture logs at the moment they're generated but lack understanding of the changing relationships between SaaS applications. They cannot answer questions like "which integrations have access to this data?" or "if this app is compromised, what's the blast radius?"
CASB Blind Spots
Cloud Access Security Brokers (CASB) monitor user-to-cloud traffic, typically through inline proxies or API connections. They provide visibility into user activity within SaaS applications and can enforce policies on data movement.
However, CASBs have a critical blind spot: they miss backend SaaS-to-SaaS API communication. When a CASB operates in proxy mode, it sees traffic flowing from users through the proxy to cloud applications. It does not see direct API calls between cloud applications.
Lateral movement between cloud apps is invisible to CASB solutions because that traffic never passes through the proxy. The attacker uses stolen OAuth tokens to make direct API calls from one cloud service to another. The CASB, positioned to monitor user activity, sees nothing.
Even API-based CASBs struggle with this challenge because they typically connect to individual applications in isolation. They lack the cross-platform correlation needed to track lateral movement across multiple SaaS applications.
Detecting Lateral Movement in SaaS
Effective detection of SaaS lateral movement requires a fundamentally different approach than traditional network-based detection. IR and SecOps teams need visibility into the hidden layer between SaaS applications and the ability to correlate activity across multiple platforms.
Monitor Cross-Application Activity Patterns
Detection begins with understanding which integrations access which data under normal circumstances. Establish baselines for each integration's typical behavior:
● Which API endpoints does this integration call?
● What volume of data does it typically access?
● When does it normally operate?
● Which data types does it query?
Once baselines exist, alert on anomalies that indicate potential lateral movement:
● Sudden spikes in API volume: An integration that normally queries 100 records per day suddenly requests 10,000 records
● New access patterns: An integration begins calling API endpoints it has never accessed before
● Unusual timing: An integration that typically operates during business hours shows activity at 3 AM
● Data exfiltration indicators: Large-scale export operations or bulk download requests
These behavioral anomalies often represent the discovery and pivoting phases of lateral movement, where attackers enumerate the environment and extract data.
Correlate Identity Across SaaS Platforms
Traditional security tools analyze activity within individual applications. Detecting lateral movement requires connecting activity in App A to the same identity's activity in App B.
Build correlation capabilities that:
● Track the same OAuth token across multiple applications: When an attacker uses a stolen token to access connected apps, correlate those access events to identify the lateral movement pattern
● Connect service account activity across platforms: If a service account shows suspicious behavior in one application, immediately investigate its activity in all connected applications
● Map blast radius when credentials are compromised: When one credential is compromised, instantly identify every application and integration that credential can access
This cross-platform correlation transforms isolated security events into a coherent picture of attacker movement through your SaaS ecosystem.
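As an added example (not Obsidian's code or any product's API), the "map blast radius" and "what's talking to my Salesforce?" questions above, and the pre-mapping of integration chains under Enable Rapid Response, can be answered by treating the integration inventory as a directed graph. The app names echo the Drift → Salesloft → Salesforce chain from the post; the scopes, tiers and extra apps are constructed.

```python
from collections import deque

# Constructed integration inventory, not real data: (source app, target app,
# OAuth scopes the source holds on the target). The drift -> salesloft ->
# salesforce hops mirror the chain described in the post; the rest is made up.
INTEGRATIONS = [
    ("drift", "salesloft", {"read:contacts", "write:activities"}),
    ("salesloft", "salesforce", {"api", "full", "refresh_token"}),
    ("salesforce", "analytics", {"read:reports"}),
    ("analytics", "warehouse", {"read:tables"}),
    ("hr-tool", "salesforce", {"read:users"}),
]

# Assumed sensitivity tier for each app (the "tiered access controls" idea).
TIER = {"drift": "low", "salesloft": "medium", "salesforce": "high",
        "analytics": "medium", "warehouse": "high", "hr-tool": "medium"}
RANK = {"low": 0, "medium": 1, "high": 2}
# Scopes treated as write/admin-like for the toxic-combination check (assumed).
PRIVILEGED = {"full", "admin"}


def build_graph(integrations):
    """Adjacency list: app -> [(downstream app, scopes)]; every app gets a key."""
    graph = {}
    for src, dst, scopes in integrations:
        graph.setdefault(src, []).append((dst, frozenset(scopes)))
        graph.setdefault(dst, [])
    return graph


def blast_radius(graph, compromised):
    """Every app reachable from `compromised` by riding integration edges,
    mapped to the hop path an attacker holding its tokens would follow."""
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        app = queue.popleft()
        for dst, _ in graph.get(app, []):
            if dst not in paths:          # first discovery = shortest hop path
                paths[dst] = paths[app] + [dst]
                queue.append(dst)
    del paths[compromised]
    return paths


def upstream_of(graph, target):
    """Answer "what's talking to my <target>?": all apps with a path into it."""
    reverse = {}
    for src, edges in graph.items():
        for dst, _ in edges:
            reverse.setdefault(dst, []).append(src)
    seen, queue = set(), deque([target])
    while queue:
        app = queue.popleft()
        for src in reverse.get(app, []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


def toxic_edges(integrations, tier=TIER):
    """Edges where a lower-tier app holds write/admin-like scopes into a
    higher-tier app: the low-trust -> high-value pathways the post warns about."""
    found = []
    for src, dst, scopes in integrations:
        privileged = sorted(s for s in scopes
                            if s in PRIVILEGED or s.startswith("write:"))
        if privileged and RANK[tier[src]] < RANK[tier[dst]]:
            found.append((src, dst, privileged))
    return found


if __name__ == "__main__":
    g = build_graph(INTEGRATIONS)
    for app, path in blast_radius(g, "drift").items():
        print(f"drift compromise reaches {app} ({TIER[app]}): {' -> '.join(path)}")
    print("upstream of salesforce:", sorted(upstream_of(g, "salesforce")))
    for src, dst, scopes in toxic_edges(INTEGRATIONS):
        print(f"toxic: {src} ({TIER[src]}) -> {dst} ({TIER[dst]}) via {scopes}")
```

Feeding the same functions an inventory exported from your own OAuth and API-key audit gives the blast-radius answer before an incident rather than during one.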
Behavioral Analytics for API Traffic
API traffic analysis requires sophisticated behavioral analytics that understand normal versus anomalous behavior for each integration and service account.
Establish behavioral baselines that include:
● Normal IP ranges and ASNs: Where does this integration typically operate from?
● Expected User-Agent strings: What client software normally uses this API key?
● Typical data access patterns: What queries and operations are normal for this integration?
● Standard operational hours: When does this service account normally operate?
Alert on deviations that indicate credential theft or token abuse:
● ASN deviation: An OAuth token normally used from AWS infrastructure suddenly appears from a residential proxy network
● User-Agent attribution anomalies: An API key normally used by a specific integration client appears with a different User-Agent string
● Unusual data volumes: Sudden spikes in data access that exceed normal patterns
● New API calls: The integration begins calling endpoints it has never accessed
These behavioral signals often provide the earliest indication of lateral movement in progress.
Track OAuth Token and API Key Usage
Implement monitoring specifically focused on how and where tokens are being used:
● Geographic anomalies: Token used from unexpected countries or regions
● Infrastructure anomalies: Token normally used from SaaS provider infrastructure appears from different cloud provider or residential IP
● Token replay detection: Same token used simultaneously from multiple locations
● Refresh token abuse: Refresh tokens used to generate new access tokens after the original user session has ended
Flag tokens used from unexpected locations or infrastructure as high-priority alerts. When an OAuth token authorized from your corporate network suddenly appears in API requests from a foreign IP address, that's a strong indicator of token theft and potential lateral movement.
Detection of these patterns requires understanding the normal operational context for each token and the ability to correlate token usage across multiple applications and time periods.
For organizations implementing AI security across SaaS, these detection principles apply equally to AI agent credentials and human user tokens.
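An added example, not from the original post: the per-integration baseline from Monitor Cross-Application Activity Patterns, the ASN and User-Agent checks from Behavioral Analytics for API Traffic, and the token-replay and volume-spike checks from this section, run over a constructed JSON-lines audit log. The field names (ts, integration, token, endpoint, records, asn, ua) are assumed, not any product's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines audit log for one integration; field names are
# assumed, not a real product's schema. Two normal days form the baseline.
BASELINE_LOG = """
{"ts":"2024-03-01T09:05:00","integration":"mkt-sync","token":"tok-A","endpoint":"/contacts","records":80,"asn":"AS16509","ua":"mkt-sync/2.1"}
{"ts":"2024-03-01T14:10:00","integration":"mkt-sync","token":"tok-A","endpoint":"/contacts","records":20,"asn":"AS16509","ua":"mkt-sync/2.1"}
{"ts":"2024-03-02T09:06:00","integration":"mkt-sync","token":"tok-A","endpoint":"/contacts","records":90,"asn":"AS16509","ua":"mkt-sync/2.1"}
{"ts":"2024-03-02T15:00:00","integration":"mkt-sync","token":"tok-A","endpoint":"/leads","records":10,"asn":"AS16509","ua":"mkt-sync/2.1"}
"""
# Day three (constructed): the usual morning sync, plus a 3 AM bulk export from
# a new ASN and client, followed two minutes later by the real client using the
# same token from its normal ASN.
DAY3_LOG = """
{"ts":"2024-03-03T09:05:00","integration":"mkt-sync","token":"tok-A","endpoint":"/contacts","records":100,"asn":"AS16509","ua":"mkt-sync/2.1"}
{"ts":"2024-03-03T03:02:00","integration":"mkt-sync","token":"tok-A","endpoint":"/export/bulk","records":10000,"asn":"AS12345","ua":"python-requests/2.31"}
{"ts":"2024-03-03T03:04:00","integration":"mkt-sync","token":"tok-A","endpoint":"/contacts","records":5,"asn":"AS16509","ua":"mkt-sync/2.1"}
"""


def parse(log):
    events = [json.loads(line) for line in log.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def build_baseline(events):
    """Per-integration profile: endpoints, active hours, ASNs, User-Agents,
    and the busiest day's record count."""
    base = defaultdict(lambda: {"endpoints": set(), "hours": set(), "asns": set(),
                                "uas": set(), "daily": defaultdict(int)})
    for e in events:
        b = base[e["integration"]]
        b["endpoints"].add(e["endpoint"])
        b["hours"].add(e["ts"].hour)
        b["asns"].add(e["asn"])
        b["uas"].add(e["ua"])
        b["daily"][e["ts"].date()] += e["records"]
    for b in base.values():
        b["max_daily"] = max(b["daily"].values())
    return base


def detect(events, base, spike_factor=10, replay_window=timedelta(minutes=5)):
    """Return (integration, kind, detail, ts) alerts for deviations from baseline.
    Token replay = the same token seen from two ASNs within `replay_window`."""
    alerts = []
    daily = defaultdict(int)   # (integration, date) -> records so far that day
    spiked = set()             # days already flagged, to avoid repeat alerts
    last_seen = {}             # token -> (ts, asn) of its previous use
    for e in sorted(events, key=lambda x: x["ts"]):
        name, ts = e["integration"], e["ts"]
        b = base.get(name)
        if b is None:
            alerts.append((name, "unknown_integration", name, ts))
            continue
        if e["endpoint"] not in b["endpoints"]:
            alerts.append((name, "new_endpoint", e["endpoint"], ts))
        if ts.hour not in b["hours"]:
            alerts.append((name, "unusual_hour", f"{ts.hour:02d}:00", ts))
        if e["asn"] not in b["asns"]:
            alerts.append((name, "asn_deviation", e["asn"], ts))
        if e["ua"] not in b["uas"]:
            alerts.append((name, "ua_anomaly", e["ua"], ts))
        key = (name, ts.date())
        daily[key] += e["records"]
        if key not in spiked and daily[key] > spike_factor * b["max_daily"]:
            spiked.add(key)
            alerts.append((name, "volume_spike", f"{daily[key]} records", ts))
        prev = last_seen.get(e["token"])
        if prev and prev[1] != e["asn"] and ts - prev[0] <= replay_window:
            alerts.append((name, "token_replay", f"{prev[1]} and {e['asn']}", ts))
        last_seen[e["token"]] = (ts, e["asn"])
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for name, kind, detail, ts in detect(parse(DAY3_LOG), baseline):
        print(f"{ts:%Y-%m-%d %H:%M} {name}: {kind} ({detail})")
```

The 3 AM export trips five separate signals at once, and the legitimate client's next call two minutes later trips the replay check; a single stolen token rarely deviates on only one axis, which is why the checks are scored together per integration rather than as isolated rules.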
Preventing Lateral Movement in SaaS
While detection is critical, prevention reduces the attack surface and limits the blast radius when breaches occur.
Reduce the Attack Surface
The most effective prevention strategy: eliminate unnecessary integrations that create lateral movement pathways.
Audit all integrations: Conduct comprehensive reviews of every OAuth connection, API key, service account, and webhook in your SaaS environment. Many organizations discover hundreds of integrations they didn't know existed.
Identify toxic combinations: Focus on stale integrations with broad access: the abandoned marketing tool that still has admin permissions to your CRM, the proof-of-concept integration that never got deprovisioned but retains write access to production data.
Remove unnecessary connections: Every integration represents a potential lateral movement pathway. If the business value doesn't justify the risk, revoke the connection.
According to Obsidian's data, the average enterprise has 30-40% more active integrations than their IT and security teams can identify through manual audits. These unknown integrations represent blind spots where attackers operate.
Enforce Least Privilege by Segmenting SaaS Access
Implement governance policies that limit which applications can connect to which other applications:
● Prevent low-trust apps from accessing high-value data: Marketing automation tools don't need write access to financial systems
● Enforce approval workflows: Require security review before integrations can access sensitive applications
● Implement tiered access controls: Classify applications by sensitivity and restrict which apps can integrate with each tier
This segmentation creates barriers that limit lateral movement. Even if attackers compromise a low-security application, they cannot pivot to high-value targets if those connections are blocked by policy.
Implement Token Lifecycle Management
Reduce the window of opportunity for lateral movement by managing token lifespans:
● Shorten token lifespans: Limit how long OAuth tokens remain valid
● Revoke tokens when employees leave: Ensure departing employees' authorized integrations are deprovisioned
● Rotate API credentials regularly: Implement automated rotation for service account credentials and API keys
● Monitor refresh token usage: Track when and where refresh tokens generate new access tokens
Token lifecycle management ensures that even if credentials are stolen, they expire quickly, limiting the attacker's ability to maintain persistent access for lateral movement.
Enable Rapid Response
When lateral movement is detected, response speed determines the blast radius. Prepare for rapid containment:
● Pre-map integration chains: Understand the topology of your SaaS ecosystem before an incident occurs. Know which apps connect to which other apps.
● Build playbooks for token revocation: Document the process for revoking OAuth tokens across affected applications. Practice these procedures.
● Practice incident response: Conduct tabletop exercises specifically focused on SaaS-to-SaaS breaches and lateral movement scenarios
● Automate where possible: Implement automated workflows that can rapidly revoke suspicious tokens when anomalies are detected
The Salesloft-Drift incident demonstrated how quickly lateral movement can spread through integration chains. Organizations that had pre-mapped their integration topology and practiced token revocation procedures contained the breach faster than those who had to discover their integration landscape during the incident.
How Obsidian Security Detects SaaS Lateral Movement
Obsidian Security provides the cross-platform visibility and behavioral analytics required to detect and respond to SaaS lateral movement.
Unified visibility across core SaaS applications: Obsidian connects to your critical SaaS platforms (Microsoft 365, Google Workspace, Salesforce, Workday, ServiceNow, Slack, and others) to provide a single pane of glass view of your entire SaaS ecosystem. This eliminates the blind spots that enable undetected lateral movement.
Knowledge Graph maps integration chains and data flows: Obsidian's Knowledge Graph technology maps the relationships between your SaaS applications, showing which apps connect to which other apps, what permissions those integrations possess, and how data flows through your environment. This topology mapping enables blast radius analysis and identifies the integration chains that attackers could exploit for lateral movement.
Behavioral analytics detect anomalous cross-app activity: Machine learning models establish baselines for normal behavior for each integration, service account, and OAuth token. The system alerts on deviations that indicate potential lateral movement: unusual API volumes, unexpected data access patterns, ASN deviations, and User-Agent anomalies.
Correlates identity across platforms to track attacker movement: When suspicious activity occurs in one application, Obsidian automatically investigates that same identity's activity across all connected platforms. This cross-platform correlation reveals lateral movement patterns that would remain invisible when analyzing applications in isolation.
Breach impact analysis: When one application is compromised or a vendor breach notification arrives, Obsidian instantly identifies which connected applications are at risk. The platform answers the critical IR question: "If this app is compromised, what can the attacker access?"
Risk scoring prioritizes integrations that enable lateral movement: Not all integrations pose equal risk. Obsidian identifies and prioritizes the toxic combinations: stale integrations with overprivileged permissions that create high-risk lateral movement pathways. This enables security teams to focus remediation efforts where they'll have the greatest impact.
By providing the visibility, correlation, and behavioral analytics that traditional tools lack, Obsidian enables IR and SecOps teams to detect SaaS lateral movement that would otherwise go unnoticed until data exfiltration or business disruption occurs.
Conclusion
Lateral movement has fundamentally evolved. Attackers no longer need to pivot between network segments or escalate privileges on compromised servers. They move through trusted SaaS connections, using legitimate OAuth tokens and API credentials to traverse your cloud ecosystem at API speed.
This evolution creates a critical challenge for IR and SecOps teams: traditional detection tools built for network-based lateral movement have zero visibility into SaaS-to-SaaS attacks. Your EDR monitors endpoints the attacker never touches. Your NDR watches network traffic the attack never generates. Your SIEM ingests authentication logs for sessions that bypass authentication entirely.
Real-world incidents like Salesloft-Drift, CircleCI, and SolarWinds demonstrate the devastating potential of SaaS lateral movement. A single compromised integration can provide access to hundreds of downstream customer environments. A stolen service account credential can enable privilege escalation across your entire SaaS ecosystem.
Detection requires a fundamentally different approach: cross-platform visibility that maps integration chains, behavioral analytics that establish baselines for each OAuth token and API key, and correlation capabilities that track identity across multiple SaaS platforms. Without these capabilities, lateral movement remains invisible until the breach is discovered through data exfiltration or business disruption.
Prevention focuses on reducing the attack surface: eliminate unnecessary integrations, enforce least privilege on OAuth scopes, implement token lifecycle management, and segment access to prevent low-trust applications from connecting to high-value data.
For IR and SecOps teams, the operational reality is clear: you cannot secure what you cannot see. The hidden layer between your SaaS applications represents the attack surface where modern threats operate. Closing this visibility gap requires purpose-built solutions that understand SaaS-to-SaaS relationships and can detect the behavioral anomalies that indicate lateral movement in progress.
The attackers have already adapted to the SaaS-first enterprise architecture. Detection and response capabilities must evolve to match.