SaaS Alerts Releases 4th Annual SaaS Application Security Insights (SASI) Report

Report Shows Continued Low Adoption of MFA and Identifies Threat Vectors to Watch in 2024

ALLENTOWN, PA — March 6, 2024 — SaaS Alerts, a cybersecurity company delivering an automated software-as-a-service (SaaS) security platform designed to detect and stop unauthorized activity in customer SaaS applications, today announced the findings of its latest SaaS Application Security Insights (SASI) Report that shows there is massive opportunity for MSPs to help their small and mid-market business clients.  

The 2024 SASI report analyzed SaaS application security records of more than 18,000 SMBs and nearly 2 million end-user accounts last year. According to the report, SaaS security experts described a year of evolving cybersecurity threats where hackers concentrated on brute-force attacks, as well as developed new, more efficient techniques for breaching systems, such as token hijacking, PhaaS, and IP address localization.

Most alarming is the continued low adoption of multi-factor authentication (MFA) among MSPs’ customers. Among the end-user accounts included in the 2024 report, only 35% enabled MFA, a slight 3% increase over the findings in the 2023 SASI Report. This threat is exacerbated by the fact that more users are using OAuth to log into other SaaS applications with their same Microsoft 365 or Google Workspace credentials. 

The report also revealed a 75% increase in guest user accounts. Guest users accounts are created on the fly when sharing documents externally and are often left dormant and unmonitored. Because most guest user accounts are granted the same permissions as internal staff accounts, companies increase their exposure to data breaches and exfiltration. 

“There’s a promise of greater IT budgets and increased use of cloud applications in 2024, which is great news for MSPs. But it’s also a gift for cybercriminals who see the potential for broader and more unsecured attack surfaces,” said Jim Lippie, co-founder and CEO of SaaS Alerts. “The rules are changing, and MSPs need to keep up. To protect their customers in this new environment, they’ll need greater visibility into user behavior, login and geolocation data, and potential weak points.”

Global Sources Continue to Dominate Threats

Attempted unauthorized logins continue to rise in China, India, South Korea, Brazil, and Russia, accounting for 57% of the attempted intrusions last year combined. As U.S.-China tensions escalate, cyberattacks will likely follow.  

While many of these attempted attacks are geared toward industrial espionage, China is also ramping up attacks on U.S. infrastructure networks. Similar efforts from Russia are also expected to increase.

Microsoft 365 and Google Workspace were the most widely-used SaaS applications in the dataset, so they naturally were the most active sources of critical alerts last year. However, only about 1% of alerts from M365 and Google required immediate attention. Meanwhile, Slack was more problematic, with 12% of related alerts identified as critical. That was an almost nine-point jump from Slack’s critical alerts ratio of 3.77% last year.

SaaS Alerts’ research has shown that attack tools have been actively created for over 50 distinct SaaS applications, including both business and consumer applications. “The increase in SaaS applications being targeted should serve as a warning to MSPs,” said Lippie. “When it comes to protecting your clients, SaaS security needs to move beyond M365 and Google.”

In 2023, SaaS Alerts monitored more than 2.5 billion SaaS events. Most of those events (97.5%) were low severity, leaving more than 60 million medium-severity and critical events to address. The most common high-severity threats included successful logins from outside approved locations, and files opened or downloaded outside an approved location. 

“Alerts warn MSPs that something is happening that needs attention. When stacked together, they are indicators of compromise. Without proper monitoring in place, breaches can go undetected for months,” said Lippie. “SaaS Alerts stopped nearly 7,900 potential breaches last year using our automated Respond module. With Respond, bad actors can be blocked within five to 15 minutes of receiving data from Microsoft.”

Hackers Changing Tactics

In addition to traditional brute-force attacks, the report warns MSPs to be prepared for increased attacks with these methods: 

• PhaaS, where hackers provide a list of email addresses with messages and logos of the companies they’re trying to impersonate to a PhaaS platform. The hacking software sets up a virtual server and runs the hack on autopilot. The program then sends back the stolen credentials. 
• Token hijacking, which allows hackers to bypass MFA and Conditional Access, happens when bad actors set up a server between the end-user’s login screen and the SaaS service being logged into, such as M365, and allows them to intercept a user’s access token to then access the end-user’s account.
• IP address localization allows hackers to get around geolocation fencing by localizing their IP addresses to bypass foreign login flags. 

To protect themselves and their customers from these attacks, MSPs should continue regular education to help customers identify potential threats and proactively monitor accounts for suspicious activities before they lead to extensive data exfiltration or loss. Other steps recommended in the report include:

• Enable and enforce MFA, both internally and with all clients.
• Track file-sharing activity to identify data exfiltration and internal threats.
• Store and regularly review historical user-behavior data, even if it didn’t lead to a breach.
• Promptly investigate and respond to unusual user behavior that presents a potential threat.
• Monitor OAuth logins and don’t ignore other SaaS applications just because they’re not Microsoft or Google

For more insights and recommendations, the 2024 SASI Report is free to download. 

About SaaS Alerts

SaaS Alerts is a cybersecurity platform for managed service providers (MSPs) to detect and automate the remediation of SaaS security threats. The platform provides unified, real-time monitoring of core business SaaS applications to protect against data theft and malicious actors, including Microsoft 365, Google Workspace, Salesforce, Slack and Dropbox. 

SaaS Alerts uses machine learning pattern detection to identify breaches, create instant alerts, and lock affected accounts, providing MSPs with valuable time to respond before further damage can occur. It also enables users to terminate dangerous end-user file sharing activities and automate essential security tasks, enhancing efficiency and overall customer security. Learn more at www.saasalerts.com.