By
In 2024, we witnessed a significant evolution in SaaS-based TTPs, which enabled bad actors to bypass traditional entry points, exploit SaaS misconfigurations and identity systems, and compromise sensitive data faster and more efficiently than ever before.
In this post, we’ll explore the most impactful SaaS security incidents of 2024, examine the expanding SaaS attack surface, and share insights from industry experts on what 2025 holds. From the rising role of AI in attacks to the critical need for Zero Trust and identity management, our experts make it clear: Bad actors are instigating widespread attacks across large enterprises by first gaining a foothold into SaaS applications. This requires that organizations rethink and strengthen their security strategies to stay ahead.
2024 Incident Highlights: What We Learned
Several high-profile incidents in 2024 exemplified the risks associated with SaaS applications:
Midnight Blizzard targets Microsoft
Russian nation-state attackers used compromised credentials to gain access to Microsoft’s internal systems. The attack centered around a legacy OAuth app with high-level permissions, granting attackers access to Microsoft 365 environments and exfiltrating senior executives’ emails.
Cloudflare-Atlassian Breach
Attackers used OAuth tokens from a previous breach to infiltrate Cloudflare’s Atlassian instance, accessing internal code repositories and exfiltrating sensitive source code related to operational technologies.
Snowflake and ServiceNow Breaches
Both Snowflake and ServiceNow were targeted in credential-based attacks. These breaches highlighted how misconfigurations in single sign-on (SSO) enforcement, IP restrictions, and dormant accounts opened the door for attackers to exploit sensitive data.
Each of these incidents underscores a key point: Attackers don’t need to breach your network if they can simply walk through the front door using stolen credentials. To protect sensitive customer and proprietary data, organizations must address the risk that SaaS misconfigurations pose to their environments.
The Attack Surface Has Shifted—and It’s Bigger Than Ever
The last two years have seen a major expansion of the attack surface. Organizations now manage dozens, if not hundreds, of SaaS apps, each with its own security settings, identity systems, and vulnerabilities. As businesses move away from on-premises models to cloud-based applications, the perimeter dissolves, leaving companies reliant on remote access and third-party integrations to manage critical operations.
Attackers have evolved alongside this shift in technology. Traditional security models that focused on perimeter defense and endpoint protection are no longer enough. Today’s attackers are bypassing these controls and using SaaS as entry points, where identity misconfigurations, overly permissive access controls, and application programming interface (API) vulnerabilities leave organizations exposed.
To complicate matters, advancements in AI have given attackers new tools to exploit SaaS vulnerabilities at scale, making proactive and AI-driven security essential. Threat actors recognize these vulnerabilities and continue to refine their methods.
Brian Soby, CTO and Co-Founder, AppOmni: “In 2024, business was disrupted by costly SaaS ‘bypass’ breaches that circumvented their IAM and ZT controls. 2025 will bring awareness to end-to-end controls needed for SaaS with tight interdependencies between ZT [zero trust], identity, SaaS posture, and detection and response capabilities.”
Vishal Chawla, Founder & CEO, BluOcean Cyber: “In today’s enterprises, SaaS applications drive mission-critical business processes like finance, HR, supply chain, CRM etc. Yet, the security paradigm often lags, relying on reactive measures like third-party audits instead of proactive, comprehensive SaaS governance. This leaves businesses exposed to operational shutdowns, financial losses, and reputational damage. The issue isn’t just credentials or misconfigurations; it’s the lack of visibility, real-time threat detection, and the inability to block threats before damage occurs. Delays in addressing SaaS security issues are becoming very costly; waiting for remediation means letting your business bleed. Immediate, automated responses must replace slow, manual fixes. True resilience comes from seamlessly integrating SaaS security into enterprise workflows—ensuring threats are neutralized before they take hold!”
Modern Kill Chains in SaaS: The New Normal
A key takeaway from 2024 is the rise of modern kill chains targeting SaaS applications. These attacks don’t follow the traditional MITRE ATT&CK® framework. Instead, they skip over several stages, such as persistence and command and control, thanks to the easy accessibility of SaaS environments.
In 2024, attackers demonstrated how they’ve streamlined their techniques to quickly move from initial access to data exfiltration. Methods like credential stuffing, password spraying, and exploiting API keys have become common, enabling attackers to bypass identity providers (IdPs) and gain direct access to SaaS services. In many cases, privilege escalation becomes unnecessary, as attackers can exfiltrate valuable data almost immediately after gaining access.
AppOmni’s research and ongoing threat monitoring provide a detailed look into how these attacks unfold, revealing the common tactics, techniques, and procedures (TTPs) used by attackers in SaaS environments:
- Initial access: Attackers exploit credentials through phishing, SIM swapping (which targets mobile phones), and credential stuffing.
- Access SaaS environments: Once inside, they manipulate configurations and escalate privileges, often through OAuth or API vulnerabilities.
- Data exfiltration: Attackers stage data for exfiltration via cloud services, bypassing traditional security measures such as endpoint detection.
The Rise of AI-Driven Attacks in SaaS
In 2024, attackers increasingly turned to AI tools to automate and refine their attacks on SaaS environments. Leveraging AI’s ability to generate custom scripts and automate exploitation methods, threat actors found new ways to bypass traditional defenses.
Justin Blackburn, Sr. Cloud Threat Detection Engineer, AppOmni: “SaaS applications are likely to continue to face increasingly sophisticated threats as adversaries exploit advancements in technology – especially AI. AI will enable threat actors to more easily uncover SaaS vulnerabilities and misconfigurations, bypass traditional security measures, and craft more convincing phishing campaigns. As AI becomes more capable and accessible, the barrier to entry for less skilled attackers will become lower, while also accelerating the speed at which attacks can be carried out. Additionally, the emergence of AI-powered bots will enable threat actors to execute large-scale attacks with minimal effort. Armed with these AI-powered tools, even less capable adversaries may be able to gain unauthorized access to sensitive data and disrupt services on a scale previously only seen by more sophisticated, well-funded attackers.”
As Joseph Thacker, AppOmni’s Principal AI Engineer, noted, generative AI is reshaping SaaS security. By creating adaptive scripts and automating complex threat patterns, attackers can now exploit SaaS misconfigurations at unprecedented speed, leaving security teams struggling to keep up. Common tactics include AI-assisted credential stuffing, API key exploitation, and generating adaptive scripts to evade detection across different identity providers.
Martin Vigo, Lead Offensive Security Engineer, AppOmni: “Automation-driven perimeter breaches will remain prevalent in 2025, with large-scale reconnaissance, password spraying, and AI-powered phishing automation among the leading tactics. As SaaS platforms increasingly fall within the scope of these attacks, the potential impact of breaches will continue to escalate significantly. Enterprises must anticipate automated attacks by securing all internet-exposed resources. Today’s attackers no longer selectively target; instead, they pursue any organization lacking a robust security posture.”
These AI-driven approaches enable attackers to accelerate the kill chain, moving from initial access to data exfiltration in record time. This shift has pushed organizations to adopt a new defensive approach, integrating AI into security tools to monitor and counteract AI-driven attacks in real time.
2025 Predictions: What’s Next for SaaS Security?
As we head into 2025, the threat landscape will continue to evolve. Here are key predictions from our experts:
1. SaaS-based attacks will continue to rise
We expect nation-state actors and organized crime groups to ramp up attacks on SaaS environments. Often under-monitored, these platforms present vulnerabilities that can lead to widespread data breaches. Supply chain attacks on SaaS, especially through compromised third-party applications, highlight the importance of scrutinizing integrations and enforcing access restrictions to minimize risks.
Aaron Costello, Chief of SaaS Security Research, AppOmni: “The past few years, we’ve seen a steady uptick in supply-chain attacks on SaaS through compromised third-party applications. As a result, organisations are placing these integrations and their requested access levels under far more scrutiny. On the contrary, my research into data exposures has shown that often, no initial foothold needs to be gained in order for threat actors to gain access to the sensitive data that they want. The combination of undocumented legacy API endpoints, over-privileged public access, and gaps in vendor logging capabilities will continue to provide a dangerously effective option for threat actors to execute hit-and-run style attacks in the future.”
2. Zero Trust will become non-negotiable
More organizations will adopt zero trust platforms to mitigate the risk of lateral movement within SaaS applications. Zero Trust Posture Management (ZTPM) solutions such as AppOmni’s will help organizations enforce least-privilege access and proactively detect misconfigurations before they are exploited. Because Zero Trust proactively ensures that misconfigurations are addressed early and consequently reduces the risk of potential breaches, implementing this technology will become a standard practice in SaaS environments.
Lennart van den Ende, VP, Product Management, Security Business Group at Cisco: “With the increase in stolen credentials and damaging breaches such as those involving Snowflake databases, enforcing least privilege controls and the ability to detect and respond quickly to anomalous activities will be necessary to secure enterprise SaaS. More enterprises will find the need to close the last mile gap in securing SaaS applications by extending Zero Trust controls to SaaS apps.
Enterprise will look to complement SSE capabilities with ‘never trust, always verify’ controls into SaaS apps by actively ensuring that misconfigurations are addressed before they are exploited and reducing the potential of data breaches.”
3. Identity management will be the key battleground
With 2024 showing the dangers of compromised credentials, 2025 will be the year when identity management takes center stage. Identity management—including practices such as continuous monitoring of OAuth permissions, SSO enforcement, and credential hygiene—will play a critical role in 2025 as organizations face the ongoing threat of compromised credentials.
4. Organizations will continue to leverage SaaS security solutions to protect their data
As SaaS security tools become standard, organizations will increasingly rely on them to maintain proactive configuration management and safeguard SaaS environments. Continuous monitoring will be necessary to meet the demands of today’s dynamic threat landscape. With breaches like those at Snowflake and ServiceNow making headlines, SaaS security solutions will become a core part of every organization’s security stack.
Aaron Costello, Chief of SaaS Security Research, AppOmni: “Undocumented legacy API endpoints, over-privileged public access, and gaps in vendor logging capabilities will continue to provide a dangerously effective option for threat actors to execute hit-and-run style attacks in the future.”
Matt Finn, Information Security Director, DLA Piper: “The focus for 2025 won’t solely be about meeting compliance requirements, but also ensuring customers’ trust and operational resiliency. I foresee a stronger push for solutions that provide better visibility, control, and protection against third-party risks. Legal firms will need ongoing alignment among IT, security, and legal teams to create stronger governance and foster a culture of security awareness. Organizations that embrace a proactive approach to SaaS security will be better positioned to adapt to future challenges and maintain their competitive edge.”
5. AI governance and defense integration
As hackers continue to leverage AI, 2025 is expected to bring a stronger emphasis on AI governance and proactive defense measures. AI-driven security tools, capable of identifying and mitigating AI-based exploits, will become essential for SaaS security. Additionally, governance frameworks for responsible AI usage will be crucial in curbing the misuse of AI in cyberattacks. Organizations that integrate AI governance directly into their security posture will be better equipped to defend against increasingly sophisticated AI-enabled threats.
Justin Blackburn, Senior Cloud Threat Detection Engineer, AppOmni: “As AI becomes more capable and accessible, the barrier to entry for less skilled attackers will become lower, while also accelerating the speed at which attacks can be carried out. Additionally, the emergence of AI-powered bots will enable threat actors to execute large-scale attacks with minimal effort.”
Securing the Future of Cybersecurity
The rise of SaaS applications has opened up new possibilities for businesses—and new risks. Lessons from 2024 reveal how attackers continue to evolve, exploit misconfigurations, leverage stolen credentials to infiltrate critical systems, and abuse AI. Staying ahead of these threats requires continuous monitoring, proactive identity management, and strategies to continually enforce a robust SaaS security posture.
With the right tools and strategies in place, organizations can break the kill chain before attackers ever gain a foothold. As we look to 2025, it’s clear that those who invest in SaaS security will be the ones who thrive in the ever-changing digital landscape.
The State of SaaS
Security 2024 ReportDiscover the latest SaaS security trends and challenges in our second annual State of SaaS Security Report.