If you’re still thinking of SaaS supply chain attacks as tomorrow’s problem, think again. The biggest breaches in the last year didn’t start with malware. They started when attackers exploited gaps hidden deep inside SaaS supply chains. Credential theft, OAuth token abuse, and risky integrations have become the new frontlines.
Groups like UNC6395 and UNC6040 aren’t just targeting the SaaS apps you use; they’re mapping out your entire SaaS supply chain and breaking in with techniques catalogued in MITRE ATT&CK. If you can’t see these connections in real time, you’re not just behind, you’re at risk.
Campaigns from these threat actors show how adversaries exploit weaknesses in these connections. By applying familiar tactics from the MITRE ATT&CK framework inside SaaS platforms, they’ve turned the SaaS supply chain into one of today’s fastest-growing visibility gaps.
How prepared is your organization to defend the SaaS supply chain? The answer often comes down to depth: whether you can see beyond surface-level posture checks to the exact tokens, integrations, and objects attackers exploit once inside.
UNC6395, UNC6040, and Scattered Spider TTPs: MITRE ATT&CK
The MITRE ATT&CK framework is a proven way to categorize attacker techniques: phishing, OAuth token abuse, privilege escalation, lateral movement, and exfiltration, among others. When mapped against SaaS-specific incidents, it’s clear that nearly every stage of the attack chain can play out entirely within SaaS applications. This makes familiar techniques harder to recognize without depth of visibility into SaaS environments.
Activity from threat group UNC6040 demonstrated this clearly: attackers reuse familiar techniques inside SaaS, which makes them far harder to spot with endpoint or network tools alone.
Why depth is the differentiator
Most SaaS security messaging sounds similar: visibility, posture management, detection. But what those terms rarely capture is depth. That means the ability to connect a user to the exact tokens, integrations, and objects they can access.
To stop adversaries, defenders must go deeper than initial checks. Depth means being able to connect the dots between a user, the OAuth tokens they hold, and the integrations they’ve connected. It’s the difference between knowing that MFA is enabled and knowing whether a specific token bypasses MFA entirely, or whether an integration quietly grants admin-level access. Without that level of clarity, critical TTPs remain invisible. The real question is: Do your current tools let you see that deep?
A case study: UNC6395’s Salesforce intrusion
In the Salesloft-Drift Salesforce incident, threat actor group UNC6395 abused compromised OAuth tokens to access sensitive Salesforce objects. Using the permissions granted through the trusted integration, the group systematically queried and exfiltrated large volumes of data, which included credentials and business records.
The attack succeeded not because defenders lacked visibility, but because they lacked depth. Surface-level monitoring showed authentication was enabled and integrations were active. Depth of visibility would have revealed which specific tokens unlocked high-value objects, exposing the attack paths earlier.
This demonstrates why monitoring SaaS access paths is critical to defending the SaaS supply chain.
Lessons from MITRE mapping
The MITRE ATT&CK framework was created to document how attackers operate, but its value for SaaS defenders lies in how it exposes visibility gaps. Each tactic highlights not only what adversaries do, but also what defenders need to look for inside SaaS platforms. Traditional tools monitor endpoints and networks, but SaaS requires a different lens. It needs depth of visibility into users, tokens, integrations, and objects.
For security practitioners, this means mapping SaaS-specific signals to each stage of ATT&CK. Instead of asking, “Do we have MFA enabled?”, the better question is, “Can we see when MFA is bypassed or disabled on a specific account?” Instead of asking, “Do we log API calls?” the question becomes, “Can we distinguish routine API use from attacker abuse?”
With SaaS, depth of visibility turns ATT&CK into a defensive map. Here’s what practitioners should watch for across each stage of the kill chain:
Initial access
Attackers look for weak points in authentication to get a foothold. This often means exploiting OAuth token grants, misconfigured authentication flows, or risky integrations. In SaaS supply chains, compromised tokens can be just as powerful as stolen credentials, providing direct entry into sensitive applications. Practitioners should monitor for unusual OAuth grants, especially those with broad scopes or tied to risky integrations, and validate whether MFA is enforced during token issuance. They should also recognize that once a token is issued, it bypasses MFA until it expires or is revoked.
Execution
Execution in SaaS rarely looks like malware. Instead, attackers abuse APIs and built-in automations to carry out malicious actions. Practitioners should baseline normal API usage and watch for unusual command activity that blends into routine business processes.
Persistence
Once inside, attackers aim to stay there. In SaaS, persistence often comes from manipulating authentication processes, adding new tokens, or tampering with MFA enforcement. Practitioners should monitor for suspicious additions of MFA methods, sudden MFA removal from compromised accounts, and unexpected creation of new users or service accounts that could serve as backdoors. Surface checks alone may show only that MFA is enabled or that new users were added through normal processes, and miss the change itself.
Privilege escalation
With persistence secured, attackers often seek more control. In SaaS, that might mean changing role assignments, expanding OAuth token scopes, or exploiting misconfigurations to gain administrative rights. They may also create new users with elevated privileges, sometimes in connected systems, to ensure ongoing access with broader authority. Security practitioners should monitor for shifts in roles or scopes that don’t align with normal user behavior.
Defense evasion
Attackers in SaaS environments often hide in plain sight. They may rely on legitimate tokens, APIs, or background processes to make malicious activity look like normal system behavior. Some advanced groups also use residential proxies to disguise traffic and avoid triggering alerts tied to suspicious IP ranges. Practitioners should look for subtle deviations, such as tokens used at unusual times, impossible travel activity where a user appears in two distant locations within minutes, or logins from IPs inconsistent with known user behavior.
Lateral movement
Integrations make SaaS powerful, but also give attackers pathways to move quietly between applications. This “integration sprawl” allows them to pivot from one app to another without raising alarms. Practitioners should monitor for unexpected cross-application access, especially where integrations suddenly expand their permissions.
Collection
Once attackers have access, the next step is gathering information. This often involves querying sensitive records, pulling large datasets, or staging data for extraction. Security practitioners should baseline normal reporting activity and flag deviations, such as new users running bulk data queries.
Exfiltration
The final phase is getting the stolen data out. Exfiltration often takes the form of bulk downloads, syncing large sets of records, or connecting new repositories for export. Because this transfer uses legitimate APIs, practitioners need depth of visibility into object-level access patterns to catch anomalies before the data is gone.
Surface-level visibility isn’t enough to stop SaaS supply chain threats. Depth of visibility into tokens, integrations, and objects is what allows practitioners to break the kill chain before attackers achieve their objectives.
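To make the stage-by-stage watch list concrete, here is an added example (not code from the original article or from any vendor) that runs four of the detections above over a small set of constructed SaaS audit events: broad OAuth scope grants (initial access), MFA removal (persistence), impossible travel between logins (defense evasion), and bulk object queries (collection). The event schema, scope names, thresholds, and sample data are all assumptions made for illustration, not a real Salesforce or IdP log format.

```python
"""ATT&CK-stage detections over constructed SaaS audit events (hypothetical schema)."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

def ev(ts, user, kind, **fields):
    """Build one audit event; the field names are assumptions for this example."""
    return {"ts": ts, "user": user, "type": kind, **fields}

# Constructed sample events: one user grants a broad-scope token, drops MFA,
# logs in from two distant cities 30 minutes apart, then pulls a large dataset.
EVENTS = [
    ev("2025-09-01T09:00:00", "alice", "oauth_grant", app="crm-connector",
       scopes=["api", "refresh_token", "full"]),
    ev("2025-09-01T09:05:00", "alice", "mfa_removed"),
    ev("2025-09-01T09:10:00", "alice", "login", lat=40.7, lon=-74.0),   # New York
    ev("2025-09-01T09:40:00", "alice", "login", lat=51.5, lon=-0.1),    # London
    ev("2025-09-01T10:00:00", "alice", "query", object="Account", rows=250000),
    ev("2025-09-01T10:30:00", "bob", "query", object="Case", rows=120),  # routine
]

BROAD_SCOPES = {"full", "refresh_token"}   # assumed "risky" scopes for this example
BULK_ROW_THRESHOLD = 10000                 # assumed baseline for bulk collection
MAX_KMH = 900                              # faster than airline travel => impossible

def km(a, b):
    """Great-circle distance in km between two events carrying lat/lon."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return (attack_stage, user, reason) findings in event order."""
    findings, last_login = [], {}
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "oauth_grant" and BROAD_SCOPES & set(e["scopes"]):
            bad = sorted(BROAD_SCOPES & set(e["scopes"]))
            findings.append(("initial_access", e["user"], f"broad grant to {e['app']}: {bad}"))
        elif e["type"] == "mfa_removed":
            findings.append(("persistence", e["user"], "MFA factor removed"))
        elif e["type"] == "login":
            prev = last_login.get(e["user"])
            if prev:
                hours = (t - prev[0]).total_seconds() / 3600
                if hours > 0 and km(prev[1], e) / hours > MAX_KMH:
                    findings.append(("defense_evasion", e["user"], "impossible travel"))
            last_login[e["user"]] = (t, e)
        elif e["type"] == "query" and e["rows"] >= BULK_ROW_THRESHOLD:
            findings.append(("collection", e["user"], f"bulk query on {e['object']}: {e['rows']} rows"))
    return findings
```

Each finding carries the ATT&CK stage it maps to, so the output can be correlated per account into a single chain rather than reviewed as isolated alerts.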
The gaps that matter most in SaaS
An important step in defending against SaaS security threats is knowing which questions to ask of your own environment. The reality is that without clarity in these areas, it is almost impossible to gauge your true exposure or respond effectively when attackers strike.
- Access: Can you map a user’s effective access down to the specific objects, tokens, and integrations they touch? Without this, you cannot measure the real blast radius if that account is compromised.
- Authentication changes: Do you monitor changes in authentication flows, MFA enforcement, and OAuth scopes? These are rarely static, and attackers often exploit drift to escalate privileges or bypass safeguards.
- Data movement: Can you detect abnormal patterns quickly enough to stop exfiltration? Once bulk downloads or unauthorized syncs are complete, the damage is already done.
These questions represent the core of SaaS security maturity. They often make the difference between stopping an intrusion early or learning about it from a headline.
Moving from SaaS awareness to security action
Most organizations don’t lack awareness of SaaS risks. What they lack is depth of coverage inside the platforms themselves. Visibility and posture at a high level are not enough. True protection comes from enforcing policies and detecting threats where they actually occur: inside the SaaS layer.
Taking action means going beyond posture checks to continuously monitor token activity, audit integration permissions, and detect unusual data movement before it becomes exfiltration. The longer organizations stay at the awareness stage, the more time attackers have to exploit visibility gaps that go unnoticed.
Specialized SaaS security platforms provide the policies and detections organizations need to stop attacker techniques before they succeed.
Making MITRE ATT&CK actionable in SaaS security
The MITRE ATT&CK mapping of Salesforce-related incidents makes one thing clear: attackers already know how to exploit SaaS systems to their advantage. They are not inventing entirely new methods, but reapplying proven tactics in the SaaS supply chain, where many organizations have limited visibility.
Everyone talks about visibility and posture. But as the mapping shows, unless you can enforce policies and detect threats at the object and integration level, entire portions of the framework remain undefended.
SaaS security platforms address this by focusing on where attacks actually unfold: at the level of objects, tokens, and integrations. The question is whether your organization can engage those controls before attackers convert them into advantages. In the end, depth is the differentiator. It’s the difference between seeing that controls exist and knowing how they stand up when attackers test them.
Protecting the SaaS supply chain starts with awareness of how attackers operate and where visibility gaps exist. Learn more about the recent breaches in our webinar.