Video analytics
Summary is AI-generated, newsdesk-reviewed
  • MSPs urged to increase MFA adoption amid growing SaaS security threats in 2024.
  • Guest user accounts rise by 75%, posing increased data breach risks for companies.
  • China and Russia escalate cyberattacks on U.S. infrastructure, targeting SaaS applications.
Related Links

SaaS Alerts, a cybersecurity company delivering an automated software-as-a-service (SaaS) security platform designed to detect and stop unauthorized activity in customer SaaS applications, announced the findings of its latest SaaS Application Security Insights (SASI) Report that shows there is a massive opportunity for MSPs to help their small and mid-market business clients.  

The 2024 SASI report analyzed SaaS application security records of more than 18,000 SMBs and nearly two million end-user accounts last year. According to the report, SaaS security experts described a year of evolving cybersecurity threats where hackers concentrated on brute-force attacks, as well as developed new, more efficient techniques for breaching systems, such as token hijacking, PhaaS, and IP address localization.

Findings in the 2023 SASI Report

Most alarming is the continued low adoption of MFA among MSPs’ clients

Most alarming is the continued low adoption of multi-factor authentication (MFA) among MSPs’ customers. Among the end-user accounts included in the 2024 report, only 35% enabled MFA, a slight 3% increase over the findings in the 2023 SASI Report. This threat is exacerbated by the fact that more users are using OAuth to log into other SaaS applications with their same Microsoft 365 or Google Workspace credentials. 

The report also revealed a 75% increase in guest user accounts. Guest user accounts are created on the fly when sharing documents externally and are often left dormant and unmonitored. Because most guest user accounts are granted the same permissions as internal staff accounts, companies increase their exposure to data breaches and exfiltration.

Greater IT budgets

There’s a promise of greater IT budgets and increased use of cloud applications in 2024, which is great news for MSPs. But it’s also a gift for cybercriminals who see the potential for broader and more unsecured attack surfaces,” said Jim Lippie, co-founder and CEO of SaaS Alerts.

The rules are changing, and MSPs need to keep up. To protect their customers in this new environment, they’ll need greater visibility into user behavior, login and geolocation data, and potential weak points.”

Global sources continue to dominate threats

Attempted unauthorized logins continue to rise in China, India, South Korea, Brazil, and Russia

Attempted unauthorized logins continue to rise in China, India, South Korea, Brazil, and Russia, accounting for 57% of the attempted intrusions last year combined. As U.S.-China tensions escalate, cyberattacks will likely follow.  

While many of these attempted attacks are geared toward industrial espionage, China is also ramping up attacks on U.S. infrastructure networks. Similar efforts from Russia are also expected to increase.

Increase in SaaS applications

Microsoft 365 and Google Workspace were the most widely used SaaS applications in the dataset, so they naturally were the most active sources of critical alerts last year. However, only about 1% of alerts from M365 and Google required immediate attention. Meanwhile, Slack was more problematic, with 12% of related alerts identified as critical. That was an almost nine-point jump from Slack’s critical alerts ratio of 3.77% last year.

SaaS Alerts’ research has shown that attack tools have been actively created for over 50 distinct SaaS applications, including both business and consumer applications. “The increase in SaaS applications being targeted should serve as a warning to MSPs,” said Lippie. “When it comes to protecting your clients, SaaS security needs to move beyond M365 and Google.”

Common high-severity threats

Most of those events (97.5%) were low severity, leaving 60 million medium-severity and critical events to address

In 2023, SaaS Alerts monitored more than 2.5 billion SaaS events. Most of those events (97.5%) were low severity, leaving more than 60 million medium-severity and critical events to address. The most common high-severity threats included successful logins from outside approved locations, and files opened or downloaded outside an approved location. 

Alerts warn MSPs that something is happening that needs attention. When stacked together, they are indicators of compromise. Without proper monitoring in place, breaches can go undetected for months,” said Lippie. “SaaS Alerts stopped nearly 7,900 potential breaches last year using our automated Respond module. With Respond, bad actors can be blocked within five to 15 minutes of receiving data from Microsoft.”

Hackers changing tactics

In addition to traditional brute-force attacks, the report warns MSPs to be prepared for increased attacks with these methods: 

  • PhaaS, where hackers provide a list of email addresses with messages and logos of the companies they’re trying to impersonate to a PhaaS platform. The hacking software sets up a virtual server and runs the hack on autopilot. The program then sends back the stolen credentials. 
  • Token hijacking, which allows hackers to bypass MFA and Conditional Access, happens when bad actors set up a server between the end-user’s login screen and the SaaS service being logged into, such as M365, and allows them to intercept a user’s access token to then access the end-user’s account.
  • IP address localization allows hackers to get around geolocation fencing by localizing their IP addresses to bypass foreign login flags. 

Identify potential threats

To protect themselves and their customers from these attacks, MSPs should continue regular education to help customers identify potential threats and proactively monitor accounts for suspicious activities before they lead to extensive data exfiltration or loss. Other steps recommended in the report include:

  • Enable and enforce MFA, both internally and with all clients.
  • Track file-sharing activity to identify data exfiltration and internal threats.
  • Store and regularly review historical user-behavior data, even if it didn’t lead to a breach.
  • Promptly investigate and respond to unusual user behavior that presents a potential threat.
  • Monitor OAuth logins and don’t ignore other SaaS applications just because they’re not Microsoft or Google.

From facial recognition to LiDAR, explore the innovations redefining gaming surveillance

Related white papers
Understanding AI-Powered Video Analytics

Understanding AI-Powered Video Analytics

Download
Open Credential Standards And The Impact On Physical Access Control

Open Credential Standards And The Impact On Physical Access Control

Download
What is a universal RFID reader?

What is a universal RFID reader?

Download
Related articles
Interface Systems: 2026 Retail Security Trends

Interface Systems: 2026 Retail Security Trends
Why Open Matters In The Age Of AI

Why Open Matters In The Age Of AI
Verkada AI Tech Reshapes Enterprise Security Industry

Verkada AI Tech Reshapes Enterprise Security Industry