Key Insights From the 2025 SASI Report


The rapid rise of Software-as-a-Service (SaaS) applications like Google Workspace, Microsoft 365, Slack and Salesforce can be attributed to the flexibility, scalability and cost-effectiveness of cloud-based solutions. On the other hand, SaaS apps have become prime targets for cybercriminals as they host business-critical information and workloads. Additionally, cybercrime is evolving rapidly. Threat actors favor more efficient and dangerous methods, like token harvesting, over traditional methods like brute force.

To better understand these risks, SaaS Alerts launched the 2025 SaaS Application Security Insights (SASI) Report. This report presents findings from a detailed analysis of SaaS security data across more than 43,000 small and midsized businesses (SMBs), and nearly six million user accounts, including guest accounts.

As the threat landscape grows more sophisticated, it’s critical for security leaders and IT professionals to understand these shifting dynamics. In this article, we will explore the report’s key insights and what your business must do to stay ahead of emerging threats.

The proliferation of SaaS apps and the risks associated with them

SaaS applications have drastically improved operational efficiency and productivity, but they have also exposed businesses to a host of security vulnerabilities. While cybercrime is surging, negligent user behavior, risky file-sharing and unmonitored guest user accounts are creating security blind spots in SaaS environments.

Employees tend to install new apps, grant access permissions or share documents without involving IT teams. These actions lead to a messy web of app connections and data sharing that the security team often can’t see or control.

SaaS applications make sharing information easy, but without proper controls, sensitive data can be exposed through public links or shared with external parties without proper authentication.

Another growing concern is guest user accounts, which are created for short-term collaboration but are often left unmonitored or rarely deactivated. Some of these accounts have elevated permissions or access to critical documents, making them a perfect backdoor for threat actors looking to infiltrate an organization without raising alarms.

Unauthorized logins detected by SaaS Alerts

SaaS Alerts’ threat intelligence engine continuously monitors SaaS environments for suspicious activity. In 2024, we saw a sharp rise in both attempted and successful unauthorized access. Here’s what was uncovered:

Attempted unauthorized logins

Cybercriminals are increasingly trying to log in using valid user credentials obtained through the dark web or phishing attacks. To avoid detection, these login attempts come from multiple global locations in quick succession.

In 2024, nearly 40% of all unauthorized login attempts were traced to China and South Korea.

Brute force was the common method used to gain unauthorized access to corporate systems. In this method, attackers repeatedly guess passwords until they gain access.

The 2025 SASI Report indicates that instead of relying solely on brute force, cybercriminals are shifting toward token harvesting — a faster, stealthier method that allows them to bypass MFA entirely by stealing session tokens.

Catching successful unauthorized logins

When attackers successfully access an account, they often do so from unexpected or unapproved locations. Last year, Germany, the United Kingdom and Poland emerged as hotspots, with nearly 25% of breaches originating from these locations. Attackers are believed to be disguising their true origins by routing activity through Western-based VPNs, thus making their attempts appear more legitimate and harder to detect.

Threat actors successfully logged in to corporate accounts using phishing schemes. They trick users into revealing their SaaS credentials using highly convincing but fake emails, messages or login pages. This method remains one of the most dangerous and effective ways to breach organizational defenses.

SaaS security events

SaaS security events act as early warning signals, helping IT teams detect unusual or risky activity across their cloud environments. SaaS Alerts uses intelligent application logic to analyze behavioral patterns and rank these activities by severity: low, medium and critical.

In 2024, SaaS Alerts analyzed more than 7.3 billion events across SaaS environments. While the vast majority (98.5%) were categorized as low severity, over one billion of these alerts were medium or critical.

Low-severity events

Low-severity events often reflect normal activity but are still worth monitoring for patterns or anomalies over time.

The most frequent low-severity event was “file opened,” triggered whenever a logged-in or guest user accesses a file. This action made up over 50% of all low-severity alerts. The backup service transfer accounted for 23.7% of these events. Another common trigger was OAuth access via identity and access management (IAM), which made up 22.88% of low-severity alerts. These events occur when third-party apps request account permissions.

Medium-severity alerts

These alerts are triggered when unusual behavior or suspicious activities are detected and require investigation to minimize risk.

The most common medium-severity alert in 2024 was “file download limit exceeded,” which indicates data extraction attempts. This event represented 40.2% of all medium alerts. “File upload limit exceeded” accounted for 35% of medium-severity alerts, often a red flag for unauthorized data transfers. Meanwhile, “file opened from an unapproved location” made up 25%, pointing to potential account compromise or violations of access policies.

Critical alerts

Critical alerts represent high-risk activities that may indicate security breaches, data theft or unauthorized access. Over 34% of critical alerts were caused by successful logins from unapproved locations or IP ranges. Additionally, 33% of critical alerts were triggered by files being accessed outside approved geographic zones. Another 32.3% were tied to files being downloaded from unapproved locations.

Although low- and medium-severity alerts may not imply an immediate threat or require immediate action, they do provide critical context and insight into user and system behaviors. Closely monitoring these alerts can help IT teams recognize abnormal activity patterns and proactively neutralize threats before they cause damage. In short, it’s critical to track all security alerts — from low to critical — in order to build a robust SaaS security strategy and detect threats effectively.
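The two login patterns described above (failed attempts arriving from several countries in quick succession, and a successful login from an unapproved location or IP range) can be expressed as simple detection logic. The sketch below is an added example, not SaaS Alerts' own code; the policy values, the 10-minute window, the three-country threshold, the "medium" rating for the failed-login burst and the sample events are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed tenant policy (constructed for this example).
APPROVED_COUNTRIES = {"US"}
APPROVED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
WINDOW = timedelta(minutes=10)  # what counts as "quick succession" (assumption)
MIN_COUNTRIES = 3               # distinct countries that make a burst suspicious

# Constructed sample events: (ISO timestamp, user, source IP, country, success)
EVENTS = [
    ("2024-06-01T08:00:00", "alice", "203.0.113.10", "US", True),
    ("2024-06-01T09:00:00", "bob", "198.51.100.7", "CN", False),
    ("2024-06-01T09:02:00", "bob", "198.51.100.99", "KR", False),
    ("2024-06-01T09:05:00", "bob", "192.0.2.44", "BR", False),
    ("2024-06-01T09:06:00", "bob", "192.0.2.80", "DE", True),
    ("2024-06-01T12:00:00", "carol", "198.51.100.20", "CN", False),
]

def approved(ip, country):
    """A source is approved if its country or its IP range is on the allow list."""
    addr = ipaddress.ip_address(ip)
    return country in APPROVED_COUNTRIES or any(addr in n for n in APPROVED_NETS)

def classify(events):
    """Return a list of (severity, user, reason) alerts in time order."""
    alerts, failures = [], {}
    for ts, user, ip, country, ok in sorted(events):  # ISO timestamps sort lexically
        when = datetime.fromisoformat(ts)
        if ok:
            if not approved(ip, country):
                alerts.append(("critical", user,
                               f"successful login from unapproved location {country}"))
            continue
        # Keep only this user's failed attempts that fall inside the sliding window.
        recent = [(t, c) for t, c in failures.get(user, []) if when - t <= WINDOW]
        recent.append((when, country))
        failures[user] = recent
        countries = {c for _, c in recent}
        if len(countries) >= MIN_COUNTRIES:
            alerts.append(("medium", user,
                           f"failed logins from {len(countries)} countries within {WINDOW}"))
            failures[user] = []  # reset so one burst produces one alert
    return alerts

if __name__ == "__main__":
    for alert in classify(EVENTS):
        print(alert)
```

In the sample data, the burst of failed attempts against one account followed a minute later by a successful login from an unapproved country is the kind of sequence worth escalating as a whole rather than as two separate alerts.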

What’s putting your SaaS environments at risk

SaaS applications offer countless benefits to businesses of all sizes. However, when security best practices are overlooked, these platforms can also become gateways for data breaches, account compromise and unauthorized access. The 2025 SASI Report highlights the most common threat vectors that could leave your SaaS environment exposed to potential breaches.

MFA disabled or inactive

MFA is considered one of the most effective defenses against identity theft and unauthorized account access. However, its adoption remains alarmingly low. According to the 2025 SASI Report, MFA is either disabled or inactive in more than 60% of end-user accounts. Without this critical layer of protection, attackers can easily compromise accounts through phishing or token theft attacks.

Unmonitored guest user accounts

Guest users are essential for external collaboration, but they’re often left unchecked. In 2024, SaaS Alerts monitored over 4.2 million SaaS accounts, of which more than 55% were guest users. If these accounts aren’t closely monitored or promptly deactivated when no longer needed, they could become unseen entry points for cybercriminals.

SaaS-to-SaaS app integrations

OAuth makes it easy for users to connect new SaaS tools with just a few clicks, but this convenience comes at a cost.

Each new integration potentially widens the attack surface, especially if the third-party app is poorly secured. Without visibility into these connections, your business could risk giving cybercriminals indirect access through compromised apps.

Risky file-sharing behavior

SaaS apps have simplified file sharing, but they have also increased the risk of unauthorized data sharing outside the organization. In 2024, 37.28% of all file-sharing activity SaaS Alerts monitored involved external users.

While not all external sharing is bad, the real danger lies in orphaned links. These are file-sharing links shared with people outside the organization that are never revoked. Attackers looking for a way in can easily discover and exploit these lingering links.

Key takeaways and security recommendations to stay ahead of emerging SaaS threats

The 2025 SASI Report reveals that while SaaS applications enhance productivity and collaboration, they also open the door to security risks if they aren’t properly managed. Weak MFA adoption, unmonitored guest accounts, risky third-party app integrations and careless file-sharing practices are among the most critical threat vectors. Malicious actors are shifting tactics, embracing stealthy methods like token harvesting and VPN masking, making it more important than ever for organizations to adopt a proactive security approach, gain visibility and enforce security policies.

Follow these steps to protect your business from emerging SaaS threats:

  • Enable and enforce MFA across your organization and for all clients.
  • Apply conditional access rules for Microsoft 365 accounts whenever possible.
  • Provide ongoing cybersecurity training for your end users to reinforce security best practices.
  • Continuously monitor major SaaS productivity apps for unusual or suspicious user behavior.
  • Track file-sharing activity to detect potential data exfiltration or insider threats.
  • Store and routinely review historical user behavior data, even if it hasn’t led to a known breach.
  • Investigate and respond quickly to any anomalies that could indicate a threat.
  • Monitor OAuth-based logins, and don’t overlook non-Google or non-Microsoft SaaS applications.
  • Regularly remove inactive or unnecessary guest accounts to minimize exposure.
  • Keep an inventory of all app-to-app integrations and assess their security implications.
  • Review risky file-sharing behavior to prevent data exposure.
  • Use automation to detect and respond immediately to high-risk threat sequences.

Stay ahead of emerging SaaS threats. Download the 2025 SASI Report for the latest SaaS trends, expert insights, real-world data and actionable strategies.
