
Austin O’Saben, product marketing manager at Datto, a Kaseya company
SaaS applications have transformed business operations, making advanced tools accessible to all. However, with this convenience comes increased exposure to risk.
Cybercrimes are surging, and malicious actors are getting smarter. They are weaponizing artificial intelligence (AI) technology, leveraging Phishing-as-a-Service (PhaaS) platforms and sophisticated techniques like token harvesting to bypass multifactor authentication (MFA).
With the rise of SaaS apps and cyber-risks, end-user and data security have become increasingly challenging for IT professionals and MSPs alike.
To better understand the latest trends, threats and insights shaping SaaS application security, SaaS Alerts analyzed data from over 43,000 SMBs and nearly six million end-user accounts (including guest accounts). Read on to uncover the top findings from the 2025 SaaS Application Security Insights (SASI) Report and how your company can stay ahead of evolving cyberthreats.
The hidden SaaS threats
While zero-day exploits and sophisticated ransomware attacks dominate news headlines, sometimes the greatest threats originate from within, such as overlooked misconfigurations and forgotten access points. Here are four major security blind spots that could be silently putting your organization at risk:
Disabled or inactive MFA
Despite being one of the most effective security controls against identity compromise and account takeovers, the adoption rate of MFA is relatively low among businesses. The 2025 SASI Report found that MFA is still missing or inactive in over 60% of end-user accounts. This leaves the door wide open for attackers, especially in the case of credential phishing or token theft attacks. For businesses relying solely on passwords, an account compromise will give the attackers full access to systems and data.
Your business must enforce MFA policies for all users, including admin accounts, to strengthen security. Additionally, you must monitor MFA status regularly and remediate security gaps promptly to prevent data breaches.
Unmonitored guest user accounts
Guest user accounts enable seamless file sharing and collaboration with external users, such as vendors, partners and contractors. However, when these accounts are left unmonitored or inactive, they can become a serious liability.
In 2024, of the 4,261,624 SaaS accounts monitored by SaaS Alerts, more than half (55.24%) were guest user accounts rather than licensed users. With over 2.3 million guest user accounts present and likely unmonitored, your organization may be harboring unseen access risks — an open invitation for cybercriminals.
To minimize risk, you must set expiration dates for all guest accounts to ensure access is revoked after a certain period. Review and remove any inactive or unused accounts regularly to prevent unauthorized access. If you are unsure whether an account is needed, “block sign-in” instead of leaving it open. Finally, leverage automation to streamline guest account cleanups to ensure no account is overlooked.
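The guest-account review described above can be written as a small triage routine. This is an added example, not code from the report or from SaaS Alerts; the record fields, the 30-day inactivity threshold and the action names are assumptions.

```python
from datetime import datetime, timedelta

INACTIVE_AFTER = timedelta(days=30)   # assumed threshold, not from the report
NOW = datetime(2025, 6, 1)            # fixed "today" so the sample is repeatable
FIELDS = ("name", "created", "last_sign_in", "expires", "needed", "sign_in_enabled")

# Constructed sample records; "needed" is the owner's answer (None = unsure).
GUESTS = [dict(zip(FIELDS, row)) for row in [
    ("guest-a", datetime(2025, 5, 20), datetime(2025, 5, 28), datetime(2025, 8, 1), True, True),
    ("guest-b", datetime(2024, 1, 10), None, None, None, True),
    ("guest-c", datetime(2024, 11, 1), datetime(2025, 1, 15), None, False, True),
    ("guest-d", datetime(2025, 2, 1), datetime(2025, 5, 30), datetime(2025, 5, 15), True, True),
    ("guest-e", datetime(2025, 5, 1), datetime(2025, 5, 25), None, True, True),
]]

def triage_guest(acct, now):
    """Return the action for one guest account record (hypothetical schema)."""
    if not acct["sign_in_enabled"]:
        # Already blocked: delete only once the owner confirms it is unneeded.
        return "remove" if acct["needed"] is False else "keep_blocked"
    if acct["expires"] is not None and acct["expires"] <= now:
        return "revoke_expired"        # the expiration date has passed
    # An account that never signed in is measured from its creation date.
    last_seen = acct["last_sign_in"] or acct["created"]
    if now - last_seen > INACTIVE_AFTER:
        if acct["needed"] is None:
            return "block_sign_in"     # unsure: block rather than leave open
        if acct["needed"] is False:
            return "remove"
    if acct["expires"] is None:
        return "set_expiry"            # every guest account gets an end date
    return "keep"

def triage_all(accounts, now):
    """Map each account name to its action."""
    return {a["name"]: triage_guest(a, now) for a in accounts}

if __name__ == "__main__":
    for name, action in triage_all(GUESTS, NOW).items():
        print(f"{name}: {action}")
```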
SaaS-to-SaaS app integrations
OAuth logins and app integrations make work easier, but they also create potential backdoors for attackers. These third-party SaaS connections allow seamless data sharing, and once connected, a single app can become a gateway to other applications. This allows users with access to one app to escalate permissions or access sensitive data in another application, potentially putting your organization’s sensitive information at risk.
To reduce risk, your organization must keep a constant eye on third-party SaaS apps connected via OAuth, especially in platforms like Microsoft 365 and Google Workspace. Continuous monitoring helps detect suspicious activity early and prevent unauthorized access.
Risky file sharing (especially orphaned public links)
Our 2025 SASI Report found that businesses share an average of 15,787 files per hour. While most of these files were shared internally, a staggering 51,563,457 (37.28%) were shared outside the organization, increasing the risk of data leaks, compliance violations and security breaches.
Our analysis of file-sharing activity revealed another major security blind spot — external orphaned links. These are file-sharing links sent outside the organization that are never revoked. Often created for temporary access, they’re rarely disabled, leaving sensitive data exposed long after it’s needed. If left unchecked, these “orphaned” links can become easy targets for hackers looking for an entry point.
You must continuously monitor file-sharing activity to ensure users aren’t unintentionally exposing sensitive data. Regularly terminating old or orphaned links is critical to closing potential security gaps. Additionally, educating employees on secure sharing practices can help reduce the risk of accidental data leaks significantly.
Top threats you can’t afford to ignore in 2025
Cloud-based applications offer several benefits to organizations, from reducing infrastructure burdens to enhanced collaboration, accessibility, flexibility and cost-efficiency. It’s no surprise that cloud adoption is growing rapidly. But in the rush to the cloud, have you opened the doors to cyberthreats you can’t even detect? Here are the top threats to watch out for in 2025.
Token hijacking
Cybercriminals are replacing brute-force attacks with token hijacking, a more sophisticated and effective tactic that’s quickly becoming their weapon of choice. Token hijacking has a much higher success rate than brute-force attacks because it doesn’t rely on passwords to break into accounts.
Token hijacking is a cyberattack technique where hackers intercept authentication tokens by inserting a malicious server between the user’s login screen and the SaaS service, such as Microsoft 365 or Google Workspace. This allows them to impersonate the user without needing credentials again and alter or exfiltrate information undetected, even if MFA is enabled.
Phishing-as-a-Service
Phishing-as-a-Service (PhaaS) is a cybercrime model that offers ready-made phishing tools and services for rent or sale. PhaaS platforms have dramatically revolutionized and simplified phishing attacks. These platforms allow anyone with malicious intent to access ready-to-use phishing kits to launch highly advanced phishing campaigns with minimal effort. With these easily accessible phishing kits, advanced technical skills are no longer required — anyone can become a potential threat.
PhaaS platforms allow hackers to automate phishing attacks. All one needs to do is input targets, upload fake branding and steal credentials. Highly sophisticated PhaaS sites, like darcula suite 3.0, let attackers launch brand-specific phishing campaigns with just a few clicks — no coding or technical skills required.
IP address localization
With remote and hybrid work the norm for many, tracking where logins originate is now more important than ever. Threat actors are increasingly leveraging IP localization techniques to spoof their IP addresses and evade foreign login alerts. They use virtual private networks (VPNs) to disguise login locations, which makes fraudulent logins look legitimate.
Continuous login monitoring can help significantly minimize the risks of IP localization attacks. You must also look for unusual patterns, such as suspicious file modifications, downloads or uploads. These anomalies signal a potential breach, even if the login appears legitimate.
Advanced threats like token hijacking, PhaaS and IP address localization require a new level of visibility, security and automation.
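The monitoring described for token hijacking and IP address localization can be sketched as detection logic over audit events. This is an added example, not code from the report or from SaaS Alerts; the event schema, the allow-list and the burst thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}            # assumed geographic allow-list
BURST_WINDOW = timedelta(minutes=10)  # assumed threshold
BURST_COUNT = 5                       # assumed threshold

# Constructed events: (time, user, session, ip, country, action)
EVENTS = [
    ("2025-03-01T09:00:00", "alice", "s1", "198.51.100.7", "US", "sign_in"),
    ("2025-03-01T09:05:00", "alice", "s1", "198.51.100.7", "US", "file_download"),
    ("2025-03-01T09:40:00", "alice", "s1", "203.0.113.50", "US", "file_download"),
    ("2025-03-01T10:00:00", "bob", "s2", "192.0.2.10", "US", "sign_in"),
] + [
    (f"2025-03-01T10:0{m}:00", "bob", "s2", "192.0.2.10", "US", "file_download")
    for m in range(1, 7)
] + [
    ("2025-03-01T11:00:00", "carol", "s3", "192.0.2.99", "RO", "sign_in"),
]

def detect(events):
    """Return a sorted list of (user, session, finding) tuples."""
    findings = set()
    sign_in_ip = {}                    # session -> IP that completed sign-in
    downloads = defaultdict(list)      # session -> recent download times
    for ts, user, session, ip, country, action in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "sign_in":
            sign_in_ip[session] = ip
            if country not in ALLOWED_COUNTRIES:
                findings.add((user, session, "sign_in_outside_allowed_region"))
            continue
        # A session presented from an IP other than the one that signed in
        # suggests the token is being replayed from somewhere else.
        if session in sign_in_ip and ip != sign_in_ip[session]:
            findings.add((user, session, "session_used_from_new_ip"))
        if action == "file_download":
            recent = [t for t in downloads[session] if when - t <= BURST_WINDOW]
            recent.append(when)
            downloads[session] = recent
            # The location check passed here, so behaviour is the only signal.
            if len(recent) >= BURST_COUNT:
                findings.add((user, session, "download_burst"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

An IP change inside one session also happens on mobile and roaming networks, so that finding is a prompt to investigate rather than proof of compromise.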
Pro tips for getting ahead of the curve
With cyberthreats evolving rapidly, your business needs proactive security measures and layered defense strategies. Here are a few essential security measures to consider to stay ahead of emerging threats.
Enforce MFA internally and for clients: Enforce MFA across all internal systems and client environments to provide an extra layer of access security beyond just passwords.
Set up conditional access rules for Microsoft 365: Implement conditional access policies in Microsoft 365 to control login behavior based on user, location and device risk.
Train end users on cybersecurity best practices: Conduct ongoing security awareness training to empower your users to identify potential threats and follow safe online practices.
Monitor SaaS applications for unusual behavior: Continuously track your SaaS environments for abnormal activity, such as suspicious OAuth logins or unmonitored guest users.
Track file sharing and terminate orphaned links: Monitor file-sharing activity and quickly disable unused or public links to prevent data leaks.
Investigate suspicious user behavior immediately: Respond swiftly to anomalies in user behavior to detect and contain potential security incidents before they escalate.
Whitelist only necessary geographical locations: Limit account access to approved regions only to reduce the attack surface and block unauthorized access from high-risk areas.
Monitor OAuth logins across all SaaS apps: Extend visibility to OAuth activity in all third-party apps to detect hidden threats beyond core platforms like Microsoft and Google.
Leverage automation for threat response: Deploy cutting-edge security solutions, such as SaaS Alerts, that automatically detect and remediate security threats in SaaS platforms.
Simplify SaaS security with SaaS Alerts
While the shift to the cloud boosts efficiency and provides convenience, it also introduces new cybersecurity risks. In 2024, we detected over 61 million critical alerts, and these weren’t triggered by external threats alone.
Download the 2025 SASI Report to get the full SaaS picture, expert insights and proven strategies to combat the latest SaaS threats head-on.
Cloud-based SaaS solutions have reshaped the business landscape, but alongside this transformation is a sprawling digital footprint that demands new defense strategies for enhanced visibility, security and control.
That’s where SaaS Alerts can play a crucial role in strengthening your organization’s security posture and helping you stay ahead of the curve.
SaaS Alerts provides full visibility into suspicious activity across popular SaaS applications like Microsoft 365, Google Workspace, Salesforce and more. Our intelligent solution delivers instant alerts about critical threats and anomalies as soon as they are detected. But SaaS Alerts doesn’t stop at detection — it takes action. Automated response actions quickly address threats, blocking affected accounts before the threats spread, with no manual intervention required. SaaS Alerts protects your sensitive information with robust data protection controls so you can rest easy knowing your data is safe. It simplifies SaaS protection by enabling your IT team to manage security across all your SaaS apps from one easy-to-use dashboard.
Ready to take SaaS security to the next level? Try SaaS Alerts for FREE for 14 days and experience how our powerful platform simplifies SaaS security.