COMMENTARY: The explosion of software-as-a-service (SaaS) adoption over the past decade has transformed the way we work. From our email platforms to our communication and collaboration apps, to file storage and sharing services, these tools promise greater flexibility and efficiency in our day-to-day work lives, especially in today’s remote and hybrid environments.
Unfortunately, cybercriminals also benefit from the SaaS boom. The proliferation of third-party applications has introduced countless ways for threat actors to exploit businesses. According to a report from the Cloud Security Alliance, 65% of companies struggle to monitor and track SaaS risks — and as more cybercriminals leverage SaaS to carry out increasingly hard-to-detect social engineering attacks, that number will grow.
How SaaS social engineering attacks work
Threat actors rely on a few tried-and-true methods to impersonate legitimate SaaS products as they carry out sophisticated social engineering attacks that bypass traditional security tools.
File-sharing phishing attacks are one such tactic — which increased a whopping 350% between June 2023 and June 2024, according to our latest report. Using this method, cybercriminals create genuine accounts on file-sharing services, like Dropbox or Google Drive, and trigger notifications from the platform that prompt targets to view a file with a seemingly harmless but enticing name, like “team bonuses.”
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
In some cases, attackers lure targets into accessing a legitimate folder or drive where they’ve hidden malware. In other cases, these emails include genuine links that redirect to malware or phony login pages designed to capture a user’s credentials. Because these messages originate from real file-sharing accounts, with safe-looking links and no malicious attachments, they typically slip past email monitoring tools.
We’ve also seen SaaS scammers use vendor email compromise (VEC) phishing tactics to impersonate SaaS vendors and use time-pressure tactics (like a password expiring) to deceive employees into entering their credentials into a phishing page. They may also target accounting personnel to request payment for a bogus invoice or make future payments to a new account. Hackers able to infiltrate a SaaS organization’s email system may even hijack existing conversations, making them even less likely to arouse suspicion.
Why SaaS has become popular for social engineering attacks
SaaS offers organizations an easy way to access and deploy software. Unfortunately, much of what makes these products great for businesses also benefits attackers carrying out social engineering schemes.
There are a few reasons why SaaS products make for a successful vehicle for launching attacks:
- They have a low barrier to entry: Many SaaS products offer free trials or “freemium” pricing structures that give users free access to basic features. In other words, any cybercriminal with a web browser and an internet connection can set up an account with little to no upfront investment and immediately get all the infrastructure they need to launch stealthy attacks. Freemium models are especially appealing because they get around the need to sign up for a subscription plan or account that could expose the attacker’s real identity.
- Nearly every organization uses SaaS: Compared to traditional on-premise software, SaaS tools are more cost-effective, more user-friendly, and easier to set up and scale. Over the past decade, businesses of all sizes have turned to SaaS products for everything from internal communications and project management to payroll, file-sharing, and, ironically, even security. Because these tools are so pervasive, there are practically endless opportunities for waging large-scale attacks.
- Employees trust SaaS providers: Employees have grown accustomed to receiving dozens of notifications from the preferred SaaS products they use daily at work. This means employees are unlikely to second-guess a request to click a link or open a file — especially when the message looks identical to the barrage of legitimate emails pouring into their inboxes. There’s virtually nothing to set off their alarm bells or trigger legacy security tools like secure email gateways (SEGs).
Ways to stop SaaS attacks
There are several steps that SaaS vendors themselves can take to reduce the prevalence and impact of adversaries impersonating their brand. These include implementing strong domain protection or using digital certificates to verify their authenticity, implementing brand monitoring tools that can monitor and detect impersonations across the web, or pursuing legal takedown for fraudulent sites and apps.
But while it’s important to rigorously vet SaaS vendors and assess their security efforts before signing the dotted line, there’s only so much customers can control. Organizations shouldn’t rely exclusively on the vendor’s security practices, and should stay proactive about exercising their own due diligence to protect the business from cybercrime.
It's vital to fostering a culture of security and awareness of emerging attacks, and it should continue as a core pillar of defense. But with social engineering becoming much more sophisticated, security education and awareness isn’t a silver bullet. Today, we’re commonly seeing threat actors weaponize Generative AI to craft professional, error-free messages that mimic the tone and style of the individuals they’re impersonating. This, combined with their adept use of SaaS tools, means attacks are practically impossible to spot.
While legacy security systems can help mitigate risks of standard phishing techniques, they aren’t equipped to detect evolving social engineering schemes, especially when they are launched from legitimate compromised SaaS accounts. Stopping these attacks requires advanced detection to flag the more subtle malicious activity — hidden behind the guise of a compromised app — that people and traditional security frequently miss. As cybercriminal tactics evolve, so must the tech we use to protect ourselves.
Mike Britton, chief information security officer, Abnormal Security
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
