SaaS Threats Are Escalating: A Follow-Up to Our Recent Analysis
Category:Industry News / Research & Tools
Bishop Fox details concurrent campaigns against SaaS ecosystems by UNC6040 (ShinyHunters/Scattered Spider) and UNC6395 (suspected nation-state). Techniques include OAuth device code flow abuse that yields legitimate tokens (often bypassing MFA signals) and vishing focused on Salesforce administrators identified via LinkedIn. Attackers pivot from Salesforce into Google Workspace and Microsoft 365 through integrations and over-scoped permissions, turning a single foothold into multi-tenant access. The research argues SaaS security remains a customer responsibility around configuration, monitoring, and token governance.
CORTEX Protocol Intelligence Assessment
Business Impact: Systemic SaaS compromise can span identity, data, and integrations across multiple providers.
Technical Context: Device code flow token phishing; admin vishing; over-permissioned OAuth apps facilitating lateral SaaS movement.
Strategic Intelligence Guidance
- Disable device code flow where unnecessary; apply conditional access for tokens.
- Enforce phishing-resistant MFA for all SaaS admins and continuously monitor admin actions.
- Inventory and right-size OAuth app scopes; revoke unused integrations.
- Centralize SaaS telemetry and alert on anomalous token usage and geo/device variance.
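The last three guidance items (device code flow, OAuth scope hygiene, and alerting on anomalous token use with geo/device variance) can be expressed as detection rules over centralized SaaS telemetry. The following is an added example, not code from Bishop Fox or from the article: it runs four simple rules over a few constructed, normalized token events (field names, the high-risk scope watchlist, and the one-hour geo window are assumptions chosen for illustration) and returns the alerts a SOC would triage.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: token/sign-in events from several SaaS providers,
# already normalized to one JSON object per line. Field names are assumptions.
SAMPLE_LOG = """
{"ts":"2025-10-15T09:00:00Z","provider":"salesforce","user":"admin@example.test","event":"token_issued","grant_type":"authorization_code","country":"US","device":"lap-01","scopes":["api"]}
{"ts":"2025-10-15T09:05:00Z","provider":"m365","user":"admin@example.test","event":"token_issued","grant_type":"device_code","country":"US","device":"unknown","scopes":["offline_access","Mail.Read"]}
{"ts":"2025-10-15T09:20:00Z","provider":"gworkspace","user":"admin@example.test","event":"token_used","country":"NL","device":"srv-77","scopes":["directory.read"]}
{"ts":"2025-10-15T10:00:00Z","provider":"salesforce","user":"bob@example.test","event":"app_consent","app":"ReportSync","scopes":["full","refresh_token"]}
{"ts":"2025-10-15T10:30:00Z","provider":"salesforce","user":"bob@example.test","event":"token_used","country":"US","device":"lap-09","scopes":["api"]}
"""

# Example watchlist of scopes that grant broad or persistent access (an assumption;
# tune it to the scopes your tenants actually expose).
HIGH_RISK_SCOPES = {"full", "refresh_token", "offline_access"}

# Two different countries for the same user inside this window is treated as anomalous.
GEO_WINDOW = timedelta(minutes=60)


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def _alert(alerts, event, rule, detail):
    alerts.append({
        "rule": rule,
        "user": event["user"],
        "provider": event["provider"],
        "ts": event["ts"].isoformat(),
        "detail": detail,
    })


def detect(events):
    """Run the detection rules over chronologically ordered events and return alerts."""
    alerts = []
    last_geo = {}                      # user -> (ts, country) of the most recent located event
    known_devices = defaultdict(set)   # user -> devices already seen for that user

    for e in events:
        user = e["user"]

        # Rule 1: any token minted through the device code grant is worth a look,
        # because that flow is what the campaign abuses to obtain legitimate tokens.
        if e.get("grant_type") == "device_code":
            _alert(alerts, e, "device_code_flow", "token minted via device code grant")

        # Rule 2: consents or tokens carrying watchlisted scopes are over-scoped candidates.
        risky = sorted(set(e.get("scopes", [])) & HIGH_RISK_SCOPES)
        if risky:
            _alert(alerts, e, "over_scoped", f"high-risk scopes granted: {risky}")

        # Rule 3: geo variance - same user, different country, inside GEO_WINDOW.
        country = e.get("country")
        if country:
            prev = last_geo.get(user)
            if prev and prev[1] != country and e["ts"] - prev[0] <= GEO_WINDOW:
                _alert(alerts, e, "geo_variance", f"{prev[1]} -> {country} within {GEO_WINDOW}")
            last_geo[user] = (e["ts"], country)

        # Rule 4: device variance - a device never seen before for a user with history.
        device = e.get("device")
        if device:
            if known_devices[user] and device not in known_devices[user]:
                _alert(alerts, e, "new_device", f"unseen device {device}")
            known_devices[user].add(device)

    return alerts


def summarize(alerts):
    """Count alerts per rule, useful for a quick triage view."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f'{a["ts"]} {a["rule"]:<17} {a["user"]:<20} {a["provider"]:<11} {a["detail"]}')
```

On the constructed sample the rules fire on the administrator's device-code-issued token, the two high-risk scope grants, the US-to-NL hop within fifteen minutes, and the two devices the administrator had never used before; bob's first located event only establishes a baseline. In a real deployment the baseline of known devices and countries would be persisted per user rather than rebuilt from the batch, and the geo rule would normally be combined with the conditional access policy the guidance recommends so that flagged tokens can be revoked, not just reported.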
Intelligence Source: SaaS Threats are Escalating: A Follow-Up to Our Recent… | Oct 15, 2025