OAuth, guest accounts, and weak MFA drive SaaS risk

Organizations often create guest accounts to give contractors, suppliers, and partners temporary access to files and SaaS applications. Many of these accounts remain active long after they are needed, creating overlooked access paths to corporate data.

Guest accounts accounted for 69% of monitored SaaS accounts in 2025, an increase of more than 1.9 million compared with the previous year, according to Kaseya’s 2026 SaaS Security Report: Closing the Unmanaged Trust Gap.

They outnumber licensed users by more than two to one, significantly expanding the attack surface. If left active and unmanaged, these accounts create opportunities for cybercriminals to compromise them through credential stuffing, password spraying, and similar attacks. Guest accounts receive the same permissions as internal employees, including privileged access.

AI-assisted account enumeration is making these attacks efficient. Attackers can use automated tools to identify active guest accounts within a tenant, test them for weaknesses, and gain access through dormant accounts.

OAuth integrations are expanding the SaaS attack surface

Organizations are adopting AI assistants, automation tools, and collaboration platforms that integrate with Microsoft 365 and Google Workspace through OAuth. These integrations allow employees to sign in with existing work accounts and grant third-party applications access to email, cloud storage, calendars, messaging platforms, and other business data.

OAuth-connected applications receive broad permissions that remain active after approval. If one of these applications is malicious or becomes compromised, attackers can maintain access through OAuth tokens without stealing passwords. This access can persist even after a user changes their password, making malicious activity difficult to detect.

Weak MFA adoption leaves accounts exposed

MFA remains one of the most effective defenses against account compromise, with adoption across small and midsize businesses remaining limited. Fifty-six percent of monitored end-user accounts had MFA disabled or inactive, and only 27% of organizations enforced MFA policies across their SaaS environments.

SaaS security risks

Accounts protected only by passwords remain vulnerable to phishing, credential theft, and password reuse attacks. Once attackers gain access, they can operate as legitimate users within SaaS applications, increasing the risk of business email compromise, fraud, and unauthorized access to sensitive data.

External file sharing creates persistent data exposure

Cloud collaboration platforms make it easier for employees, contractors, partners, and customers to share files across organizational boundaries. The growing use of AI assistants and automated workflows is accelerating this trend as business applications exchange data and employees connect third-party services to corporate SaaS environments.

External file sharing increases the likelihood that sensitive business information will remain accessible after collaboration ends. Shared documents may contain financial records, customer data, internal communications, or intellectual property that remain available because of outdated permissions, unmanaged guest accounts, or orphaned sharing links. These links are often created for temporary projects and never revoked, allowing former contractors, partners, or anyone with the original URL to retain access long after the collaboration ends.

Trusted infrastructure is undermining login detection

Attackers hide behind VPNs, proxy networks, cloud infrastructure, and compromised systems to make malicious activity appear legitimate. This reduces the effectiveness of security controls that rely on IP reputation or geographic location to identify suspicious logins.

Remote work, outsourcing, and global collaboration have made unauthorized access harder to detect. Organizations expect legitimate logins from countries associated with remote employees, contractors, cloud providers, and VPN services, making it difficult to distinguish normal business activity from compromised accounts.

Growing alert volumes overwhelm security teams

SaaS environments generate billions of security events, making it difficult for security teams to distinguish routine business activity from malicious behavior. While most events are low priority, the report recorded nearly 279 million medium- and critical-severity alerts in 2025.

Service principal logins became a common source of critical alerts in 2025. Service principals are non-human identities used by applications, scripts, and automation tools to access SaaS services. If compromised, they can provide attackers with persistent access that is difficult to detect than activity originating from standard user accounts.

“AI-emboldened threat actors see one interconnected attack environment, whereas most organizations defend their infrastructure in pieces,” said Jim Lippie, chief product officer, Kaseya. “The most resilient organizations will be those that embrace continuous monitoring, identity governance and automated response as foundational requirements.”

Don't miss