
Identity-based attacks pose an escalating threat to SaaS environments. Every new SaaS integration, third-party app, and misconfiguration creates an opportunity for attackers to exploit credentials, escalate privileges, and move laterally within an organization.
One of the most notable examples is the 2023 MOVEit Transfer breach, where the Cl0p group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in the widely used managed file transfer product to pull sensitive data out of hundreds of customer organizations without ever holding valid credentials. The incident showed how much trust is placed in third-party applications that sit on the data boundary: a single flaw in one vendor product handed attackers access equivalent to that of a legitimate user across many organizations at once, and none of those organizations' own identity controls were in a position to stop it.
To prevent breaches like this in the future, it’s crucial to understand the top identity threats and how bad actors exploit them. This knowledge fuels strategies to mitigate risk, which include leveraging ITDR solutions to detect and respond to threats.
What is an identity-based attack?
In an identity-based attack, threat actors use compromised human or non-human identities to gain unauthorized access to resources. Identity-based attacks exploit the inherent weaknesses in identity management systems, authentication protocols, and misconfigured access controls.
Common identity-based attacks
1. Phishing
Phishing attacks are a perennial favorite of threat actors, according to the 2024 Verizon Data Breach Investigations Report. The problem goes well beyond legitimate-looking emails containing shady links. Phishing via QR codes and attachments is growing, and lures are increasingly sent from compromised business email accounts at trusted organizations, which defeats sender-reputation checks. Generative AI lets bad actors produce convincing phishing assets at scale, making lures harder for users to spot.
In 2022, Microsoft reported a large-scale phishing campaign against Microsoft 365 users that used fake sign-in portals to steal credentials and gain access to corporate mailboxes. The sites were adversary-in-the-middle (AiTM) proxies: they relayed the victim's credentials and MFA response to the real Microsoft login page, then captured the session cookie issued afterward. MFA was not broken; it was satisfied by the victim, and the attacker replayed the resulting session. The campaign, which targeted more than 10,000 organizations, relied on proxy sites that mimicked legitimate Microsoft login pages.
2. Credential stuffing
Using automated bots, attackers systematically test stolen username-password pairs across multiple platforms, exploiting users who reuse passwords. In 2024, attackers used stolen credentials, largely harvested by infostealer malware from employee devices, to sign in to Snowflake customer accounts that had not enforced MFA, exposing data on hundreds of millions of end users belonging to business customers including Ticketmaster.
A major incident involved attackers using stolen username-password pairs to gain access to DoorDash customer and delivery driver accounts. Once inside, they were able to view personal details, including names, addresses, and partial payment information. With billions of credentials available on the dark web from past data breaches, credential stuffing remains a prevalent identity-based threat.
3. API exploitation
APIs are integral to SaaS ecosystems but are frequently targeted due to weak authentication and improper access controls. The 2023 T-Mobile API breach exposed the personal data of 37 million customers, demonstrating how poorly secured APIs can serve as an entry point for massive data leaks and identity fraud. Attackers exploit APIs to bypass authentication layers, extract sensitive data, or manipulate application functionality.
4. Misconfigurations
Security lapses due to incorrect or negligent configuration of SaaS tools and identity management settings lead to exploitable weaknesses. IBM’s 2023 Cost of a Data Breach report found that cloud misconfigurations accounted for nearly 15% of all cloud breaches. A real-world example is the 2019 Capital One breach: a misconfigured web application firewall on an EC2 instance allowed a server-side request forgery to the instance metadata service, which returned temporary credentials for an IAM role with far more access than the workload needed. With those credentials the attacker listed and downloaded S3 buckets holding data on more than 100 million customers. Misconfigured Single Sign-On (SSO), poorly defined IAM roles, and excessive permissions are commonly exploited attack vectors.
5. Supply chain attacks
Supply chain attacks are particularly damaging because they enable attackers to move laterally across interconnected SaaS environments, affecting multiple organizations simultaneously. In 2024, researchers demonstrated a supply chain attack against the Python Package Index (PyPI) in which attackers could take over the names of deleted packages simply by re-registering them. With this “Revival Hijack” technique, any project still pinning a removed package name would silently pull the attacker’s code on its next install, putting thousands of packages and their downstream users at risk.
6. Insider threats
Malicious or negligent insiders who misuse their legitimate access rights pose significant risks. According to Ponemon Institute‘s Cost of Insider Threats report, insider incidents continue to rise, costing affected organizations an average of $16.2 million annually. An example is the 2023 Tesla insider data leak, where two former employees took 100GB of sensitive information and shared it with external parties.
Whether through deliberate data exfiltration or inadvertent security misconfigurations, insiders are responsible for a substantial percentage of identity-based security breaches.
7. Password spraying
The flip side of credential stuffing, password spraying tests a small number of commonly used passwords against many accounts, one or two attempts per account, so that no single account trips a lockout threshold. Attackers use this method to gain access to enterprise SaaS applications by exploiting weak password policies and accounts without MFA.
Two prime examples: in early 2025, researchers reported a botnet of roughly 130,000 compromised devices spraying Microsoft 365 accounts through non-interactive sign-ins, which many tenants neither monitor nor subject to conditional access. And in 2024, Microsoft reported that the Iranian state-sponsored group APT33 (tracked by Microsoft as Peach Sandstorm) conducted password spraying against organizations in the satellite communications, oil and gas, and government sectors in the United States and the United Arab Emirates. The group used this initial access to deploy a custom backdoor named “Tickler” for persistent remote access.
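The two patterns just described, password spraying (one source, many accounts, few tries each) and credential stuffing run through a botnet (many sources, each touching one or two accounts), can be separated in ordinary sign-in logs. The script below is an added example written for this article, not Wing Security's code and not tied to any identity provider's schema; the event tuples are constructed, and the window sizes and thresholds are assumptions to tune against your own baseline. It also shows the containment step that follows detection: listing the accounts that signed in successfully from a flagged source so their sessions can be revoked and passwords reset.

```python
"""Triage sign-in logs for password-spraying and credential-stuffing patterns.

Added illustration: the event tuples below are constructed for this example and
do not follow any particular identity provider's log schema. Thresholds are
assumptions to be tuned against real baselines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source_ip, result)
SAMPLE_EVENTS = [
    # One source, one guess per account, many accounts: a password spray.
    ("2024-05-01T10:00:01", "alice@example.com", "203.0.113.5", "FAIL"),
    ("2024-05-01T10:00:03", "bob@example.com", "203.0.113.5", "FAIL"),
    ("2024-05-01T10:00:05", "carol@example.com", "203.0.113.5", "FAIL"),
    ("2024-05-01T10:00:07", "dave@example.com", "203.0.113.5", "FAIL"),
    ("2024-05-01T10:00:09", "erin@example.com", "203.0.113.5", "FAIL"),
    ("2024-05-01T10:00:11", "frank@example.com", "203.0.113.5", "SUCCESS"),
    # Many sources, each trying leaked pairs for one account: distributed stuffing.
    ("2024-05-01T11:00:00", "grace@example.com", "198.51.100.1", "FAIL"),
    ("2024-05-01T11:00:01", "heidi@example.com", "198.51.100.2", "FAIL"),
    ("2024-05-01T11:00:02", "ivan@example.com", "198.51.100.3", "FAIL"),
    ("2024-05-01T11:00:03", "judy@example.com", "198.51.100.4", "FAIL"),
    ("2024-05-01T11:00:04", "mallory@example.com", "198.51.100.5", "FAIL"),
    ("2024-05-01T11:00:05", "judy@example.com", "198.51.100.4", "SUCCESS"),  # second leaked pair works
    # A user mistyping their own password twice: must not alert.
    ("2024-05-01T12:00:00", "oscar@example.com", "192.0.2.10", "FAIL"),
    ("2024-05-01T12:00:20", "oscar@example.com", "192.0.2.10", "FAIL"),
    ("2024-05-01T12:00:40", "oscar@example.com", "192.0.2.10", "SUCCESS"),
]


def _parse(events):
    """Parse timestamps and return events in chronological order."""
    return sorted((datetime.fromisoformat(ts), user, ip, result)
                  for ts, user, ip, result in events)


def _failures(events):
    return [e for e in _parse(events) if e[3] == "FAIL"]


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Map source IP -> distinct accounts it failed against inside one window.

    A spray tries one common password against many accounts, so per-account
    attempts stay under the lockout threshold while account fan-out is high.
    Only sources that reach min_accounts are returned.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, _ in _failures(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():  # attempts are already time-ordered
        for i, (start, _) in enumerate(attempts):
            accounts = {u for t, u in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = len(accounts)
                break
    return flagged


def detect_distributed_stuffing(events, window=timedelta(minutes=10),
                                min_sources=4, max_accounts_per_source=2):
    """Return the source IPs of the first window in which many sources each
    fail against only a few accounts.

    Botnet-driven stuffing looks like this: aggregate failure volume is high,
    but every individual source stays below per-IP rate and lockout limits.
    """
    failures = _failures(events)
    for i, (start, _, _, _) in enumerate(failures):
        per_ip = defaultdict(set)
        for ts, user, ip, _ in failures[i:]:
            if ts - start > window:
                break
            per_ip[ip].add(user)
        quiet_sources = sorted(ip for ip, users in per_ip.items()
                               if len(users) <= max_accounts_per_source)
        if len(quiet_sources) >= min_sources:
            return quiet_sources
    return []


def accounts_to_contain(events, suspicious_ips):
    """Accounts that signed in successfully from a flagged source: the ones whose
    sessions should be revoked and passwords reset."""
    return sorted({user for _, user, ip, result in _parse(events)
                   if result == "SUCCESS" and ip in suspicious_ips})


if __name__ == "__main__":
    spray = detect_password_spray(SAMPLE_EVENTS)
    stuffing = detect_distributed_stuffing(SAMPLE_EVENTS)
    print("spray sources:", spray)
    print("stuffing sources:", stuffing)
    print("contain:", accounts_to_contain(SAMPLE_EVENTS, set(spray) | set(stuffing)))
```

Both detectors look only at failures, which is what keeps a busy tenant's normal sign-in traffic from tripping the distributed-stuffing rule; the mistyped-password case in the sample data stays quiet under both. In practice the same logic should run over non-interactive and legacy-protocol sign-ins as well, since those are exactly the paths the 130,000-device botnet used.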
Evolving identity-based attacks
While many identity-based attacks are well-known, attackers continuously evolve their tactics, developing lesser-known but equally dangerous methods to exploit vulnerabilities. Session hijacking, for example, allows attackers to steal a user’s active session token and replay it, granting them access without a password or MFA prompt because the service cannot tell the stolen token from a legitimate one unless it is bound to the original device. Similarly, consent phishing tricks users into granting a malicious application OAuth permissions; the attacker then holds an access or refresh token issued by the identity provider itself, which survives password resets and sidesteps login-time defenses entirely. Another such threat is SIM swapping, where attackers manipulate telecom providers into transferring a victim’s phone number to their own device, enabling them to intercept SMS-based MFA codes and take control of critical accounts.
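Consent phishing leaves a durable artifact that can be audited: the application grant itself. The script below is an added example for this article, not Wing Security's product logic; the grant records are constructed, the scope names borrow Microsoft Graph permission names as a familiar illustration, and the scoring weights and brand list are assumptions. It scores each grant on the indicators that matter for consent phishing, namely scopes that give lasting or broad reach (offline_access, mail, files, directory writes), an unverified publisher, consent given by an individual user rather than an administrator, and an app name that borrows a well-known vendor's brand, then lists the grants to revoke.

```python
"""Score OAuth application grants for consent-phishing indicators.

Added illustration. The grant records are constructed; scope names follow the
Microsoft Graph permission naming used by Microsoft 365 as a familiar example,
and the weights and brand list are assumptions to be tuned per tenant.
"""

# Delegated scopes that give an app lasting or broad reach over the user's data.
HIGH_RISK_SCOPES = {
    "offline_access": "refresh token: access outlives the user's session",
    "Mail.ReadWrite": "read, create and delete the user's mail",
    "Mail.Send": "send mail as the user (BEC staging)",
    "Files.ReadWrite.All": "read and modify all files the user can reach",
    "Directory.ReadWrite.All": "modify users, groups and app registrations",
}

# Vendor names an attacker-registered app might borrow to look legitimate.
IMPERSONATED_BRANDS = ("microsoft", "office 365", "google", "okta")

# Constructed sample: one admin-consented line-of-business app, one
# consent-phishing app approved by a single user, one benign user-consented app.
SAMPLE_GRANTS = [
    {"app": "Contoso HR Portal", "publisher_verified": True, "consent_type": "admin",
     "scopes": ["User.Read", "Files.Read"], "users": 400},
    {"app": "Microsoft 365 Upgrade Assistant", "publisher_verified": False,
     "consent_type": "user",
     "scopes": ["offline_access", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"],
     "users": 1},
    {"app": "Calendar Sync", "publisher_verified": False, "consent_type": "user",
     "scopes": ["User.Read", "Calendars.Read"], "users": 12},
]


def assess_grant(grant):
    """Return (score, reasons) for one application grant."""
    score, reasons = 0, []
    risky = [s for s in grant["scopes"] if s in HIGH_RISK_SCOPES]
    for scope in risky:
        score += 3
        reasons.append(f"{scope}: {HIGH_RISK_SCOPES[scope]}")
    if not grant["publisher_verified"]:
        score += 2
        reasons.append("publisher not verified")
    if grant["consent_type"] == "user" and risky:
        # An individual approved persistent, broad access with no admin review.
        score += 2
        reasons.append("high-risk scopes granted via user consent, not admin consent")
    name = grant["app"].lower()
    if not grant["publisher_verified"] and any(b in name for b in IMPERSONATED_BRANDS):
        score += 3
        reasons.append("unverified app name mimics a well-known vendor")
    return score, reasons


def grants_to_revoke(grants, threshold=5):
    """App names whose grant score meets the threshold, highest risk first."""
    scored = [(assess_grant(g)[0], g["app"]) for g in grants]
    return [app for score, app in sorted(scored, reverse=True) if score >= threshold]


if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        score, reasons = assess_grant(g)
        print(f"{g['app']!r}: score {score}")
        for r in reasons:
            print("   -", r)
    print("revoke:", grants_to_revoke(SAMPLE_GRANTS))
```

Revoking the grant is what actually ends the attacker's access; resetting the user's password does not, because the refresh token was issued to the application, not derived from the password. The longer-term fix is to disable user consent for unverified publishers so that grants like the second one require an administrator in the first place.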
As identity threats continue to evolve, organizations need more advanced strategies to stop these attacks. This is where a deeper approach to IAM becomes essential.
Why identity access management (IAM) is not enough
Identity access management (IAM) systems are a fundamental component of modern security architecture, providing organizations with mechanisms to enforce authentication, authorization, and access controls. However, IAM solutions are not designed to address all identity-based threats comprehensively.
IAM limitations against modern threats
- Static authentication methods are insufficient.
Traditional IAM frameworks rely on authentication techniques such as passwords and MFA. However, these methods verify a user only at login and do not protect against what happens afterward: session hijacking, token theft, and AiTM phishing all ride on a session that was legitimately authenticated. In the 2023 Okta support system breach, attackers who had gained access to Okta’s customer support portal pulled session tokens out of HAR files that customers had uploaded for troubleshooting and used them to hijack administrator sessions at several Okta customers, with no password or MFA step required.
- IAM does not provide real-time identity-based threat detection.
IAM solutions focus on managing identities but can’t detect anomalies in real time. Without behavior-based monitoring, organizations cannot identify unauthorized access attempts or account compromise early enough. For example, in the 2023 MGM Resorts ransomware incident, attackers used social engineering against the IT help desk to obtain valid credentials, then moved laterally across critical systems before being detected.
- IAM cannot prevent insider threats.
IAM operates under the assumption that authorized users are legitimate, but it can’t differentiate between normal user activity and a compromised or malicious insider. SOC teams must monitor and respond to behavioral deviations, privilege escalations, and unauthorized data access attempts by internal users.
Embracing the Zero Trust security model
Key to defending against identity-based attacks is a Zero Trust approach. By continuously validating every identity and access request, organizations can potentially identify and close off vulnerabilities before a breach can occur.
Key Zero Trust strategies:
Micro-segmentation
Dividing networks into manageable, isolated segments prevents lateral movement by attackers. This ensures that even if an attacker compromises an identity, they are confined to a limited network segment, which reduces their ability to escalate privileges or exfiltrate data.
Least privilege access (LPA)
LPA ensures identities receive only the permissions necessary for their job functions. This is particularly crucial for SaaS applications where over-provisioned accounts can open the door to data leaks.
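The Capital One breach described earlier is the canonical case of an over-provisioned identity: the credentials the attacker obtained belonged to a compute role whose policy was far broader than the workload needed. Over-broad grants are easy to find mechanically. The script below is an added example for this article, not Wing Security's code; the two AWS IAM policies are constructed, the policy grammar is the documented one, and the list of escalation-prone actions is a short, assumed subset. It flags wildcard actions, Resource "*" on actions that accept specific ARNs, NotAction grants, and escalation-prone IAM actions granted on every resource, and shows the scoped policy that passes the same checks.

```python
"""Flag IAM policy statements that are broader than least privilege allows.

Added illustration, not from the page. The two policies are constructed; the
checks operate on AWS IAM policy JSON in its documented grammar, and the set of
escalation-prone actions is a short, assumed subset.
"""
import json

# Actions that, granted on Resource "*", let a principal reach a more powerful
# role or policy than its own.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "sts:AssumeRole",
}

# Constructed: the kind of policy an application role accumulates over time.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:DescribeInstances"],
         "Resource": "*"},
    ],
})

# Constructed: the same workload's actual need, scoped to what it touches.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-uploads"},
        # Describe* calls do not support resource-level permissions, so "*" is
        # the only valid resource for them and is not flagged.
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return (statement_index, reason) for every Allow that over-grants."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        star_resource = "*" in resources
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows every action not listed"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, f"wildcard action {action}"))
            elif action in ESCALATION_ACTIONS and star_resource:
                findings.append((idx, f"{action} on every resource: privilege escalation path"))
        # Anything other than a Describe* call should name the ARNs it needs.
        only_describe = all(a.split(":")[-1].startswith("Describe") for a in actions)
        if star_resource and not only_describe:
            findings.append((idx, "Resource * instead of specific ARNs"))
    return findings


if __name__ == "__main__":
    for label, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{label}:")
        for idx, reason in find_overbroad_statements(policy) or [(None, "no findings")]:
            print(f"  statement {idx}: {reason}")
```

Run on the first policy, the script reports four findings across both statements: the s3:* wildcard, Resource "*" on it, iam:PassRole on every resource, and Resource "*" again on that statement. The scoped policy, which grants the same workload only the object and bucket operations it performs on one bucket, produces none. The same shape of check applies to SaaS application roles: enumerate the grants, compare them with what the integration actually calls, and cut the rest.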
Continuous authentication and monitoring
Rather than relying on one-time authentication, continuous verification of identity attributes makes it more likely that SOC teams will spot anomalies in time to prevent a breach. Keeping a watchful eye on behavior analytics, device fingerprints, and geolocation improves the odds of detecting and mitigating compromised credentials.
While Zero Trust is crucial to protect systems and data, only 10% of large organizations will have a mature program in place by 2026, according to Gartner, Inc. While this is an improvement over 2024 levels, more effort should be put toward building a true Zero Trust environment that can prevent, or at least limit, damage from a breach.
Securing third-party integrations
Discovering all third-party SaaS applications used across the organization is crucial for understanding access levels, permissions, and potential security gaps. These platforms often require app-to-app connections in order to deliver value, which opens up new vulnerabilities even in systems that are considered to be secure.
Without full visibility into every app, its connections, and the risks it represents, SOC teams can’t enforce appropriate security controls or assess the risk of unauthorized data access. Apps update and change their permission structures regularly, so even a benign app today may evolve without warning, becoming a gateway into the enterprise.
SaaS platforms often rely heavily on third-party integrations, creating additional entry points for attackers. Notably, the 2022 LastPass breach began with a vulnerable third-party media software package on a DevOps engineer’s home computer: the attacker exploited it to install a keylogger, captured the engineer’s master password, and used it to reach the corporate vault and cloud backups.
Automated discovery and continuous monitoring of third-party SaaS applications are needed to protect against these risks. By mapping out SaaS integrations and evaluating their security postures, organizations can readily enforce access policies, detect risky permissions, and mitigate threats before they escalate.
Strategies to mitigate third-party risks
- Rigorous vendor risk assessments
Evaluate vendor security postures and require transparency on security measures, penetration testing, and incident response capabilities. Organizations should establish a standardized vendor risk assessment framework, including questionnaires, security audits, and access control reviews, to regularly assess potential vulnerabilities.
- Continuous monitoring and auditing
Implement third-party risk management tools to proactively detect anomalies in vendor activity. Use real-time monitoring, machine learning-driven anomaly detection, and periodic security reviews to identify suspicious behaviors or unauthorized changes in third-party integrations before they lead to breaches.
- Compliance verification
Ensure vendors adhere to essential security certifications such as SOC 2, ISO 27001, and NIST standards. Additionally, conduct regular compliance audits and request independent third-party assessments to validate compliance with industry standards and best practices.
- Secure API access controls
Adopt strong authentication mechanisms, OAuth 2.0 best practices, and role-based API access policies to mitigate third-party risks. Implementing API gateways, enforcing rate limiting, and applying zero-trust principles to API interactions can further protect against unauthorized access and data leaks.
ITDR is essential for SaaS security
Robust Identity Threat Detection and Response (ITDR) capabilities are needed to combat the increasing sophistication of identity-based attacks. Unlike traditional IAM tools, ITDR solutions specialize in detecting identity-based anomalies, tracking suspicious behavior across SaaS applications, and responding to threats before they escalate.
Automation is key to stopping identity-based attacks
Manual threat detection and response processes are too slow to combat fast-evolving identity-based attacks. Without automation, SOC teams could be overwhelmed with the sheer volume of alerts, making it near-impossible to respond to them all or prioritize which ones to tackle first.
Automating ITDR empowers SOC teams with:
- Scalability for SaaS-driven enterprises. Automated ITDR solutions ensure security coverage across a growing number of cloud applications without increasing the burden on security teams. With machine learning-driven analytics, ITDR continuously refines its detection models, identifying emerging threats without requiring constant manual tuning.
- Real-time threat detection. ITDR continuously monitors identity behaviors, recognizing deviations such as unusual login locations, privilege escalations, and excessive access attempts.
- Identity event correlation. By mapping identity-based attack paths, ITDR uncovers multi-stage attacks and helps security teams visualize how attackers move within SaaS environments.
- Automated risk prioritization. ITDR uses AI-driven analytics to assess identity risks, flagging high-priority threats and enabling faster response times.
- Integration with Zero Trust and IAM. ITDR complements existing IAM and Zero Trust strategies by bridging visibility gaps and strengthening proactive defense mechanisms.
Security Orchestration, Automation, and Response (SOAR) enhances ITDR
SOAR platforms enable rapid containment actions, such as disabling compromised accounts, revoking risky permissions, and enforcing MFA challenges in response to high-risk activities. Automating these processes and integrating them with ITDR shrinks response time and reduces the likelihood of a successful identity-based cyber attack.
Wing Security’s ITDR solution gives SOC teams an edge
Wing Security’s ITDR platform provides SOC teams with a comprehensive approach to identity-based threat detection and response, leveraging cutting-edge methodologies to stay ahead of evolving threats.
Our solution is built to support the MITRE ATT&CK framework, which helps map identity-based attacks, correlate identity events, and provide deeper insights into adversarial tactics and techniques. We give security teams a clear and complete picture of the attack path, reducing investigation time and enabling faster responses.
To ensure the most pressing issues are dealt with first, our solution delivers prioritization scoring using User and Entity Behavior Analytics (UEBA). Wing Security’s ITDR pulls together fragmented identity-related logs, then applies UEBA to detect anomalies and subtle patterns of movement or privilege abuse.
The system then assigns dynamic confidence scores to identity behaviors and prioritizes the most critical threats via a clear, straightforward dashboard.
Our ITDR solution empowers SOC teams with deep visibility into identity-driven threats, providing advanced capabilities tailored for SaaS environments, including:
- Comprehensive identity monitoring: Detects threats across human and non-human identities, ensuring complete SaaS identity coverage.
- Behavioral anomaly detection: Uses machine learning to spot deviations in identity behavior, reducing false positives and prioritizing real risks.
- Identity-centric incident timelines: Maps attack events in chronological order, helping security teams understand and respond to threats efficiently.
- Automated remediation playbooks: Provides guided response actions to neutralize threats quickly, minimizing manual intervention.
- Seamless SIEM/SOAR integration: Enhances security operations by feeding identity-based threat intelligence into centralized security management platforms.
A layered approach to identity-based attacks
Identity-based attacks represent a substantial threat to organizations utilizing SaaS solutions. By implementing a layered strategy, which includes embracing Zero Trust principles, rigorously securing third-party integrations, prioritizing ITDR capabilities, and automating responses via SOAR solutions, organizations can significantly enhance their resilience to identity threats.
Security teams must proactively evaluate the current SaaS security posture and ITDR capabilities that are in place. Advanced platforms, like Wing Security, can significantly bolster defenses, giving organizations the ability to stay one step ahead of identity-based cyber attacks.