Securing SaaS Integrations

Every week, your business adds another cloud tool: a new project management app here, a marketing connector there. Each one promises efficiency and growth. But they also create something most executives never see: an invisible network of connections, access permissions, and data flows linking your most sensitive systems to dozens of third-party vendors. We call this the Invisible Attack Surface.
In 2025, it became the most exploited entry point for cybercriminals targeting enterprises worldwide. In the first half of 2025 alone, infostealers compromised over 270,000 Slack credentials globally. One single compromised integration exposed more than 700 organisations simultaneously. These are not predictions. They happened to companies just like yours.
This is not purely a technology problem. It is an organisational problem.
The Risk Hiding in Plain Sight
SaaS integrations are the connections between your cloud tools: Salesforce talking to HubSpot, Slack syncing with Google Workspace, your HR platform feeding your payroll system. Each connection is a potential entry point. And most organisations have hundreds of them, many set up years ago and never reviewed since.
A 2025 Cloud Security Alliance survey found that 56% of organisations are concerned about overprivileged API access, and 46% cannot effectively monitor the non-human accounts (bots and automated integrations) operating inside their systems daily. When one of those connections is compromised, the damage does not stay contained. It cascades instantly across your entire digital ecosystem.
JP Morgan’s Chief Information Security Officer issued a public warning in 2025 that SaaS sprawl is quietly enabling cyber attackers and creating systemic vulnerabilities. When one of the world’s most security-conscious institutions makes that statement publicly, every business leader should take notice.
Case Study 1: The Drift-Salesforce Supply Chain Attack (August 2025)
In August 2025, a threat actor compromised Drift, a popular sales engagement tool widely integrated with Salesforce, and used stolen OAuth tokens to silently access the Salesforce environments of over 700 enterprise clients simultaneously. No passwords were needed. No MFA alerts were triggered. The tokens acted as skeleton keys, opening doors across hundreds of organisations at once.
Confirmed victims included Cloudflare, Zscaler, Tenable, Proofpoint, and Qualys, companies that exist specifically to defend organisations from attacks like this. Inside each breached environment, attackers ran systematic queries extracting customer records, support data, and, critically, cloud infrastructure secrets including AWS access keys and Snowflake database credentials. At Cloudflare, forensic analysis revealed the attacker completed full data exfiltration in under three minutes, then erased the evidence.
Case Study 2: The Payroll Pirates Workday Attack (March–October 2025)
Throughout the first half of 2025, a financially motivated threat actor tracked as Storm-2657 ran a systematic campaign against US universities that Microsoft later dubbed Payroll Pirates. Their method was straightforward and devastatingly effective: use phishing emails to steal employee credentials, enter the organisation’s Workday HR platform through its SSO integration with Exchange Online, silently change salary payment settings, and redirect employees’ wages to attacker-controlled bank accounts, all without exploiting a single technical vulnerability in Workday itself.
The attack chain was a direct exploitation of SaaS integration trust. Attackers harvested employees’ credentials and MFA codes. That single point of entry gave attackers access to Exchange Online which, via SSO, automatically unlocked Workday. Once inside, they created inbox rules to silently delete all Workday warning notifications, then changed the employee’s direct deposit details. Future paychecks routed straight to attacker accounts. Microsoft confirmed at least 11 compromised accounts across three universities, which were then used to send nearly 6,000 further phishing emails across 25 institutions. The attack propagated precisely because the SSO integration between email and HR meant one stolen credential unlocked the entire chain.
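The two steps of that chain that a defender can observe, an inbox rule hiding HR notifications followed by a payment-detail change on the same account, can be correlated in audit data. The following detection logic is an added example, not code from the article or from Microsoft; the event schema, field names, sender keywords and sample events are all constructed for illustration.

```python
"""Correlate two signals of the Payroll Pirates chain: an inbox rule that
hides HR-platform notifications, followed by a direct-deposit change on the
same account. The event schema and sample events are constructed for this
example and do not come from any real product's logs."""
from datetime import datetime, timedelta

# Constructed sample events. A real pipeline would read mailbox-audit and
# HR-platform audit records with whatever fields those systems provide.
EVENTS = [
    {"time": "2025-04-02T08:14:00", "user": "j.doe", "type": "InboxRuleCreated",
     "rule": {"from_contains": "workday", "action": "delete"}},
    {"time": "2025-04-02T08:21:00", "user": "j.doe", "type": "DirectDepositChanged"},
    {"time": "2025-04-02T09:00:00", "user": "a.lee", "type": "InboxRuleCreated",
     "rule": {"from_contains": "newsletter", "action": "move"}},
    {"time": "2025-04-03T10:00:00", "user": "a.lee", "type": "DirectDepositChanged"},
    {"time": "2025-04-05T12:00:00", "user": "m.kim", "type": "InboxRuleCreated",
     "rule": {"from_contains": "workday", "action": "delete"}},
]

HR_SENDERS = ("workday", "hr-noreply", "payroll")   # assumed notification senders
WINDOW = timedelta(hours=48)                        # assumed correlation window


def _hides_hr_mail(rule):
    """True if the rule deletes or junks mail from an HR/payroll sender."""
    return rule.get("action") in ("delete", "junk") and any(
        s in rule.get("from_contains", "").lower() for s in HR_SENDERS)


def find_payroll_diversion(events, window=WINDOW):
    """Return (user, rule_time, change_time) tuples where an HR-hiding inbox
    rule is followed within `window` by a direct-deposit change."""
    hide_rules = {}   # user -> timestamps of suspicious rules
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "InboxRuleCreated" and _hides_hr_mail(ev["rule"]):
            hide_rules.setdefault(ev["user"], []).append(t)
        elif ev["type"] == "DirectDepositChanged":
            for rule_time in hide_rules.get(ev["user"], []):
                if timedelta(0) <= t - rule_time <= window:
                    alerts.append((ev["user"], rule_time.isoformat(), t.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_payroll_diversion(EVENTS):
        print("ALERT payroll diversion pattern:", alert)
```

In the sample data only j.doe matches both signals; a.lee's rule targets a newsletter and m.kim's rule has no matching deposit change, so the HR-hiding rule alone would merit a lower-severity review rather than this alert.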
What Business Leaders Must Do Now
You do not need to become a cybersecurity expert. But you do need to own this conversation at the leadership level. Five practical priorities stand out:
- Map your integrations. Commission a full audit of every SaaS tool and every integration connecting them, including OAuth tokens and API connections that run without human oversight. You cannot protect what you do not know exists.
- Hold your vendors accountable. The Drift breach proved that your supplier’s security failure becomes your crisis within minutes. Build formal security assessments into every vendor relationship and procurement decision.
- Govern SaaS integration access. The Payroll Pirates campaign exploited one ungoverned SSO connection between email and HR. Audit which SaaS tools are linked via SSO or OAuth, what data they can access, and whether those integrations are still necessary. Treat payroll and HR system changes as high-risk financial events requiring additional verification.
- Enforce least privilege. Most integrations are granted broad access at setup and never reviewed again. Audit permissions quarterly. Remove what is not needed. Dormant integrations are open doors.
- Plan for breach, not just prevention. Detection speed determines the damage. The Cloudflare exfiltration took three minutes. Build and test an incident response plan that explicitly covers SaaS integration failures.
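The first and fourth priorities (map integrations, enforce least privilege) reduce to a review of an integration inventory for broad scopes, dormant connections and missing owners. The following audit routine is an added example, not code from the article or from any SaaS vendor; the inventory format, scope names, 90-day threshold and sample entries are constructed assumptions.

```python
"""Review an inventory of OAuth/API integrations for overprivileged scopes,
dormant connections and integrations with no accountable owner. The
inventory format and scope strings are constructed for this example; they
are not any vendor's real scope names."""
from datetime import date

# Assumed: a scope containing one of these markers grants write/admin access.
BROAD_MARKERS = ("full", "admin", "write", "*")
DORMANT_AFTER_DAYS = 90   # assumed review threshold for an unused integration

# Constructed inventory; a real one is exported from each SaaS admin console.
INTEGRATIONS = [
    {"name": "crm-to-marketing-sync", "scopes": ["crm.read", "crm.write"],
     "last_used": "2025-10-01", "owner": "sales-ops"},
    {"name": "legacy-report-bot", "scopes": ["crm.full_access"],
     "last_used": "2024-11-15", "owner": None},
    {"name": "chat-calendar-link", "scopes": ["calendar.read"],
     "last_used": "2025-10-20", "owner": "it"},
]


def audit_integrations(integrations, today):
    """Return a dict mapping integration name -> list of findings.
    Integrations with no findings are omitted from the result."""
    findings = {}
    for item in integrations:
        issues = []
        broad = [s for s in item["scopes"]
                 if any(m in s.lower() for m in BROAD_MARKERS)]
        if broad:
            issues.append(f"broad scopes: {', '.join(broad)}")
        idle_days = (today - date.fromisoformat(item["last_used"])).days
        if idle_days > DORMANT_AFTER_DAYS:
            issues.append(f"dormant: unused for {idle_days} days")
        if not item.get("owner"):
            issues.append("no accountable owner")
        if issues:
            findings[item["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_integrations(INTEGRATIONS, date.today()).items():
        print(name, "->", "; ".join(issues))
```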
Conclusion
The most damaging attacks of 2025 did not break in; they logged in. They used stolen tokens to walk through trusted doors. They used a single phishing email to access an entire payroll system through an SSO integration nobody was watching. They exploited the connections between your tools, not the tools themselves.
The organisations that avoided the worst outcomes were the ones with real visibility into which connections existed, who had authorised them, and what access they carried. That visibility starts with leadership asking the right questions.
Your customers trust you with their data. Your employees trust you with their information. Your investors trust you with your resilience. That trust is built or broken in boardrooms and leadership meetings, long before a breach forces the conversation.

