As organizations increasingly adopt cloud services and Software as a Service (SaaS) applications, threat actors are evolving their tactics to exploit vulnerabilities in these environments. Attacks targeting cloud infrastructures, identity management systems, and SaaS platforms have become more sophisticated, making it imperative for businesses to understand and mitigate these threats.

In this article, we'll explore five common tactics used by threat actors in cloud, identity, and SaaS attacks, and provide recommendations on how to defend against them.

1. Phishing Attacks Targeting Cloud Credentials

Overview:

Phishing remains one of the most prevalent methods attackers use to compromise user credentials. By sending deceptive emails that mimic legitimate cloud service providers or SaaS applications, attackers trick users into revealing their login information.

Example:

An employee receives an email that appears to be from Microsoft Office 365, prompting them to update their password due to "suspicious activity." The link leads to a fake login page, and when the employee enters their credentials, the attackers gain access to the company's cloud services.

Recommendations to Combat Phishing

  • Implement Email Security Solutions: Use advanced email filtering to detect and block phishing emails before they reach users.
  • Enable Multi-Factor Authentication (MFA): Require MFA for all cloud and SaaS accounts to add an extra layer of security even if credentials are compromised.
  • Conduct Security Awareness Training: Regularly educate employees on how to recognize phishing attempts and report suspicious emails.

2. Exploitation of Cloud Misconfigurations

Overview:

Misconfigurations in cloud environments, such as improperly secured storage buckets or open ports, provide easy entry points for attackers. These vulnerabilities often occur due to the complexity of cloud settings and lack of proper oversight.

Example:

A company inadvertently leaves an Amazon S3 bucket containing sensitive customer data publicly accessible. Attackers scan for such misconfigurations, find the exposed bucket, and download the data.

Recommendations to Prevent Misconfigurations

  • Regular Audits and Assessments: Conduct periodic reviews of cloud configurations to ensure they comply with security best practices.
  • Use Cloud Security Posture Management (CSPM) Tools: Automate the detection and remediation of misconfigurations across cloud environments.
  • Implement the Principle of Least Privilege: Ensure that users and services have only the necessary permissions required for their roles.
  • Adopt Infrastructure as Code (IaC): Use code to manage cloud configurations, enabling version control and reducing human error.
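The exposed-bucket scenario above comes down to one policy statement. The following is an added example (not Mitiga's code) of the kind of check a CSPM tool or IaC pipeline applies: it evaluates an S3 bucket policy document offline and flags Allow statements that let any principal read, with a constructed weak policy beside its corrected form (bucket name and account ID are placeholders).

```python
# Added example (not Mitiga's code): flag S3 bucket policy statements that
# grant anonymous read access. Runs offline on constructed sample policies.
import json

PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_read_statements(policy_json: str) -> list:
    """Return Sids of Allow statements that let any principal read objects.

    Flagged: Principal is '*' or {'AWS': '*'}, a read action is allowed, and
    there is no Condition. Any Condition (e.g. aws:SourceVpce) suppresses the
    finding, so those statements still deserve a manual look.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def _policy(sid: str, principal) -> str:
    # Constructed sample; bucket name and account ID are placeholders.
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Principal": principal,
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-data/*"}]})


# Weak setting: anyone on the internet can read every object in the bucket.
WEAK_POLICY = _policy("PublicRead", "*")
# Corrected: only one application role in the account may read.
FIXED_POLICY = _policy("AppRoleRead",
                       {"AWS": "arn:aws:iam::123456789012:role/app-reader"})

if __name__ == "__main__":
    print("weak:", public_read_statements(WEAK_POLICY))    # ['PublicRead']
    print("fixed:", public_read_statements(FIXED_POLICY))  # []
```

Running the same check in a pre-deploy IaC step catches the misconfiguration before the bucket ever goes live, rather than after a periodic audit.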

3. Credential Stuffing Attacks

Overview:

Credential stuffing involves attackers using lists of compromised usernames and passwords from previous breaches to attempt unauthorized access to accounts on different platforms. Since many users reuse passwords, this tactic can be highly effective.

Example:

Attackers use credentials obtained from a data breach of a popular social media site to attempt logins on various SaaS platforms. If employees have reused passwords, attackers can gain access to corporate accounts.

Recommendations to Defend Against Credential Stuffing

  • Enforce Strong Password Policies: Require the use of unique, complex passwords and discourage password reuse.
  • Implement Multi-Factor Authentication (MFA): MFA significantly reduces the risk posed by compromised credentials.
  • Monitor for Unusual Login Activity: Use analytics to detect and alert on suspicious login attempts, such as multiple failed logins or logins from unusual locations.
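Credential stuffing leaves a distinctive shape in login logs that the "monitor for unusual login activity" recommendation can key on: one source trying many different accounts, an attempt or two each, inside a short window. The following is an added example (not Mitiga's code) that runs that detection over constructed SaaS login events; the log format, usernames and IP addresses are all made up, and the thresholds are assumptions to tune per environment.

```python
# Added example (not Mitiga's code): flag a credential-stuffing pattern in
# SaaS login logs. Log format and every event below are constructed samples.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5   # one source tries many different accounts ...
MAX_PER_USER = 2         # ... but only an attempt or two per account


def parse_line(line: str) -> dict:
    # Constructed format: "<iso-timestamp> <OK|FAIL> user=<name> ip=<addr>"
    ts, result, user, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user.split("=", 1)[1], "ip": ip.split("=", 1)[1]}


def detect_stuffing(lines) -> dict:
    """Map each suspicious source IP to users_tried, failures and the accounts
    it actually got into (those are the ones to lock and review first).
    Brute force hammers one account; stuffing spreads thinly across many."""
    by_ip = defaultdict(list)
    for ev in map(parse_line, lines):
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        per_user = defaultdict(int)
        for ev in events:
            per_user[ev["user"]] += 1
        in_window = events[-1]["ts"] - events[0]["ts"] <= WINDOW
        if (in_window and len(per_user) >= MIN_DISTINCT_USERS
                and max(per_user.values()) <= MAX_PER_USER):
            findings[ip] = {
                "users_tried": len(per_user),
                "failures": sum(e["result"] == "FAIL" for e in events),
                "successes": [e["user"] for e in events if e["result"] == "OK"],
            }
    return findings


SAMPLE_LOG = [  # constructed events; both IPs are documentation ranges
    "2025-05-14T08:00:01 FAIL user=alice ip=203.0.113.7",
    "2025-05-14T08:00:03 FAIL user=bob ip=203.0.113.7",
    "2025-05-14T08:00:05 FAIL user=carol ip=203.0.113.7",
    "2025-05-14T08:00:07 OK user=dave ip=203.0.113.7",
    "2025-05-14T08:00:09 FAIL user=erin ip=203.0.113.7",
    "2025-05-14T08:00:11 FAIL user=frank ip=203.0.113.7",
    "2025-05-14T08:05:20 OK user=alice ip=198.51.100.4",  # normal login
]
```

A successful login from a flagged source is the actionable part of the finding: that account's password was in the breached list and should be reset and its sessions revoked.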

4. Abuse of OAuth Tokens and API Keys

Overview:

Attackers abuse long-lived credentials such as OAuth tokens and API keys to gain unauthorized access to cloud services and SaaS applications. These tokens and keys can be leaked through code repositories or intercepted in transit if they are not properly protected.

Example:

A developer accidentally commits code containing API keys to a public GitHub repository. Attackers find the keys and use them to access the company's cloud resources, manipulating data and services.

Recommendations to Secure Tokens and API Keys

  • Never Hard-Code Credentials: Avoid embedding tokens or keys in code; use secure methods to store and retrieve them.
  • Implement Access Controls: Restrict the permissions associated with tokens and keys to the minimum necessary.
  • Regularly Rotate Keys and Tokens: Change API keys and tokens periodically to limit the window of opportunity for attackers.
  • Monitor and Audit Usage: Keep track of when and how tokens and keys are used and set up alerts for unusual activity.
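The committed-key scenario above is best stopped before the push. The following is an added example (not Mitiga's code) of a pre-commit style secret scan: it matches the AWS access key ID format and generic `api_key = "..."` assignments, uses an entropy filter to skip placeholder strings, and reports redacted values so the report itself does not leak the secret. The source snippets it scans are constructed; the AKIA value is AWS's documented example key.

```python
# Added example (not Mitiga's code): a pre-commit style scan that rejects
# source files with hard-coded API keys. The snippets scanned are constructed.
import math
import re

# AKIA... is the AWS access key ID format; the generic rule catches
# assignments such as api_key = "<long literal>" regardless of provider.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words and paths score low."""
    probs = (s.count(ch) / len(s) for ch in set(s))
    return -sum(p * math.log2(p) for p in probs)


def scan_source(text: str, min_entropy: float = 3.5) -> list:
    """Return (line_no, rule, redacted_value) for each likely hard-coded secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            # Entropy filter drops placeholders like token = "see-the-team-wiki".
            if rule == "generic_api_key" and shannon_entropy(value) < min_entropy:
                continue
            findings.append((no, rule, value[:4] + "..." + value[-4:]))
    return findings


# Weak: credentials live in source, one push away from a public repository.
# The AKIA value is AWS's documented example key; the hex key is made up.
WEAK_SOURCE = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "9f2c7a1e4b8d3f6a0c5e2b7d1a4f8c3e"
token = "see-the-team-wiki"
client = boto3.client("s3")
'''
# Fixed: secrets come from the environment or a secrets manager at runtime,
# and the SDK picks up short-lived role credentials on its own.
FIXED_SOURCE = '''import os
import boto3
api_key = os.environ["PAYMENTS_API_KEY"]
client = boto3.client("s3")
'''
```

Wiring `scan_source` into a pre-commit hook or CI job turns the "never hard-code credentials" rule into an enforced control rather than a guideline.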

5. Supply Chain Attacks on SaaS Applications

Overview:

Supply chain attacks involve compromising a third-party service or software that an organization relies on. In the context of SaaS, attackers target vendors to infiltrate their customers' systems.

Example:

Attackers inject malicious code into a software update from a SaaS provider. When the provider's customers apply the update, the malware spreads into their environments, allowing attackers to exfiltrate data or disrupt services.

Recommendations to Mitigate Supply Chain Risks

  • Assess Vendor Security: Perform due diligence on SaaS providers to ensure they follow robust security practices.
  • Use Application Whitelisting and Code Signing Verification: Only allow approved applications and verify the authenticity of software updates.
  • Stay Informed About Threats: Keep up-to-date with security advisories related to your vendors and apply patches promptly.

Conclusion: Combatting Common Threat Actor Tactics in the Cloud

Understanding these common threat actor tactics is the first step in strengthening your organization's security posture. By implementing the recommended measures, businesses can significantly reduce their risk of falling victim to these attacks.

As cloud services and SaaS applications continue to play a pivotal role in modern operations, proactive security strategies are essential. Regular training, robust authentication mechanisms, vigilant monitoring, and secure coding practices are key components of an effective defense.

An effective starting point can be conducting an annual tabletop exercise, which allows you to understand where your team can improve in cases of incident preparedness and response. Download your tabletop exercise template today or get in touch with a Mitiga expert for more information.  

LAST UPDATED:

May 14, 2025
