Introduction


In today’s digital workspace, SaaS applications like Slack, Google Drive, and Microsoft Teams have become the backbone of business communication and collaboration. These platforms are often filled with sensitive documents, critical data, and intellectual property—making them an attractive target for malicious actors. Yet, many organizations operate under the assumption that if permissions are properly configured and external access is restricted, their data is safe. But is this mindset dangerously outdated? Can strong access controls alone prevent insider threats or mitigate the risks of corporate espionage?

The recent incident involving Rippling and Deel challenges this perception. In November 2024, Rippling alleged that a user within their organization engaged in suspicious activity, frequently searching for and accessing sensitive files within their Slack environment. Rippling claims this activity was part of a corporate espionage effort orchestrated by Deel, leading to a high-stakes legal battle.

This incident underscores the growing threat posed by insiders—whether acting maliciously or negligently—and highlights the vulnerabilities that come with relying heavily on productivity SaaS platforms. In this article, we’ll explore the security implications of such platforms, analyze the gaps that allowed this incident to occur, and offer actionable strategies to help organizations safeguard their sensitive information.

Understanding the Rippling Incident

In November 2024, Rippling found itself at the center of a high-profile corporate espionage case. The company alleged that an employee, whose employment started a year previously, had engaged in suspicious activity, targeting sensitive information stored within its Slack environment. According to the claims, the user repeatedly searched and accessed critical internal documents multiple times a day, causing the security team to be alerted.

In the early part of November, Rippling’s security monitoring systems identified unusual search patterns in their internal Slack workspace. The user in question, who has not been identified publicly, appeared to be conducting regular searches for highly sensitive files that included proprietary and client information. Once identified, internal investigations were conducted into the user's behavior and actions. The pattern of behavior identified by the internal teams suggested a motive for the activity beyond the normal actions required by the user's role. The pattern of searches was described as methodical and focused, with particular attention given to the files that could be leveraged for competitive gain.

With this information in hand, Rippling escalated their concerns, leading to a forensic analysis that suggested data had been exfiltrated. Following the discovery of these actions, Rippling began legal proceedings against Deel, a direct competitor. The allegation is of a corporate espionage campaign that leveraged the insider to gather sensitive information.

This incident highlights a growing security concern: the risk of insider threats within SaaS environments, especially ones that hold a wide array of information. As organizations increasingly rely on SaaS platforms for easier collaboration, they may unknowingly expose themselves to significant data security risks.

Productivity SaaS Applications and Associated Risk


SaaS platforms (such as SharePoint, Slack, Google Drive, Dropbox, etc.) function as central hubs that have transformed the way businesses collaborate, making it easier than ever to share ideas, documents and sensitive information. However, this convenience comes at a cost: these platforms also introduce new layers of security risk that many organizations underestimate.

Whilst centralization improves accessibility and collaboration, it also creates a single point of failure. If an attacker, internal or external, manages to gain access to these platforms, they can potentially access a treasure trove of sensitive information. Once inside, the attackers often leverage legitimate user credentials to move laterally within the systems, making it difficult to identify the activity as malicious.

Organizations often assume that setting strict permissions and limiting external access is enough to safeguard sensitive data. But this mindset is outdated and dangerous. Permissions alone can’t stop authorized users from misusing access—and excessive permissions, granted for convenience, often leave critical information wide open. In the Rippling case, access controls were in place, yet the insider still managed to search for and retrieve sensitive data undetected.

External attacks leave telltale signs—failed logins, suspicious IPs, or brute-force attempts. Insiders? They operate from within, making them inherently harder to detect. Authorized users can comb through sensitive data without raising alarms unless granular controls or DLP (Data Loss Prevention) measures are in place. Worse, most SaaS platforms lack the real-time anomaly detection needed to flag abnormal user behavior as it happens.

Audit logs capture surface-level events like file access or login timestamps, but they lack context. They can’t tell if a legitimate search is part of normal operations—or a prelude to data theft. Without granular insights into how users interact with sensitive information, incident response becomes reactive and slow—often catching threats only after the damage is done.

These vulnerabilities in the basic functionality of SaaS platforms create a perfect storm for insider threats, where overly permissive access, lack of real-time monitoring, and poor behavioral analysis combine to leave organizations exposed. Without a proactive solution that provides a single pane of glass for activity and behavioral analysis, organizations leave themselves vulnerable to both accidental and deliberate data exposure.
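The gap described above is context: an audit log shows a search and, separately, a download, but not that the two belong together. The example below is added here and is not code from the original post; it correlates each user's searches with downloads of matching files within a short window, so a "search then fetch" chain surfaces as one finding. It uses only the Python standard library so it runs without pandas, and the log layout, field names and sample rows are constructed for the example.

```python
# Added example (not from the original post): correlate per-user search events
# with later downloads of the same file, so a "search then fetch" chain is
# surfaced as one finding instead of two unrelated audit-log lines.
# Standard library only, so it runs without pandas. The log format, field
# names and sample rows are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: (timestamp, user, action, target).
# "search" rows carry the query string; "download" rows carry the file name.
SAMPLE_LOGS = [
    ("2024-11-04T09:12:00", "alice", "search",   "q3 financials"),
    ("2024-11-04T09:13:30", "alice", "download", "Q3_financials.xlsx"),
    ("2024-11-04T09:20:00", "alice", "search",   "acquisition"),
    ("2024-11-04T09:25:00", "alice", "download", "acquisition_targets.docx"),
    ("2024-11-04T10:02:00", "bob",   "search",   "holiday policy"),
    ("2024-11-04T14:40:00", "bob",   "download", "holiday_policy.pdf"),
    ("2024-11-05T11:00:00", "carol", "download", "Q3_financials.xlsx"),
]

def _matches(query: str, file_name: str) -> bool:
    """Crude relevance check: every query term appears in the file name
    (case-insensitive, treating '_' and '-' as spaces)."""
    normalised = file_name.lower().replace("_", " ").replace("-", " ")
    return all(term in normalised for term in query.lower().split())

def find_search_then_download(logs, window_minutes=30):
    """Return [(user, query, file_name, seconds_between)] for every download
    that follows a matching search by the same user within the window."""
    window = timedelta(minutes=window_minutes)
    recent_searches = defaultdict(list)  # user -> [(timestamp, query)]
    findings = []
    for ts_text, user, action, target in sorted(logs, key=lambda r: r[0]):
        ts = datetime.fromisoformat(ts_text)
        if action == "search":
            recent_searches[user].append((ts, target))
            continue
        if action != "download":
            continue
        for search_ts, query in recent_searches[user]:
            gap = ts - search_ts
            if timedelta(0) <= gap <= window and _matches(query, target):
                findings.append((user, query, target, int(gap.total_seconds())))
    return findings

def summarise_by_user(findings):
    """Count correlated search->download chains per user; several chains in
    a short period are the pattern worth a closer look."""
    counts = defaultdict(int)
    for user, *_ in findings:
        counts[user] += 1
    return dict(counts)

if __name__ == "__main__":
    chains = find_search_then_download(SAMPLE_LOGS)
    for user, query, file_name, secs in chains:
        print(f"{user}: searched '{query}' then downloaded '{file_name}' {secs}s later")
    print(summarise_by_user(chains))
```

With the constructed sample, only alice produces chains (two of them, 90 and 300 seconds apart); bob's download comes hours after his search and carol never searched at all, so neither is reported. Widening the window is a tuning decision: a large window catches slower reconnaissance at the price of more benign matches.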

Hunting Sharks


To mitigate the risks presented above, security teams need the tools to run proactive threat hunts and catch threats in the act. Since insiders access applications with legitimate credentials, they are difficult to identify outright; the recommendation is to recognise the warning signs early, before they turn into incidents.

Detect Excessive Activity Within Slack

One of the more obvious situations that can be hunted for is mass data downloads by users who are known to be leaving the organization. Below is a code snippet that could help identify anomalous activity in Slack.

import pandas as pd

def detect_excessive_activity(logs, action_type='file_search', threshold=10):
    # logs: a pandas DataFrame with an 'action' column and a datetime64
    # 'date_time' column (for example, exported Slack audit log events)
    action_logs = logs[logs['action'] == action_type]

    # Group by day and count actions
    action_counts = action_logs.groupby(action_logs['date_time'].dt.date).size()

    # Flag days with excessive activity
    high_activity_days = action_counts[action_counts > threshold]
    if not high_activity_days.empty:
        print(f"⚠️ Detected {len(high_activity_days)} days with excessive '{action_type}' activity.")
        print(high_activity_days)
    else:
        print(f"✅ No unusual '{action_type}' activity detected.")

This code snippet checks for days on which file searches exceed the pre-established threshold. The threshold can be adjusted to the needs and normal activity of your organization. Whilst this is generalized, it can be used to focus in on specific days that may contain activity similar to what we see in this case.

Mass Downloads from SharePoint by a Single User

SharePoint is one of the most used storage SaaS platforms and comes packaged with Office 365 and Microsoft Teams. One aspect of the anomalous activity that attackers may conduct is exfiltrating large amounts of data; the following code snippet detects a large number of downloads and the user behind them.

def detect_mass_downloads(logs, threshold=50):
    # logs: a DataFrame of file download events with a 'user' column
    downloads_per_user = logs.groupby('user').size()
    suspicious_users = downloads_per_user[downloads_per_user > threshold]

    if not suspicious_users.empty:
        print("⚠️ Mass file downloads detected by the following users:")
        print(suspicious_users)
    else:
        print("✅ No unusual file download activity detected.")

# Run download detection (file_logs is your DataFrame of SharePoint download events)
detect_mass_downloads(file_logs, threshold=50)

Off Hours Access for Users (SharePoint)

Legitimate users rarely access sensitive documents at 3 AM. Attackers are not known for sticking to Dolly Parton's 9 to 5 suggestion, so if they are accessing files at strange times that do not match their normal behavior, this can be an indicator of malicious activity. This code identifies file access that occurs outside normal business hours, a common indicator of insider malfeasance:

def detect_off_hours_access(logs, start_hour=9, end_hour=18):
    # logs: a DataFrame with 'user', 'file_name' and a datetime64 'modified_time' column
    hours = logs['modified_time'].dt.hour  # computed locally so the caller's DataFrame is not modified
    # Anything before start_hour or at/after end_hour counts as off hours
    # (with end_hour=18, an access at 18:30 is correctly treated as after hours)
    off_hours_logs = logs[(hours < start_hour) | (hours >= end_hour)]

    if not off_hours_logs.empty:
        print("⚠️ Suspicious file access outside business hours detected:")
        print(off_hours_logs[['user', 'file_name', 'modified_time']])
    else:
        print("✅ No off-hours file access detected.")

# Run off-hours access check
detect_off_hours_access(file_logs, start_hour=9, end_hour=18)

Searching for Sensitive Keywords (SharePoint)

In addition, we have seen throughout this case and blog that attackers will often recon an environment first, sometimes for months, to identify sensitive files to exfiltrate or otherwise gain access to. The following code snippet identifies users who have surpassed the threshold for searches containing sensitive keywords. These keywords should be edited for your own needs and usage.

import re

def detect_keyword_searches(logs, keywords, threshold=5):
    # logs: a DataFrame with 'user' and 'file_name' columns.
    # Note: this matches the keywords against file names in the access log;
    # if your logs record the search query string itself, use that column instead.
    # re.escape stops keywords containing regex metacharacters from being misread.
    pattern = '|'.join(re.escape(k) for k in keywords)
    search_logs = logs[logs['file_name'].str.contains(pattern, case=False, na=False, regex=True)]

    # Group by user and count occurrences
    keyword_searches = search_logs.groupby('user').size()
    suspicious_users = keyword_searches[keyword_searches > threshold]

    if not suspicious_users.empty:
        print("⚠️ Users searching for sensitive files excessively:")
        print(suspicious_users)
    else:
        print("✅ No suspicious keyword search activity found.")

# Define sensitive keywords to monitor
sensitive_keywords = ['confidential', 'financials', 'acquisition', 'salary']

# Run keyword search detection
detect_keyword_searches(file_logs, sensitive_keywords, threshold=5)

Detect Mass Report Export in Salesforce

Finally, Salesforce has been directly affected by attacks against the SaaS platform, so it would not be strange for attackers to attempt the tactics mentioned in this blog there as well. The following code snippet identifies whether a user is excessively exporting data from your Salesforce environment; the results should, however, be compared to the normal activity of those users.

def detect_mass_report_exports(logs, action_type='ReportExport', threshold=50):
    # logs: a DataFrame of Salesforce events with 'user' and 'action' columns.
    # The 'ReportExport' label is an assumption for this snippet; match it to
    # whatever your Salesforce event log export actually uses for report exports.
    export_logs = logs[logs['action'] == action_type]
    exports_per_user = export_logs.groupby('user').size()
    suspicious_users = exports_per_user[exports_per_user > threshold]

    if not suspicious_users.empty:
        print("⚠️ Mass report exports detected by the following users:")
        print(suspicious_users)
    else:
        print("✅ No unusual report export activity detected.")
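The snippet above counts exports against one fixed threshold, and the text notes that the counts should be compared with each user's normal activity. The example below is added here and is not code from the original post; it does that comparison against each user's own recent history (mean plus a multiple of the standard deviation over a baseline window, with an absolute floor) and reports users who have no history yet separately rather than silently skipping them. It uses only the Python standard library so it runs without pandas; the log layout, field names and sample rows are constructed for the example.

```python
# Added example (not from the original post): compare each user's export
# count on the day under review with that user's own recent baseline instead
# of a single global threshold. Standard library only, so it runs without
# pandas. Log format, field names and sample rows are constructed.
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample export log: (date, user), one row per report export.
SAMPLE_EXPORTS = (
    # dave exports three reports every working day, including the review day
    [(f"2024-11-{d:02d}", "dave") for d in (4, 5, 6, 7, 8) for _ in range(3)]
    # erin usually exports one report a day ...
    + [(f"2024-11-{d:02d}", "erin") for d in (4, 5, 6, 7)]
    # ... and exports twelve on the review day
    + [("2024-11-08", "erin")] * 12
    # frank has no history at all and exports six on the review day
    + [("2024-11-08", "frank")] * 6
)

def daily_counts(logs):
    """Return {user: {date: count}} from (date, user) rows."""
    counts = defaultdict(lambda: defaultdict(int))
    for day_text, user in logs:
        counts[user][date.fromisoformat(day_text)] += 1
    return counts

def detect_export_anomalies(logs, review_day, baseline_days=7,
                            min_history=3, sigma=3.0, min_floor=5):
    """Flag users whose export count on review_day is at least min_floor AND
    more than `sigma` standard deviations above their own mean over the
    preceding `baseline_days`. Users with fewer than `min_history` baseline
    days are returned in a second list so an analyst can look at them too."""
    review_day = date.fromisoformat(review_day)
    window_start = review_day - timedelta(days=baseline_days)
    flagged, no_baseline = [], []
    for user, per_day in daily_counts(logs).items():
        today = per_day.get(review_day, 0)
        history = [n for d, n in per_day.items() if window_start <= d < review_day]
        if len(history) < min_history:
            if today >= min_floor:
                no_baseline.append((user, today))
            continue
        mu, sd = mean(history), pstdev(history)
        # A perfectly regular user has a standard deviation of 0; a small
        # floor keeps the threshold meaningful instead of flagging any +1.
        threshold = mu + sigma * max(sd, 0.5)
        if today >= min_floor and today > threshold:
            flagged.append((user, today, round(mu, 2), round(threshold, 2)))
    return flagged, no_baseline

if __name__ == "__main__":
    flagged, no_baseline = detect_export_anomalies(SAMPLE_EXPORTS, "2024-11-08")
    for user, today, mu, threshold in flagged:
        print(f"{user}: {today} exports today vs baseline mean {mu} (threshold {threshold})")
    for user, today in no_baseline:
        print(f"{user}: {today} exports today, no baseline to compare against")
```

On the constructed sample, dave's three exports on the review day match his history and are not flagged, erin's twelve are flagged against a baseline of one per day, and frank is listed as "no baseline" because a user with no history is exactly the case a global threshold and a per-user baseline both handle badly. The sigma, floor and window values are starting points to tune against your own export volumes.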

Conclusion


SaaS platforms like Slack, SharePoint, and Salesforce have revolutionized business collaboration, but they have also opened the door to new types of attacks that traditional defenses overlook. Insider threats (whether malicious or accidental) pose a unique challenge because they operate with legitimate access, blending seamlessly into normal activity.

Without proactive monitoring and behavioral analysis, organizations risk missing these subtle indicators – allowing threats to escalate undetected. Integrating these detection techniques into a single-pane-of-glass monitoring system ensures that security teams can respond before data is compromised.

SaaS security is not just about setting permissions and hoping for the best – it’s about proactively hunting for threats within the ecosystem. Organizations that prioritize continuous monitoring, real-time anomaly detection and contextual analysis will not only mitigate insider risks but also gain the upper hand in defending their most valuable assets.

LAST UPDATED:

June 23, 2025
