
The Exploding Attack Surface: How SaaS Sprawl and Shadow IT Are Creating Enterprise Breaches

February 24, 2026


The SaaS Explosion Nobody Is Securing

The modern enterprise runs on SaaS. According to Zylo’s 2025 SaaS Management Index, the seventh edition of the industry’s longest-running SaaS spend and adoption report, the average company now operates 275 SaaS applications in its portfolio. Large enterprises with 10,000 or more employees average 660 distinct SaaS applications and spend roughly $284 million annually on SaaS alone. Every one of these applications stores corporate data, authenticates employees, and connects to other systems through APIs and integrations. And the uncomfortable reality is that IT security teams lack visibility into a substantial share of them.

Industry research consistently estimates that up to 65% of SaaS applications in enterprise environments are unsanctioned, adopted without IT approval, security review, or governance. A marketing manager signs up for a new design tool using their corporate email and Google OAuth. A sales team adopts a pipeline management tool and feeds it the entire customer database. An engineering team spins up a project management platform and connects it to GitHub, Slack, and Jira. Gartner estimates that 41% of employees acquire, modify, or create technology their IT departments are unaware of, a figure projected to reach 75% by 2027. Each of these actions, individually rational and productivity-enhancing, collectively creates an attack surface that no CISO has fully mapped.

This is not a theoretical risk. SaaS misconfiguration and shadow IT have become direct breach vectors in some of the highest-profile cybersecurity incidents of recent years. Obsidian Security’s 2025 SaaS Security Threat Report documented a 300% year-over-year surge in SaaS breaches, and AppOmni’s 2025 State of SaaS Security report found that 75% of organizations experienced a SaaS security incident within the past twelve months. The Microsoft Midnight Blizzard attack in late 2023 demonstrated how a single compromised OAuth application can cascade into a catastrophic breach. The emerging SaaS Security Posture Management (SSPM) market exists precisely because the traditional security perimeter has evaporated, replaced by a constellation of cloud applications that are simultaneously essential and ungovernable.


The Midnight Blizzard Case: When OAuth Becomes a Weapon

In January 2024, Microsoft disclosed that Midnight Blizzard (formerly Nobelium), the Russian state-sponsored threat actor behind the SolarWinds attack, had breached Microsoft’s corporate systems by compromising a legacy test OAuth application. The attack began in late November 2023. The attack chain was devastatingly simple. The threat actors identified a legacy non-production test tenant account that did not have multi-factor authentication enabled. Through password spraying attacks using residential proxies and a low volume of attempts to evade detection, they gained initial access. They then leveraged the compromised account to identify and exploit a legacy test OAuth application with elevated permissions, ultimately granting themselves the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.

Microsoft’s security team detected the intrusion on January 12, 2024, and the company publicly disclosed the breach on January 19. The scope expanded as Microsoft discovered that Midnight Blizzard had used the initial access to read emails containing authentication secrets, which were then used to access source code repositories and internal systems. Microsoft’s March 2024 update confirmed that the attackers had accessed email accounts of senior executives and employees in cybersecurity, legal, and other functions, and that stolen email contents were being used to attempt further unauthorized access.

The Midnight Blizzard case is a masterclass in why SaaS security is fundamentally different from infrastructure security. The compromised OAuth application was legitimate. It had been created for testing, was no longer in active use, yet remained connected with elevated permissions that nobody had reviewed, and it was reachable through a test tenant account that, critically, had no MFA. In a traditional security model, decommissioning a server removes its access. In the SaaS world, an OAuth token grants persistent access until it is explicitly revoked, and most organizations have no process or tooling for systematic OAuth permission reviews. Microsoft’s own post-incident analysis acknowledged that the attack exploited legacy applications and accounts that were not well monitored, a reality in any large organization.



The Anatomy of SaaS Sprawl Risk

The risk created by SaaS sprawl operates across four dimensions that compound each other. The first is orphaned accounts: when employees leave an organization or change roles, their accounts in shadow SaaS applications are rarely deprovisioned because IT does not know they exist. AppOmni’s research found that out of the average 256 distinct SaaS-to-SaaS applications in an enterprise environment, roughly 100 are no longer actively used yet retain the ability to access corporate data. Each dormant connection represents a potential entry point that will never trigger an access review.

The second dimension is over-permissioned OAuth tokens. When a SaaS application is connected to corporate systems via OAuth, it typically requests broad permissions. A project management tool might request read/write access to all Google Drive files, full access to Slack channels, and permission to send emails on behalf of the user. According to Nudge Security, the average employee issues 70 OAuth grants, many of which allow ongoing data sharing between SaaS applications and AI tools. Each of these grants represents a persistent API connection that bypasses traditional authentication controls, and the cumulative risk across an enterprise of thousands of employees is staggering.
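The two dimensions above, dormant grants and over-permissioned grants, are exactly what a quarterly OAuth review has to surface. The following is an added example written for this article, not code from any vendor or report named here. It triages a constructed grant inventory: a grant unused for more than 90 days is marked for revocation, an in-use grant from an unsanctioned app holding broad scopes is marked for review, and everything else passes. The field names, the scope strings in HIGH_RISK_SCOPES, the 90-day window, and the sample grants are all assumptions made for the example; a real deployment would map them to each provider’s actual scope names and to the SSPM export in use.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Scopes this example treats as high risk because they give an app broad,
# persistent reach into corporate data. The strings are illustrative
# (assumed for this example); map them to each provider's real scope names.
HIGH_RISK_SCOPES = {
    "drive.readwrite",      # read/write access to every Drive file
    "mail.send",            # send email on behalf of the user
    "channels:history",     # read all Slack channel history
    "full_access_as_app",   # Exchange Online role abused in the Midnight Blizzard case
}

DORMANT_AFTER = timedelta(days=90)   # one quarterly review cycle


@dataclass(frozen=True)
class Grant:
    app: str            # application that received the token
    user: str           # person who granted it
    scopes: frozenset   # scopes approved at consent time
    last_used: date     # last time the token was actually exercised
    sanctioned: bool    # whether the app went through IT/security review


def triage_grant(grant, today, dormant_after=DORMANT_AFTER):
    """Return (action, reasons) for one grant.

    revoke  - the token has not been used within the review window
    review  - in use, but unsanctioned and holding high-risk scopes
    ok      - in use and either sanctioned or narrowly scoped
    """
    reasons = []
    risky = sorted(grant.scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not grant.sanctioned:
        reasons.append("unsanctioned app")
    idle = today - grant.last_used
    if idle > dormant_after:
        reasons.append(f"unused for {idle.days} days")
        return "revoke", reasons
    if risky and not grant.sanctioned:
        return "review", reasons
    return "ok", reasons


def triage_grants(grants, today, dormant_after=DORMANT_AFTER):
    """Triage every grant; returns {action: [(app, user, reasons), ...]}."""
    result = {"revoke": [], "review": [], "ok": []}
    for g in grants:
        action, reasons = triage_grant(g, today, dormant_after)
        result[action].append((g.app, g.user, reasons))
    return result


def grants_per_user(grants):
    """How many OAuth grants each user has issued (the per-user sprawl figure)."""
    counts = {}
    for g in grants:
        counts[g.user] = counts.get(g.user, 0) + 1
    return counts


# Constructed sample inventory dated to this article; not real export data.
TODAY = date(2026, 2, 24)
SAMPLE_GRANTS = [
    Grant("design-tool", "alice@example.com",
          frozenset({"drive.readwrite", "profile"}), date(2025, 9, 1), False),
    Grant("pipeline-crm", "bob@example.com",
          frozenset({"contacts.read", "drive.readwrite"}), date(2026, 2, 20), False),
    Grant("pm-platform", "carol@example.com",
          frozenset({"repo", "channels:history"}), date(2026, 1, 15), True),
    Grant("legacy-test-app", "svc-test@example.com",
          frozenset({"full_access_as_app"}), date(2024, 11, 1), True),
    Grant("calendar-sync", "alice@example.com",
          frozenset({"calendar.read"}), date(2025, 10, 1), True),
]

if __name__ == "__main__":
    report = triage_grants(SAMPLE_GRANTS, TODAY)
    for action in ("revoke", "review", "ok"):
        for app, user, reasons in report[action]:
            print(f"{action:7} {app:16} {user:24} {'; '.join(reasons)}")
```

The ordering of the checks matters: dormancy is tested first, so a dormant grant is revoked regardless of whether the app is sanctioned, which is the rule the article’s quarterly-review step implies. A sanctioned app with broad scopes that is still in use (pm-platform above) passes triage but keeps its reasons attached, so the report still shows where the broad permissions sit.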

The third dimension is data sprawl. When employees adopt shadow SaaS applications, they inevitably move corporate data into environments without corporate security controls. Customer lists are uploaded to unauthorized CRM tools. Source code is pasted into AI coding assistants. Financial projections are shared through unsanctioned collaboration platforms. Metomic’s Google Drive Scanner analysis of approximately 6.5 million files found that 40% of Google Drive files contained sensitive data, and 34% of all files scanned had been shared with external contacts outside the company’s domain. Valence Security’s 2024 report found that 94% of external data shares are inactive, meaning no external user is actively accessing them, yet the access permissions remain open indefinitely.

The fourth dimension is SaaS-to-SaaS integration risk. Modern SaaS applications do not exist in isolation; they connect to each other through APIs, creating complex integration chains. AppOmni’s research documented that the average enterprise SaaS environment contains over 256 distinct SaaS-to-SaaS application connections, with an average of 900 user-to-application connections. Approximately half of these integrations were connected directly by end users, not IT administrators. A compromise of any single application in the chain can cascade through connected systems, creating a web of trust relationships that few organizations have mapped, let alone secured.
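Mapping the integration chains the paragraph above describes is a graph problem. The following is an added example written for this article, not code from AppOmni or any other vendor. It builds a directed graph from a constructed integration inventory (source app holds a token into target app, plus who connected it), then answers the two questions a defender asks: which apps a compromise of one application can reach through held tokens, and which apps hold a token into a given system. The inventory, the app names, and the tuple layout are assumptions made for the example.

```python
from collections import deque

# Constructed integration inventory for this example (not real export data).
# Each tuple is (source app, target app, connected_by): the source holds an
# OAuth token into the target, and connected_by records whether an end user
# or an IT admin established the connection.
SAMPLE_INTEGRATIONS = [
    ("pm-platform", "github", "user"),
    ("pm-platform", "slack", "user"),
    ("pm-platform", "jira", "admin"),
    ("pipeline-crm", "salesforce", "user"),
    ("pipeline-crm", "google-drive", "user"),
    ("slack", "google-drive", "admin"),
    ("jira", "confluence", "admin"),
    ("ai-assistant", "github", "user"),
    ("salesforce", "workday", "admin"),
]


def build_graph(integrations):
    """Adjacency map: app -> {downstream app: connected_by}."""
    graph = {}
    for src, dst, who in integrations:
        graph.setdefault(src, {})[dst] = who
        graph.setdefault(dst, {})
    return graph


def blast_radius(graph, compromised):
    """Every app reachable from `compromised` by following held tokens,
    with the shortest chain to each (breadth-first search)."""
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        app = queue.popleft()
        for downstream in graph.get(app, {}):
            if downstream not in paths:
                paths[downstream] = paths[app] + [downstream]
                queue.append(downstream)
    del paths[compromised]
    return paths


def inbound_exposure(graph, target):
    """Apps holding a token into `target`; each one is a route into it."""
    return sorted(src for src, dsts in graph.items() if target in dsts)


def user_connected_share(integrations):
    """Fraction of integrations established by end users rather than admins."""
    if not integrations:
        return 0.0
    return sum(1 for _, _, who in integrations if who == "user") / len(integrations)


if __name__ == "__main__":
    graph = build_graph(SAMPLE_INTEGRATIONS)
    for app, chain in sorted(blast_radius(graph, "pm-platform").items()):
        print(f"pm-platform compromise reaches {app:13} via {' -> '.join(chain)}")
    print("tokens into google-drive held by:", inbound_exposure(graph, "google-drive"))
    print(f"user-connected share: {user_connected_share(SAMPLE_INTEGRATIONS):.0%}")
```

In the sample data a compromise of the user-connected pm-platform reaches five other systems, two of them (google-drive and confluence) only through a second hop that no single consent screen ever showed the user. Running inbound_exposure over the systems that hold the most sensitive data is the quickest way to find which shadow apps would need to be cut off first.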


SSPM: The Emerging Defense Layer

SaaS Security Posture Management (SSPM) has emerged as the market response to SaaS sprawl risk. SSPM platforms connect to an organization’s SaaS applications via API, continuously scanning for misconfigurations, over-permissioned users, suspicious access patterns, and compliance violations. According to Frost & Sullivan, the SSPM market was valued at approximately $484 million in 2025 and is projected to exceed $3.5 billion by 2030, growing at a 48.7% compound annual growth rate, driven by the same CISOs who adopted cloud security posture management for infrastructure and are now applying the same logic to their SaaS layer.

Wing Security, an Israeli SSPM startup that raised $26 million in combined seed and Series A funding, exemplifies the category. Wing’s platform discovers all SaaS applications in use across an organization, including shadow IT, by analyzing SSO logs, email records, browser extensions, and OAuth grants. It then assesses the security posture of each application, identifies risky configurations, and provides remediation workflows. The platform’s discovery capability is its critical differentiator: you cannot secure what you cannot see.

AppOmni, which has raised $123 million in total funding through its Series C round led by Thoma Bravo, focuses specifically on the configuration and access management of sanctioned SaaS applications. Where Wing excels at shadow IT discovery, AppOmni provides deep security posture assessment for applications like Salesforce, Workday, ServiceNow, and Microsoft 365, where misconfiguration risk is high and the security implications of settings changes are complex. Adaptive Shield, acquired by CrowdStrike in November 2024 in a reported $300 million deal, extends CrowdStrike’s Falcon platform with unified SaaS security posture management. Nudge Security, Obsidian Security (which grew nearly 1,000% between 2021 and 2024 per Deloitte’s Fast 500), and Valence Security round out a competitive market that is rapidly being integrated into broader security platform plays.


Building a SaaS Security Program

Organizations facing SaaS sprawl need a structured approach that balances security with the productivity benefits that drive SaaS adoption in the first place. The first step is discovery: deploy an SSPM tool or conduct a manual audit to catalog every SaaS application in use, every OAuth grant, and every user account. Wing Security offers a free discovery scan that many organizations use as a starting point. The results are invariably eye-opening; most CISOs discover two to three times more applications than they expected.

The second step is governance framework establishment. This does not mean banning shadow IT, which is both futile and counterproductive. Instead, create a tiered approval process: Tier 1 applications handling sensitive data or connecting to core systems require full security review. Tier 2 departmental tools with limited data access require lightweight assessment. Tier 3 individual productivity tools with no corporate data require only registration. This tiered approach acknowledges reality while establishing visibility and control where it matters most.

The third step is continuous monitoring and hygiene. Implement automated OAuth permission reviews on a quarterly cycle, revoking grants for applications no longer in use. Integrate SaaS user provisioning and deprovisioning with HR systems so that employee departures trigger automatic account suspension across all known SaaS applications. Configure SSPM alerts for high-risk configuration changes in critical SaaS platforms. Conduct annual SaaS rationalization reviews to consolidate overlapping applications and reduce the total attack surface. With attackers capable of compromising and exfiltrating SaaS data in as little as nine minutes, according to Obsidian Security, real-time monitoring is no longer optional.
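The three steps above (discovery, a tiered governance framework, and hygiene tied to HR data) can be expressed as a small program run over the discovery output. The following is an added example written for this article, not a vendor’s tooling. It takes constructed discovery results, assigns each application to one of the three tiers described above, and reconciles every discovered account against the set of active employees so that departures, including the departed owner of a service account, produce a suspension list. The record layout, the lists of core systems and sensitive data classes, and the sample employees are assumptions made for the example.

```python
from dataclasses import dataclass

# Core systems whose connection promotes an app to Tier 1. Constructed list.
CORE_SYSTEMS = {"github", "salesforce", "workday", "microsoft-365"}
# Data classes that count as sensitive for tiering. Constructed list.
SENSITIVE_DATA = {"customer-pii", "source-code", "financials", "credentials"}


@dataclass(frozen=True)
class AppRecord:
    name: str
    data_classes: frozenset   # kinds of corporate data the app holds (empty = none)
    integrations: frozenset   # apps it holds OAuth tokens into
    accounts: frozenset       # accounts discovered in the app


def assign_tier(app):
    """Tier 1: sensitive data or a core-system connection (full security review).
    Tier 2: other corporate data (lightweight assessment).
    Tier 3: no corporate data (registration only)."""
    if app.data_classes & SENSITIVE_DATA or app.integrations & CORE_SYSTEMS:
        return 1
    if app.data_classes:
        return 2
    return 3


def tiered_inventory(apps):
    """Group app names by tier: {1: [...], 2: [...], 3: [...]}."""
    tiers = {1: [], 2: [], 3: []}
    for app in apps:
        tiers[assign_tier(app)].append(app.name)
    return tiers


def orphaned_accounts(apps, active_employees, service_owners):
    """Accounts to suspend: the person behind them (the user, or the named
    owner of a service account) is no longer active in the HR system."""
    plan = {}
    for app in apps:
        orphans = [acct for acct in sorted(app.accounts)
                   if service_owners.get(acct, acct) not in active_employees]
        if orphans:
            plan[app.name] = orphans
    return plan


# Constructed discovery results and HR data for this example.
SAMPLE_APPS = [
    AppRecord("pipeline-crm", frozenset({"customer-pii"}),
              frozenset({"salesforce", "google-drive"}), frozenset({"alice", "bob", "eve"})),
    AppRecord("pm-platform", frozenset({"project-plans"}),
              frozenset({"github", "slack", "jira"}), frozenset({"carol", "eve"})),
    AppRecord("legacy-test-app", frozenset(),
              frozenset({"microsoft-365"}), frozenset({"svc-test"})),
    AppRecord("design-tool", frozenset({"marketing-assets"}),
              frozenset(), frozenset({"alice", "frank"})),
    AppRecord("focus-timer", frozenset(), frozenset(), frozenset({"bob"})),
]
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}   # eve, frank and dan have left
SERVICE_OWNERS = {"svc-test": "dan"}           # every service account needs a named owner

if __name__ == "__main__":
    for tier, names in tiered_inventory(SAMPLE_APPS).items():
        print(f"Tier {tier}: {', '.join(names) or '(none)'}")
    for app, accts in orphaned_accounts(SAMPLE_APPS, ACTIVE_EMPLOYEES, SERVICE_OWNERS).items():
        print(f"suspend in {app}: {', '.join(accts)}")
```

Two design points carry the article’s lessons. An app with no corporate data still lands in Tier 1 if it holds a token into a core system (legacy-test-app above), because the connection, not the data, is what an attacker uses. And service accounts are reconciled through their human owner, so a test account whose owner has left shows up on the suspension list instead of persisting unnoticed.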

The lesson of Midnight Blizzard, and of every SaaS-related breach since, is that SaaS security cannot be an afterthought bolted on after adoption. It must be a continuous process woven into the fabric of how organizations adopt, manage, and govern their ever-expanding SaaS portfolios.



🧭 Decision Radar (Algeria Lens)

Dimension              Assessment
Relevance for Algeria  Medium — Algerian enterprises increasingly adopt SaaS tools (Microsoft 365, Google Workspace, CRM platforms); shadow IT risks are growing as employee SaaS adoption outpaces IT governance
Infrastructure Ready?  Yes — SaaS is cloud-delivered, so Algeria’s infrastructure supports adoption; SSPM tools are equally accessible
Skills Available?      Partial — cybersecurity professionals understand access control concepts, but SaaS security posture management and OAuth risk assessment are emerging specialties
Action Timeline        6-12 months — organizations should begin SaaS discovery audits and OAuth permission reviews as a first step toward governance
Key Stakeholders       CISOs and IT security teams, cloud administrators, compliance officers in banking and telecom, Algerian SaaS-adopting enterprises
Decision Type          Tactical

Quick Take: SaaS sprawl is a universal enterprise risk, not limited to Western markets. As Algerian organizations accelerate cloud adoption, the same shadow IT dynamics — unsanctioned apps, orphaned OAuth grants, unreviewed permissions — create growing attack surface. Starting with a SaaS discovery audit is a low-cost, high-impact first step.

