Share This:

Guest User Accounts that SaaS application providers make available to organizations, are becoming a major security issue that managed service providers (MSPs) are arguably in the best position to resolve.

A report published this week by SaaS Alerts, a provider of a platform that MSPs use to secure software-as-a-service (SaaS) applications, finds that a full 42 percent of more than 129,000 monitored SaaS accounts are Guest User Accounts that many organizations forget to turn off.

Cybercriminals now routinely employ stolen credentials to access those accounts to both exfiltrate data and distribute malware via what appears to be just another trusted user of that SaaS application.

OAuth may provide opportunities for cybercriminals

More troubling still, organizations that make use of the OAuth protocol to provide access to multiple applications, may find that files loaded with malware are being shared across disparate applications. This makes it easier for cybercriminals to deliver malware when they use a fraudulent account registered with an OAuth provider. According to the report, the most widely used SaaS platforms are Office 365 and Google Workspace, with Zoom, Google Chrome, Azure VM Managed Backup, OneDrive for Slack, and Avanan email security being the third-party applications most widely integrated with those platforms.


Many organizations assume their data is secure, simply because an application is being maintained by a third-party. However, just like any other cloud service, the responsibility for securing SaaS applications is shared. Once credentials are compromised, a cybercriminal not only gains access to all the data in that application; they also can start to distribute malware via those applications.

Increased awareness from leaders is a must

MSPs that have multiple customers are typically in a better position to identify, and ultimately prevent, this abuse of credentials for Guest User Accounts that result in some clearly anomalous behavior they can track. The biggest challenge is making the leaders of organizations aware of just how easy it is for cybercriminals to compromise SaaS applications using malware to launch, for example, a ransomware attack.

There’s a tendency to assume that the provider of the SaaS application has secured the platform on their behalf when in truth the responsibility for managing credentials lies with the entity consuming those applications.

Shifting focus to the most employed exploits will lead to stronger security

While there’s always a lot of attention paid to the discovery of zero-day vulnerabilities, the simple fact of the matter is cybercriminals prefer to focus their efforts on comparatively low-hanging vulnerabilities that are much easier to exploit. It doesn’t make much sense to go to the trouble of injecting malware into an application when it can just as easily be distributed via a file that looks as innocuous as any other. MSPs that focus on discovery and remediation of the most employed exploits will find that the IT environments they are tasked with protecting will be secure.

There is, of course, no such thing as perfect security. The goal has always been to minimize the risk to the point where it’s tolerable for the average business to function. Ransomware attacks in recent years have, naturally, made achieving that level of security more challenging to maintain but, often with a little help from an MSP most organizations continue to successfully operate.

Photo: smx12 / Shutterstock

Share This:
Mike Vizard

Posted by Mike Vizard

Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike blogs about emerging cloud technology for Smarter MSP.

Leave a reply

Your email address will not be published. Required fields are marked *