The Unseen Risks of SaaS: Why Token Abuse and Sprawl Demand a Proactive Cloud Security Strategy

Cloud adoption is accelerating quickly, with platforms like Microsoft 365 and Google Workspace serving as the foundation of modern business operations. These tools offer seamless collaboration, flexible access, and scalability. However, they also introduce an increasing number of attack vectors that traditional security measures often fail to catch.

As cybercriminals refine their tactics, IT and security teams must evolve their defenses in parallel. From token-based access abuse to the hidden risks of SaaS sprawl, identifying blind spots is essential for MSPs and IT leaders securing today’s cloud environments.

 

The Growing Threat of SaaS Sprawl

 

SaaS sprawl refers to the rapid and often unmanaged growth of software-as-a-service applications within an organization. According to the 2023 BetterCloud State of SaaSOps Report, the average business operates around 130 SaaS applications. Despite efforts to consolidate, usage continues to grow, with an 18 percent increase year over year.

Without centralized visibility and governance, every new application adds a potential vulnerability. When IT teams are unaware of which apps have been authorized or integrated, they cannot assess risk accurately. Some of these unknown apps may have excessive permissions, creating ideal opportunities for exploitation.

 

Microsoft 365 and Google Workspace Remain High-Value Targets

 

Due to their widespread use, Microsoft 365 and Google Workspace are frequent targets for threat actors. As of early 2024, Microsoft reported over 400 million paid commercial Office 365 seats, up from 382 million in 2023. Google Workspace currently supports more than 3 billion users worldwide.

 

These platforms store sensitive business data, financial records, user credentials, and internal communications. If compromised, they can serve as a launching point for phishing attacks, data exfiltration, or lateral movement within the organization.

 

OAuth Tokens Are Bypassing Traditional Security

 

Attackers increasingly rely on OAuth and refresh tokens to gain unauthorized access to cloud platforms. Unlike usernames and passwords, these tokens can remain valid even after a password reset. This allows attackers to maintain silent, persistent access for long periods of time.

 

A well-documented example is the Midnight Blizzard campaign (formerly known as Nobelium), which targeted Microsoft in late 2023. The attack was discovered in January 2024. Threat actors used compromised OAuth applications to bypass multi-factor authentication and avoid detection by standard security tools.

Attacks like this highlight a major gap in many cloud security strategies. Once a malicious application has been granted access and holds a valid token, most built-in controls fail to identify its activity as suspicious.

 

What Native Security Tools Often Miss

 

Even with their built-in protections, platforms like Microsoft 365 and Google Workspace are not designed to detect every threat. Common blind spots include:

  • Abuse of token-based access
  • Unauthorized third-party application installations
  • Dormant or shadow users with active permissions
  • Unusual user behavior across accounts
  • Lateral movement between cloud services

According to Gartner’s 2023 Market Guide for Email Security, organizations should evaluate the default security provided by cloud platforms and supplement it with third-party solutions to address more advanced threats.

 

Why Proactive Security Is Essential

 

Relying solely on logs, alerts, or user reports is no longer enough. A proactive approach to cloud security should include:

  • Ongoing monitoring of token activity and app permissions
  • Real-time insight into user behavior
  • Correlation between email and SaaS activity
  • Automated detection of suspicious API calls and privilege escalation
  • Enforced policies across all cloud applications

Detecting and responding to threats before they cause damage is now a core requirement, not a luxury.
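
As an added illustration (not BLOKWORX code), the sketch below audits an inventory of OAuth grants for the blind spots listed above: unapproved apps, broad permissions, dormant users, and refresh tokens that predate a password reset. The record schema, allow-list, threshold and sample data are assumptions constructed for the example; the scope names are Microsoft Graph permissions used as sample values.

```python
from datetime import datetime, timedelta

NOW = datetime(2025, 9, 1)              # fixed "today" so the run is repeatable
APPROVED_APPS = {"crm-sync"}            # assumed allow-list maintained by IT
BROAD_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
DORMANT_AFTER = timedelta(days=90)      # assumed dormancy threshold

# Constructed sample data in a hypothetical inventory schema.
USERS = {
    "alice": {"last_login": datetime(2025, 8, 30), "password_reset": datetime(2025, 8, 1)},
    "bob": {"last_login": datetime(2025, 2, 10), "password_reset": None},
}
GRANTS = [
    {"app": "crm-sync", "user": "alice", "granted": datetime(2025, 8, 15),
     "scopes": ["User.Read"]},
    {"app": "pdf-helper", "user": "alice", "granted": datetime(2025, 6, 1),
     "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"app": "crm-sync", "user": "bob", "granted": datetime(2024, 11, 5),
     "scopes": ["User.Read", "offline_access"]},
]

def audit_grant(grant, users, now=NOW):
    """Return the list of findings for one app-to-user OAuth grant."""
    user = users[grant["user"]]
    scopes = set(grant["scopes"])
    findings = []
    if grant["app"] not in APPROVED_APPS:
        findings.append("unapproved_app")
    if scopes & BROAD_SCOPES:
        findings.append("broad_scope")
    if now - user["last_login"] > DORMANT_AFTER:
        findings.append("dormant_user")
    # A refresh token (offline_access) issued before the last password reset
    # may still be valid, so the reset alone did not end this access.
    reset = user["password_reset"]
    if "offline_access" in scopes and reset and grant["granted"] < reset:
        findings.append("predates_password_reset")
    return findings

def audit(grants, users, now=NOW):
    """Map (app, user) to findings, omitting grants with nothing to report."""
    report = {}
    for g in grants:
        findings = audit_grant(g, users, now)
        if findings:
            report[(g["app"], g["user"])] = findings
    return report

if __name__ == "__main__":
    for key, findings in audit(GRANTS, USERS).items():
        print(key, findings)
```

Grants flagged as predates_password_reset are the ones to revoke explicitly, since the password change did not remove them.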

 

Join the Mission: Operation Shieldwall

 

To support MSPs and IT professionals in strengthening their SaaS and email security posture, BLOKWORX is hosting a live tactical webinar.

 

Webinar Details
Title: Operation Shieldwall: Fortifying Cloud and SaaS Cyber Defenses
Date: Wednesday, September 24, 2025
Time: 1:00 PM ET
Duration: 1 hour
Presented by: BLOKWORX Cybersecurity Experts

Step into a tactical briefing designed to help you secure your cloud perimeter. Explore the BLOKWORX Email Security strategy and uncover how phishing threats are evolving inside the inbox and beyond.

 

 

Final Thoughts

 

Cloud platforms have reshaped how businesses operate. Along with that transformation comes a new class of security challenges. Token abuse, SaaS sprawl, and cloud misconfigurations are often overlooked until a serious breach brings them to light.

You do not have to wait for that moment. Start securing your cloud environment today and stay ahead of the threats that traditional tools might miss.

 

 

References
BetterCloud. (2022, November 16). The 2023 State of SaaSOps report. BetterCloud Monitor. https://www.bettercloud.com/monitor/the-2023-state-of-saasops-report/
Chugh, R., Firstbrook, P., & Hinner, F. (2023, February 13). Market Guide for Email Security. Gartner.
Kass, D. H. (2024, April 18). CISA tells feds to mitigate Microsoft Midnight Blizzard. MSSP Alert. https://www.msspalert.com/news/cisa-tells-feds-to-mitigate-midnight-blizzard-spying
Microsoft. (2024, January 25). Midnight Blizzard: Guidance for responders on nation-state attack. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
Microsoft. (2024, January). Microsoft actions following attack by nation state actor Midnight Blizzard. Microsoft Security Response Center. https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
Microsoft. (2024). FY24 Q3 – Productivity and Business Processes Performance. Microsoft Investor Relations. https://www.microsoft.com/en-us/Investor/earnings/FY-2024-Q3/productivity-and-business-processes-performance
Office 365 for IT Pros. (2024, January 31). Office 365 reaches 400 million users. https://office365itpros.com/2024/01/31/office-365-reaches-400-million/
Patronum. (2025, May 28). Key Google Workspace statistics for 2025. https://www.patronum.io/key-google-workspace-statistics-for-2023
PRNewswire. (2022, November 16). BetterCloud report: SaaS adoption slows amidst application sprawl and shadow IT concerns. https://www.prnewswire.com/news-releases/bettercloud-report-saas-adoption-slows-amidst-application-sprawl-and-shadow-it-concerns-301679909.html
PRNewswire. (2024, July 18). The number of SaaS applications at companies declined for the first time in over a decade. https://www.prnewswire.com/news-releases/the-number-of-saas-applications-at-companies-declined-for-the-first-time-in-over-a-decade-302199899.html