The Anatomy of a Modern SaaS Breach: A Composite Walk-Through

The popular image of a security breach involves dramatic intrusion, malware, and a network defender racing to contain damage in progress. Real modern SaaS breaches, by contrast, are typically quiet. They unfold over weeks or months, exploit no zero-days, and produce no obvious anomalies in the network telemetry most security teams have invested in. The damage is real, but the texture of the incident is very different from the dramatic version.

The composite walk-through below describes how modern SaaS breaches typically unfold, drawn from patterns common across publicly disclosed incidents. The specifics vary, but the shape is recurrent enough to be useful as a reference.

Stage one: initial credential compromise

The breach begins with credential compromise of a single employee. The vector is rarely sophisticated — phishing, credential reuse from an unrelated breach, or a session hijack via an infostealer on a personal device. The compromised account is often a relatively junior employee whose credentials would not, on their own, provide access to materially sensitive data.

Multi-factor authentication may or may not be enrolled on the account. Where it is, attackers increasingly bypass it through real-time phishing kits that proxy MFA prompts, or through push-fatigue tactics that exploit the human at the end of the authentication chain. The 2025 Verizon DBIR documents the continued prevalence of credential-based initial access despite the broad availability of MFA.

Stage two: OAuth-based persistence

Once the attacker has interactive access, they routinely establish OAuth-based persistence by authorizing a malicious application to read mail, files, and calendars on behalf of the compromised user. The application may be one they previously registered with a major identity provider, often under an innocuous name. The OAuth consent flow runs to completion, the access token is issued, and the attacker now has persistent access to the user's data that survives password reset and session revocation.

This persistence mechanism is documented as a specific technique in the MITRE ATT&CK framework. It is also one of the most common detection failures in modern incident response, because the OAuth grant is a legitimate-looking transaction that does not trigger any of the alerts a security team is typically watching.

Stage three: reconnaissance and lateral expansion

With persistence established, the attacker reads through the compromised mailbox to understand the environment. The mail tends to reveal the SaaS applications the organization uses, the names of more senior people, and the workflows the team operates. From this reconnaissance, the attacker identifies higher-value targets — typically people with broader access to financial systems, source code, customer data, or executive communications.

Lateral expansion in modern SaaS breaches rarely involves the network-layer movements familiar from older incident narratives. The attacker simply uses the compromised identity to send legitimate-looking internal messages, gradually compromising additional credentials through highly contextualized phishing. The compromise spreads horizontally across the identity graph.

Stage four: data exfiltration

Data exfiltration in modern SaaS breaches is typically pull-based rather than push-based. The attacker downloads data through the legitimate SaaS APIs the compromised accounts have access to. From the SaaS vendor's perspective, the traffic is indistinguishable from normal use. Egress controls on the customer's network see nothing because the data is being pulled directly from the SaaS vendor's cloud.

The duration of the exfiltration phase varies widely. In some incidents the attacker is aggressive and extracts gigabytes of data within days. In others — particularly state-aligned actors — the extraction continues at a deliberate pace for months. The IBM Cost of a Data Breach Report consistently identifies long-running incidents as substantially more expensive than rapid ones.

Stage five: detection (eventually)

Detection in modern SaaS breaches frequently comes from outside the affected organization — a vendor noticing unusual traffic patterns, law enforcement reporting an external data dump, a customer reporting suspicious correspondence. Internal detection, when it occurs, typically comes from identity-layer anomalies rather than network or endpoint signals. An unusual OAuth grant, a previously unseen federation trust, or a credential being used from an unexpected geography is more likely to surface the incident than any network-based control.

What the composite implies

The recurring shape of these incidents implies a specific set of priorities. Continuous identity and OAuth visibility is more consequential than network-layer detection for a meaningful share of modern incidents. A broader analysis of SaaS breaches as identity failures develops this argument in more detail. The identity supply chain piece describes the structural fix.

From an operational perspective, the priority recommendations are: continuous OAuth grant monitoring, automated revocation workflows for unusual grants, and discovery of identities outside the primary IdP that may be involved in lateral expansion. Waldo Security's SaaS Discovery addresses these priorities directly.
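The identity-layer signals from stage five and the operational priorities above (grant monitoring plus an automated revocation decision) can be reduced to a small triage rule. The block below is an added illustration, not code from the original page or from Waldo Security; the event schema, the app inventory, the expected-country list and the audit records are constructed assumptions, and the scope names follow Microsoft Graph naming conventions.

```python
# Constructed identity-provider audit export (not from any real tenant): one
# record per OAuth consent grant or sign-in. Field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "consent_grant", "ts": "2025-03-02T09:14:00Z", "user": "j.doe@example.test",
     "app_id": "app-0001", "app_name": "Corp Expense Tool", "publisher_verified": True,
     "scopes": ["User.Read"], "country": "US"},
    {"type": "consent_grant", "ts": "2025-03-02T22:47:00Z", "user": "j.doe@example.test",
     "app_id": "app-7781", "app_name": "Mail Sync Helper", "publisher_verified": False,
     "scopes": ["Mail.Read", "Files.Read.All", "offline_access"], "country": "US"},
    {"type": "sign_in", "ts": "2025-03-03T03:05:00Z", "user": "j.doe@example.test",
     "app_id": None, "country": "RO"},
]

# Assumed tenant baseline: the reviewed app inventory, the scopes that grant
# durable mailbox/file access, and the countries the workforce signs in from.
APPROVED_APPS = {"app-0001"}
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "offline_access"}
EXPECTED_COUNTRIES = {"US", "GB"}


def score_event(ev):
    """Return the list of review reasons for one event (empty when benign)."""
    reasons = []
    if ev["type"] == "consent_grant":
        if ev["app_id"] not in APPROVED_APPS:
            reasons.append("app not in approved inventory")
        risky = HIGH_RISK_SCOPES & set(ev["scopes"])
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if not ev.get("publisher_verified"):
            reasons.append("unverified publisher")
    if ev.get("country") and ev["country"] not in EXPECTED_COUNTRIES:
        reasons.append("unexpected geography: " + ev["country"])
    return reasons


def triage(events):
    """Return (findings, revoke): every event needing review as
    (user, app_id, ts, reasons), and the (user, app_id) grants that meet the
    auto-revoke threshold: an unapproved app holding a high-risk scope."""
    findings, revoke = [], set()
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings.append((ev["user"], ev["app_id"], ev["ts"], reasons))
        if (ev["type"] == "consent_grant"
                and ev["app_id"] not in APPROVED_APPS
                and HIGH_RISK_SCOPES & set(ev["scopes"])):
            revoke.add((ev["user"], ev["app_id"]))
    return findings, revoke
```

In a live pipeline the `revoke` set would feed the IdP's grant-revocation API and the `findings` list the analyst queue; the sign-in from an unexpected country is surfaced for review but does not by itself trigger revocation.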

For an analysis of the OAuth grants and identity-side exposures currently present in your environment, a working demonstration is available on request.
