2025 continues with (another) big data breach. This time, it involves a lot of big companies, including Google and Cloudflare. Of course, we are talking about supply chain risks following the (continuing) fallout from the Salesloft breach, in which the attacker used a third-party tool to get past security. We have seen a lot of supply chain attacks since 2020, including spectacular ones like the 2020 SolarWinds attack, where the attackers were able to break into various US government departments, including the Treasury Department. While SaaS adoption has a lot of plus points, it also introduces vulnerabilities that attackers can exploit. To put it bluntly, you know your own systems are secure. But can you say the same about the third-party systems integrated into your network environment?
Risks to watch out for
These are the primary risks associated with SaaS deployments:
| Category | Risk | Cause / Contributing Factors |
|---|---|---|
| Identity & Access Risks | Account Takeover (ATO) | Weak/missing MFA, MFA fatigue, credential reuse, token/session hijacking. |
| Identity & Access Risks | Privilege Creep | Access not revoked for entities such as ex-employees, contractors, or vendors after their association or task has ended. |
| Identity & Access Risks | Insider Threats | Malicious or negligent insiders using legitimate SaaS credentials. |
| Data Security Risks | Data Leakage / Oversharing | Misconfigured sharing settings and poor role-based access control. |
| Data Security Risks | Ransomware in SaaS | Stolen credentials used to encrypt/exfiltrate data in SaaS apps (e.g., M365, Google Workspace). |
| Data Security Risks | Shadow AI (GenAI SaaS use) | Employees using unapproved GenAI tools, risking data exfiltration or regulatory breaches. |
| Application & Vendor Risks | Shadow IT (unsanctioned apps) | Employees procuring SaaS apps without IT/security approval; lack of centralized monitoring. |
| Application & Vendor Risks | Third-Party / Supply Chain Exposure | SaaS apps integrating with vendors, plugins, and partners without thorough vetting; over-permissioned API tokens. |
| Application & Vendor Risks | API Abuse | Overly permissive integrations, unsecured APIs, insufficient monitoring of third-party access. |
| Governance & Compliance Risks | Visibility Gaps | Lack of SaaS Security Posture Management (SSPM) tools; incomplete SaaS asset inventory. |
| Governance & Compliance Risks | Insecure SaaS Configurations | Default security settings left unchanged (no MFA, weak password policies). |
| Governance & Compliance Risks | Compliance Gaps (GDPR, HIPAA, PCI) | Vendors failing to meet regional compliance. |
| Governance & Compliance Risks | Data Residency / Sovereignty Risks | Storing data in jurisdictions with conflicting or weak privacy laws. |
QKS Group’s senior security analyst Sanket Kadam explains, “The fundamental challenge lies in the blind trust extended to third-party vendors and connectors, many of which hold privileged but invisible access through APIs, SSO, and admin rights. Compromising just one integration can cascade into thousands of customer environments, as seen with Salesloft and past incidents like SolarWinds.”
Uniquely dangerous
We have seen the risks; now let us see what makes supply chain attacks unique. The first is the scale, as we have seen in the cases of Salesloft Drift and the SolarWinds attack in 2020. In simpler words, the bad actors just have to compromise a single vendor, SaaS provider, or software update to expand into thousands of customer environments. To put it into numbers, the Salesloft attack has so far claimed victims from fourteen companies, and the list is still growing. This puts companies that did nothing wrong except use the compromised asset in the firing line. The second issue is more related to humans: trust. Enterprises usually trust their vendors, partners, and SaaS providers. Attackers exploit this trust channel to bypass defenses and push malicious content. The third point is about vendor risk. Just how many companies have we seen being used as an attack vector in 2025 alone? In addition, SaaS vendors often have deep but invisible access, such as APIs, SSO, and admin rights. This access is hard to inventory and monitor, making blind spots inevitable. All these factors make supply chain attacks unique.
Attack evolution and fallout:
As we have seen in many previous incidents, the bad actors are using third-party software updates as attack vectors. The updates are genuine, but they also contain something extra that will blow up in the victims' faces. The attackers are increasingly focusing on open-source libraries and SaaS connectors. As stated above, one compromised asset lets them reach many victims at once. This is also the reason why providers like MSPs and MSSPs are becoming a favorite target: all the bad actors need to do is compromise one service to land multiple enterprise victims. The fallout from just one such incident includes disruption of the victims' operations, regulatory scrutiny, and damage to the victims' reputations.
The way out:
Sanket warns, “Organizations must enforce zero trust not just internally but across their SaaS ecosystem, continuously monitor third-party entitlements, and demand deeper visibility through tools like SSPM and SBOMs. Without this shift, the attack surface will continue to expand faster than defenses can adapt.”
Now that we have seen the problems, let us discuss the solutions.
- Continuous assessments: Instead of one-and-done vendor risk vetting, make it a continuous process. Continuous monitoring is also a better option than security questionnaires.
- Obtain SBOMs: Having a software bill of materials is essential for gaining more visibility into software dependencies.
- Zero-trust adoption: Adopt zero trust across the enterprise and extend it to the access granted to third-party integrations and APIs.
- Contractual controls: Ensure that agreements with vendors include comprehensive disclosure requirements and security SLAs.
- Extensive wargaming: Rehearsing supply chain incidents helps to form comprehensive mitigation plans before a real incident occurs.
Final word:
Your supply chain is no longer an external asset; it is now an extension of your attack surface. So, as in any threat landscape, trust is a liability. It is imperative to move to trust by verification rather than trust by default. In a hyperconnected ecosystem such as a SaaS environment, you are only as safe as the vendor with the weakest security.