
SaaS-to-SaaS Third-party Integrations in Microsoft 365

As organizations migrate to Microsoft 365 as their chosen SaaS-based productivity suite, they look to leverage pre-built and custom integrations to maximize its benefits. Employees can connect their Office 365, Exchange, SharePoint, Teams and other services with third-party vendors by consenting to third-party apps through OAuth tokens and/or Microsoft AppSource applications. These applications help with anything from scheduling meetings and optimizing the inbox to integrating analysis tools into Microsoft Word, Excel or PowerPoint.

In addition, administrators can configure organizational apps through the Enterprise Applications, App Registrations and Azure Active Directory App Gallery functionalities; these apps can be granted access to the Microsoft 365 services above and to others, such as Azure Active Directory, via the Microsoft Graph API and other APIs. Lastly, citizen developers can use the built-in no/low-code development platforms such as Microsoft Power Platform, Microsoft Power Apps, Microsoft Power Automate and Microsoft Flows to automate business workflows by integrating multiple data sources.

Securing Non-human Microsoft 365 Third-party Integrations

While Microsoft 365 is inherently secure, third-party vendors that access it through these methods can be a weak link. Inherently risky or over-privileged OAuth tokens and similar integrations can be exploited to gain the keys to the kingdom, placing Microsoft 365 customers at risk of data breaches and account exposure.

Supply chain access attacks against Microsoft 365 are not properly covered by existing security approaches such as IdP (Identity Providers), CASB (Cloud Access Security Broker) and SSPM (SaaS Security Posture Management) solutions that focus on human-to-SaaS access controls and neglect the critical growing non-human SaaS-to-SaaS third-party integration layer.

Microsoft 365 Supply Chain Risks

The rising adoption of strong authentication methods such as MFA reduces the effectiveness of hijacking human user credentials. As attackers realize that “conservative” phishing campaigns are less attractive, they are resorting to new creative phishing methods such as OAuth Consent Phishing attacks. Many security experts, and Microsoft itself, continuously warn about this growing risk surface. In recent examples, such as the APT TA2552 campaign and the SANS Institute breach, attackers leveraged OAuth Consent Phishing to gain permissions that allowed them to create inbox forwarding rules and read and write both emails and calendar items of the employees of hundreds of organizations.

During the SolarWinds attack campaign, attackers targeted non-human identities as a prime target for unauthorized access and privilege escalation. Specifically, they manipulated OAuth certificates to maintain existing access or gain additional privileges such as email access, since they had identified that such OAuth apps are less monitored and accessing them can go “under the radar”. In addition, they breached Mimecast, a leading email security provider, to gain unauthorized access to Microsoft 365 tenants and sensitive emails of Mimecast customers.

How Can Valence Help Secure Your Microsoft 365?

Valence seamlessly integrates with your Microsoft 365 environment and helps you discover your SaaS mesh attack surface and manage the risks associated with it:

  • Discover all your third-party integrations that connect to Microsoft 365 such as OAuth tokens, Enterprise applications and self-registered applications
  • Analyze the scope of access and actual usage of SaaS-to-SaaS connections to remove over-privileged and inactive integrations
  • Uncover the third-party vendors that were granted access tokens to ensure alignment with vendor risk management and TPRM programs
  • Monitor API calls made by third-party apps to detect potential abuse, compromise or API takeover attacks against your critical data
  • Map all the direct and indirect data flows configured in Microsoft Power Platform, through Microsoft Power Automate and Power Apps, that could potentially expose sensitive data and PII
  • Automate workflows to ensure effective remediation and communication with end users and business owners in the modern distributed IT environment
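One way a defender can perform the discovery and scope analysis described in the first two bullets, as an added example that is not Valence's code: it triages records shaped like Microsoft Graph oauth2PermissionGrant objects, flagging grants that carry mail and mailbox-rule scopes (the permissions abused in the consent phishing cases above) and grants with no recent API activity. The sample grants, service principals and last-seen timestamps are constructed, and the last-seen data is assumed to come from your own audit or sign-in logs.

```python
from datetime import datetime, timedelta, timezone

# Scopes that let an app read/send mail, change mailbox rules (MailboxSettings.ReadWrite
# governs inbox rules), or write directory/file data tenant-wide.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Directory.ReadWrite.All", "Files.ReadWrite.All",
}

# Constructed sample records shaped like Microsoft Graph
# /servicePrincipals and /oauth2PermissionGrants responses.
SERVICE_PRINCIPALS = {
    "sp-1": {"displayName": "Meeting Scheduler (sample)"},
    "sp-2": {"displayName": "Inbox Optimizer (sample)"},
    "sp-3": {"displayName": "Excel Analysis Add-in (sample)"},
}
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-7",
     "scope": "Calendars.ReadWrite User.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.ReadWrite MailboxSettings.ReadWrite offline_access"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-9",
     "scope": "Files.Read User.Read"},
]
# Last observed Graph call per app; assumed to come from your own audit or
# sign-in logs (constructed timestamps). NOW is the constructed review date.
LAST_SEEN = {
    "sp-1": datetime(2022, 6, 1, tzinfo=timezone.utc),
    "sp-2": datetime(2022, 6, 20, tzinfo=timezone.utc),
    "sp-3": datetime(2021, 11, 3, tzinfo=timezone.utc),
}
NOW = datetime(2022, 7, 1, tzinfo=timezone.utc)

def triage_grants(grants, sps, last_seen, now, inactive_days=90):
    """Return {app display name: [findings]} for over-privileged or inactive grants."""
    findings = {}
    for g in grants:
        name = sps[g["clientId"]]["displayName"]
        issues = []
        risky = sorted(set(g["scope"].split()) & HIGH_RISK_SCOPES)
        if risky:
            # AllPrincipals means an admin consented on behalf of every user in the tenant.
            reach = "tenant-wide" if g["consentType"] == "AllPrincipals" else f"user {g['principalId']}"
            issues.append(f"high-risk scopes {risky} granted {reach}")
        seen = last_seen.get(g["clientId"])
        if seen is None or now - seen > timedelta(days=inactive_days):
            issues.append(f"no API activity in {inactive_days} days; revoke the grant")
        if issues:
            findings[name] = issues
    return findings
```

Run `triage_grants(GRANTS, SERVICE_PRINCIPALS, LAST_SEEN, NOW)` to get the per-app findings; the active calendar app produces none, the tenant-wide mail app is flagged as over-privileged, and the dormant add-in is flagged for revocation.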
