The UK mid-market has, broadly, made significant cybersecurity progress over the last five years. Most firms in the 250-to-2,000-employee range now have endpoint protection, MFA on critical applications, regular vulnerability scanning, and at least informal incident response playbooks. The cyber insurance market — which underwrites most of these firms — has driven baseline maturity that did not exist a decade ago.
What insurance has not driven, and what most internal IT teams in this segment do not have visibility into, is the SaaS attack surface that exists outside the IT-managed perimeter. The risk that this represents is no longer theoretical. We see it manifest in client engagements regularly enough to be confident it is mainstream rather than edge-case.
How shadow SaaS gets into your business
The growth of consumer-grade SaaS purchasing — short signup flows, monthly billing on credit cards, instant deployment — has made it trivially easy for any employee to introduce new tooling into the business. A marketing manager signs up for a content optimisation platform. An HR coordinator subscribes to a candidate scheduling service. A sales operations analyst adopts a CRM analytics overlay. None of these go through IT procurement. None require security review. All of them have full or partial access to corporate data the moment they are connected.
The integration mechanics are what make this consequential. Modern SaaS applications integrate with each other through OAuth — a workflow where the user, by clicking “Allow”, grants the new application access to their existing accounts (their email, their calendar, their CRM, their files). The grant is made by a single user, but its effect can be organisation-wide: once the OAuth scope includes mailbox access, the new application can read every email that user can read, including emails containing customer data, financial information, or contractual content.
Most users do not read OAuth permission requests. The grant happens in seconds. The new application now holds a token that allows persistent access to corporate data, indefinitely, with no further user interaction.
In a mid-market firm with 800 employees, we have routinely found 200 to 500 such integrations active in Microsoft 365 alone, of which the IT team was aware of fewer than 30.
The breach pattern
The attack chain that makes this consequential is not novel. Adversaries identify SaaS providers that are likely to be integrated with their target organisations. They compromise the SaaS provider — often through credential stuffing against the provider’s own authentication, often through a vulnerability in the provider’s stack, occasionally through the provider’s own internal security failures. They then use the OAuth tokens the SaaS holds to access the SaaS provider’s customers’ data — including the customer’s mailboxes, files, and integrated services.
The customer typically does not know they are exposed. The SaaS breach is not their breach, and the breach notification regulations only sometimes capture it. The customer’s data is exfiltrated through a path that does not appear in the customer’s logs, because the access is via legitimate OAuth tokens to legitimate APIs.
We have advised on three engagements in the last six months where this was the attack path. In each case, the affected mid-market firm did not initially understand how customer data had been accessed. In each case, the SaaS provider’s own breach disclosure was several weeks behind the actual exfiltration.
What is actually visible — and what isn’t
Microsoft 365 environments expose enterprise application consents through the Entra ID admin centre. Most IT teams in the mid-market do not regularly review this surface. When they do — as part of an audit, or after an incident — they routinely find OAuth grants from former employees, applications that have not been used in months, and integrations to providers the IT team cannot identify.
Google Workspace environments expose similar visibility, with comparable patterns of underuse.
What is harder to surface is the SaaS that is not OAuth-integrated — the standalone applications that hold corporate data without integrating with the identity provider. These appear in expense reports, credit card statements, and email confirmations, but rarely in any centralised inventory. The most thorough way to surface them is to cross-reference card spending against the IT-managed application portfolio. Most mid-market firms do not have the operational discipline to run this exercise.
Practical remediation
The most immediate step is the OAuth review: pull the list of consented enterprise applications from the identity provider, classify them by use and risk, and revoke the ones that are unused, unowned, or unjustified. This is a half-day exercise in most environments and produces immediately useful results.
The second step is to constrain future grants. Microsoft 365 and Google Workspace both support admin consent workflows that prevent users from granting OAuth access to new applications without IT review. Enabling this is a configuration change that takes minutes. Most firms have not made it because the default — user self-service — is more convenient.
The third step is ongoing — instrumenting visibility into the SaaS surface so that new applications are surfaced as they appear, rather than discovered during the next breach response. This usually requires either a CASB-class capability or a SaaS security posture management (SSPM) tool. The mid-market segment has, until recently, been underserved by these categories; the tooling is now available at price points that make sense for firms of this size.
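As an added illustration of the first step above (example code written for this article, not Mellivor's tooling or anything from the page), the following Python triages an export of Entra ID OAuth grants into revoke, review and keep buckets. The records mirror the shape of Microsoft Graph oauth2PermissionGrant objects joined with app and user details, but are constructed inline; the high-risk scope list, the 90-day staleness threshold and the field names are assumptions to adjust for your tenant.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Delegated scopes that reach mail, files or directory data (assumed list for this example).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "Sites.Read.All", "Directory.Read.All"}
STALE_DAYS = 90  # assumed threshold: no app sign-in for a quarter counts as unused
TODAY = date(2024, 6, 10)  # constructed reference date for the sample below


@dataclass
class Grant:
    """One oauth2PermissionGrant joined with its app registration and granting user."""
    grant_id: str
    app_name: str
    consent_type: str                  # "AllPrincipals" (admin-wide) or "Principal" (one user)
    scope: str                         # space-separated, as Graph returns it
    verified_publisher: bool           # app registration carries a verified publisher
    principal_enabled: Optional[bool]  # granting user's accountEnabled; None for admin-wide grants
    last_used: Optional[date]          # latest sign-in by the app; None = never seen


def classify(g: Grant, today: date) -> tuple:
    """Return (action, reason); the order of checks sets priority."""
    if g.consent_type == "Principal" and g.principal_enabled is False:
        return "revoke", "granting account disabled (former employee)"
    if g.last_used is None or (today - g.last_used).days > STALE_DAYS:
        return "revoke", f"no sign-in activity in {STALE_DAYS} days"
    if not g.verified_publisher:
        return "review", "unverified publisher; identify the owner before keeping"
    risky = sorted(set(g.scope.split()) & HIGH_RISK_SCOPES)
    if risky:
        return "review", "high-risk scopes: " + ", ".join(risky)
    return "keep", "active, identifiable, low-risk scopes"


def triage(grants, today):
    """Map grant id -> (action, reason) for a whole export."""
    return {g.grant_id: classify(g, today) for g in grants}


# Constructed sample grants: fictitious apps, no real tenant data.
SAMPLE = [
    Grant("g1", "Content Optimiser", "Principal", "Mail.Read User.Read", True, False, date(2024, 5, 2)),
    Grant("g2", "Scheduler", "Principal", "Calendars.ReadWrite User.Read", True, True, date(2024, 1, 10)),
    Grant("g3", "CRM Overlay", "AllPrincipals", "Mail.ReadWrite Files.Read.All", True, None, date(2024, 6, 1)),
    Grant("g4", "Unknown Tool", "Principal", "User.Read", False, True, date(2024, 6, 3)),
    Grant("g5", "Ticketing", "Principal", "User.Read offline_access", True, True, date(2024, 6, 4)),
]

if __name__ == "__main__":
    for gid, (action, why) in triage(SAMPLE, TODAY).items():
        print(f"{gid}: {action:6} {why}")
```

The script only recommends; revoking is still done in the Entra admin centre or through Graph, and an access token already issued to the app stays valid until it expires, so treat revocation as a removal of future access rather than an instant cut-off.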
What to do this week
If you have not reviewed your enterprise OAuth grants in the last 90 days, that is the action. The output will be uncomfortable. It will also be the most valuable security action your team takes this month.
The shadow SaaS attack surface is the gap that mid-market enterprises have systematically failed to close. Closing it is straightforward. The first step is admitting it exists.
Mellivor works with UK mid-market enterprises on SaaS security posture, identity governance, and external attack surface visibility. To discuss your SaaS exposure, contact our advisory team.