VYPR
advisoryPublished Jul 6, 2026· 1 source

SaaS Security Report Reveals Pervasive Risks from Unmanaged Guest Accounts and Weak MFA

Kaseya's 2026 SaaS Security Report highlights significant risks from unmanaged guest accounts, weak MFA, and insecure OAuth implementations in SaaS environments.

Organizations are increasingly relying on Software-as-a-Service (SaaS) platforms for critical business operations, but a new report from Kaseya reveals a landscape fraught with significant security vulnerabilities. The 2026 SaaS Security Report: Closing the Unmanaged Trust Gap, highlights that unmanaged guest accounts have ballooned to comprise 69% of monitored SaaS accounts in 2025, outnumbering licensed users by more than two to one. These accounts, often created for temporary access for contractors, suppliers, and partners, frequently remain active long after their necessity has passed, creating overlooked and potentially privileged access paths for cybercriminals.

These dormant guest accounts present a substantial expansion of the attack surface. Attackers can exploit them through credential stuffing, password spraying, and other common techniques. The report emphasizes that AI-assisted enumeration tools are making these attacks more efficient, allowing threat actors to quickly identify active guest accounts, probe for weaknesses, and gain entry through these neglected digital doorways. The implications are severe, as these guest accounts often carry the same permissions as internal employees, including privileged access, making them prime targets for compromise.

Adding to the risk, the widespread adoption of OAuth integrations for AI assistants, automation tools, and collaboration platforms further broadens the attack surface. These integrations allow third-party applications to access sensitive business data, including emails, cloud storage, and messaging platforms, by leveraging existing work account credentials. While convenient, these OAuth connections grant broad permissions that can persist even after a user changes their password or the initial integration is no longer needed. If a connected application is malicious or compromised, attackers can maintain persistent access through OAuth tokens without ever needing to steal user credentials, making detection exceedingly difficult.

Compounding these issues is the persistent problem of weak multi-factor authentication (MFA) adoption. The report found that 56% of monitored end-user accounts had MFA disabled or inactive, and a mere 27% of organizations enforced MFA policies across their SaaS environments. Accounts protected solely by passwords remain highly vulnerable to phishing, credential theft, and password reuse attacks. Once compromised, these accounts allow attackers to operate as legitimate users within SaaS applications, significantly increasing the risk of business email compromise, fraud, and unauthorized access to sensitive data.

External file sharing, while essential for collaboration, also contributes to persistent data exposure. Cloud platforms and AI assistants facilitate easy sharing of files across organizational boundaries, but this often leads to sensitive business information remaining accessible due to outdated permissions, unmanaged guest accounts, or orphaned sharing links. These links, frequently created for temporary projects, can remain active indefinitely, allowing former contractors, partners, or anyone with the original URL to retain access to confidential data long after collaboration has ended.

The report also points to the challenge of trusted infrastructure undermining login detection. The rise of remote work, outsourcing, and global collaboration means legitimate logins can originate from a wide range of locations and IP addresses, including VPNs, proxy networks, and cloud infrastructure. This makes it difficult for security controls to distinguish between normal business activity and malicious logins originating from compromised accounts or threat actors attempting to blend in.

Finally, the sheer volume of security alerts generated by SaaS environments overwhelms many security teams. The report noted nearly 279 million medium- and critical-severity alerts in 2025 alone. Service principal logins, used by applications and automation tools, have become a common source of critical alerts. If compromised, these non-human identities can provide attackers with persistent, hard-to-detect access. Jim Lippie, chief product officer at Kaseya, emphasized that "AI-emboldened threat actors see one interconnected attack environment, whereas most organizations defend their infrastructure in pieces." He concluded that "The most resilient organizations will be those that embrace continuous monitoring, identity governance and automated response as foundational requirements."

Synthesized by Vypr AI