In this episode of ThreatCast, hosted by Ru Campbell, Microsoft MVP and Microsoft Practice Lead at Threatscape, we’re joined by Keith Fleming, Principal Product Manager at Microsoft, to explore the evolving world of SaaS and app-to-app security. With Microsoft Defender for Cloud Apps as the anchor, this conversation reveals the unseen threats and the proactive measures IT teams can adopt to secure their environments from silent but dangerous breaches.
When Apps Attack: A New Threat Model for SaaS
What happens when there’s no malware, no user clicks a dodgy link, and yet your data still walks out the door? The answer lies in a growing risk vector: non-human identities and app-to-app communication.
As Keith explains, today’s threat landscape includes apps that are granted legitimate permissions—either by end users through OAuth consent phishing or by IT admins who unknowingly over-provision access. These apps, once authorised, can operate with alarming freedom, reading or modifying mailboxes, altering configurations, or exfiltrating data. This isn’t hypothetical; it’s actively happening.
“Attackers don’t break in anymore,” Keith warns, “they log in.”
Understanding Non-Human Identities and Overprivileged Apps
In Azure and Microsoft Entra, these non-human identities—such as service principals—act autonomously. When permissions are overly broad or unused secrets remain active, attackers can exploit these vulnerabilities without ever triggering endpoint defences.
Microsoft Defender for Cloud Apps helps surface these hidden risks through capabilities like:
App governance: Evaluates what permissions are granted, how they’re used, and flags overprivileged or dormant apps.
Connected apps: Offers visibility and signal enrichment from platforms like Microsoft 365, Google Workspace, and Salesforce.
Unified auditing and detection: Brings SaaS telemetry into Microsoft XDR for centralised monitoring and correlation.
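To make the app-governance criteria above concrete (unused broad permissions, dormant apps, secrets that remain active but unused), here is an added example, not Microsoft's code or the Defender for Cloud Apps implementation, that triages a constructed app inventory. The record layout, the permission names treated as high-impact and the 90-day dormancy threshold are assumptions.

```python
"""Flag overprivileged and dormant apps from a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: application permissions a defender would treat as high-impact (not exhaustive).
HIGH_IMPACT = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
DORMANT_DAYS = 90  # assumed threshold for "dormant"


@dataclass
class AppRecord:
    """One service principal as it might appear in an exported inventory (constructed shape)."""
    app_id: str
    display_name: str
    granted: set                      # application permissions consented to
    used: set                         # permissions actually exercised per audit data
    last_sign_in: Optional[date]      # None means never seen signing in
    active_secrets: int               # client secrets/certificates that are still valid
    secrets_last_used: Optional[date] # None means no credential use observed


def assess(app: AppRecord, today: date) -> list:
    """Return the findings for one app; an empty list means nothing to act on."""
    findings = []
    unused_high_impact = (app.granted - app.used) & HIGH_IMPACT
    if unused_high_impact:
        findings.append(f"overprivileged: granted but unused {sorted(unused_high_impact)}")
    if app.last_sign_in is None or (today - app.last_sign_in).days > DORMANT_DAYS:
        findings.append(f"dormant: no sign-in within {DORMANT_DAYS} days")
    if app.active_secrets and (
        app.secrets_last_used is None or (today - app.secrets_last_used).days > DORMANT_DAYS
    ):
        findings.append(f"stale credential: {app.active_secrets} active secret(s) unused for {DORMANT_DAYS}+ days")
    return findings


def triage(apps, today: date) -> dict:
    """Map app_id -> findings, keeping only apps that have at least one finding."""
    result = {a.app_id: assess(a, today) for a in apps}
    return {app_id: f for app_id, f in result.items() if f}


# Constructed sample: one healthy integration and one that matches every criterion.
SAMPLE_APPS = [
    AppRecord("ticket-bot", "Ticket Bot", {"User.Read"}, {"User.Read"},
              date(2025, 5, 30), 1, date(2025, 5, 30)),
    AppRecord("mailer-sync", "Mailer Sync", {"Mail.ReadWrite", "Mail.Send", "User.Read"},
              {"User.Read"}, date(2025, 1, 15), 2, None),
]
```

Running `triage(SAMPLE_APPS, date(2025, 6, 1))` reports only `mailer-sync`, with one finding for each of the three criteria; a real run would feed it the permission grants, sign-in and credential-usage data the page says app governance evaluates.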
From Visibility to Action: Governance, Detection, and Disruption
Visibility is only half the battle. Keith dives deep into the layered protections available:
Custom policies: Organisations can define specific threat conditions and automate actions, including disabling risky apps.
Built-in threat detection: Microsoft researchers feed real-world insights into out-of-the-box alerts for behaviours like inbox rule manipulation or legacy API abuse.
Automated attack disruption: When Defender has high confidence in a threat, it can pause malicious activity by disabling apps in real time, reducing impact and buying investigation time.
These features are designed not just for response, but to pre-emptively mitigate threats before data is lost.
Beyond Microsoft: Coverage Across SaaS Ecosystems
Ru and Keith explore how Defender for Cloud Apps isn’t limited to Microsoft’s ecosystem. Through app connectors, organisations gain posture management and threat detection for third-party platforms. Whether it’s DocuSign, ServiceNow, or Google Workspace, security signals are normalised and enriched, offering a comprehensive SaaS security posture.
Moreover, these signals can be ingested directly into SIEM tools like Microsoft Sentinel, providing flexibility for organisations at different stages of maturity.
The Power of Prioritisation with Exposure Management
Security teams today are stretched thin, and prioritisation is everything. Keith highlights how Microsoft Security Exposure Management integrates with Defender for Cloud Apps, offering attack path visualisations and helping teams focus on the most critical threats.
This capability transforms overwhelming recommendation lists into actionable insights. Combined with the SaaS Security Initiative, it ensures that non-human identities and app-to-app risks are treated with the same rigour as traditional endpoint or identity security.
Keith is clear: if you already own Microsoft 365 E5 licences, enabling app governance and connecting your SaaS apps is a low-effort, high-impact step.
Security teams must begin treating non-human identities with the same scrutiny as service accounts in legacy Active Directory environments. Whether it’s stale permissions, leaked client secrets, or unmonitored app activity, the threats are real and growing.
"Connect the apps. Get the signals. Reduce your privileges. Start securing your SaaS landscape."
Keith Fleming