SaaSquatting
SaaSquatting (short for SaaS Squatting) is a cybersecurity threat where malicious actors register available account names, tenants, or subdomains on legitimate Software-as-a-Service (SaaS) platforms to impersonate a specific organization or brand.
Unlike traditional cybersquatting, which involves registering look-alike domain names (like g0ogle.com), SaaSquatting exploits the first-come, first-served namespaces that cloud services hand out to their customers. Attackers claim names on trusted platforms (such as Amazon Web Services (AWS), GitHub, Salesforce, Slack, or Atlassian) that the target company has never claimed, has abandoned, or has neglected to monitor. The attacker then borrows the vendor's reputation and technical authority (its domain, its TLS certificate, its place on allow-lists) to launch attacks.
How SaaSquatting Works
The attack relies on the "First-Come, First-Served" nature of cloud resource provisioning. When organizations use public cloud services, they often receive a unique subdomain (e.g., companyname.saas-vendor.com).
Enumeration: The attacker lists the naming conventions a target organization is likely to use (e.g., target-dev, target-hr, target-support).
Registration: The attacker checks whether those names are still available on major platforms such as Heroku, Amazon S3, or Zendesk. If they are, the attacker registers them instantly; most platforms allocate names on a first-come, first-served basis with no proof of brand ownership.
Weaponization: Once the attacker owns target-support.zendesk.com, they customize the tenant to look exactly like the victim's legitimate portal and host phishing pages or malware on a URL that carries a valid TLS certificate issued for the trusted vendor's domain.
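The three steps above are mechanical, and the same permutation-and-existence check is what a defender runs against their own brand to find names to park or watch (it is also the technique the ThreatNG section later describes for bucket enumeration). The script below is an added example, not code from the article or from ThreatNG. It generates the candidate names, maps them onto hostname patterns for three platforms, and classifies each as claimed or unclaimed. The platform table, the "unclaimed" marker strings and the offline probe are constructed for illustration; a real run would replace fake_probe with DNS resolution and an HTTP GET. The check must look at the response body and not only at DNS, because several vendors use wildcard DNS and an unclaimed name still resolves.

```python
"""Enumerate candidate SaaS tenant names for a brand and classify each one.

Added example, not code from the article or from ThreatNG. The platform
table, the 'unclaimed' markers and the offline probe are constructed for
illustration; check them against the vendor's current behaviour before use.
"""
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical platform table: hostname template plus the body snippet the
# platform returns when nobody has claimed the name. Several vendors use
# wildcard DNS, so a resolving hostname alone does not mean the tenant exists.
PLATFORMS = {
    "heroku": ("{name}.herokuapp.com", "No such app"),
    "github-pages": ("{name}.github.io", "There isn't a GitHub Pages site here"),
    "s3": ("{name}.s3.amazonaws.com", "NoSuchBucket"),
}

# Suffixes organisations typically hang off their brand, and how they join them.
SUFFIXES = ["", "dev", "qa", "test", "support", "hr", "staging"]
JOINERS = ["-", ""]


def candidates(brand: str) -> List[str]:
    """Brand plus brand+suffix variants, in a stable order without duplicates."""
    names: List[str] = []
    for suffix, joiner in product(SUFFIXES, JOINERS):
        name = brand if not suffix else f"{brand}{joiner}{suffix}"
        if name not in names:
            names.append(name)
    return names


# A probe answers: does the host resolve, and what body (if any) did it serve?
Probe = Callable[[str], Tuple[bool, Optional[str]]]


def classify(host: str, unclaimed_marker: str, probe: Probe) -> str:
    """'claimed' if a real tenant answers, otherwise 'unclaimed'."""
    resolves, body = probe(host)
    if not resolves:
        return "unclaimed"          # nothing provisioned at all
    if body is not None and unclaimed_marker in body:
        return "unclaimed"          # wildcard DNS, but the vendor says no tenant
    return "claimed"


def survey(brand: str, probe: Probe) -> Dict[str, Dict[str, str]]:
    """platform -> {hostname: status} for every candidate name."""
    result: Dict[str, Dict[str, str]] = {}
    for platform, (template, marker) in PLATFORMS.items():
        result[platform] = {}
        for name in candidates(brand):
            host = template.format(name=name)
            result[platform][host] = classify(host, marker, probe)
    return result


def unclaimed(brand: str, probe: Probe) -> List[str]:
    """Hostnames still open to an attacker: the ones to park or to watch."""
    return sorted(
        host
        for statuses in survey(brand, probe).values()
        for host, status in statuses.items()
        if status == "unclaimed"
    )


# Constructed offline stand-in for DNS + HTTP GET, keyed by hostname.
FAKE_WORLD = {
    "acme.herokuapp.com": (True, "<html>Acme status page</html>"),
    "acme-dev.herokuapp.com": (True, "<html>No such app</html>"),
    "acme.github.io": (True, "<html>Acme docs</html>"),
    "acme-support.s3.amazonaws.com": (True, "<Error><Code>NoSuchBucket</Code></Error>"),
}


def fake_probe(host: str) -> Tuple[bool, Optional[str]]:
    return FAKE_WORLD.get(host, (False, None))


if __name__ == "__main__":
    for host in unclaimed("acme", fake_probe):
        print("unclaimed:", host)
```

Run against the constructed world, only acme.herokuapp.com and acme.github.io come back as claimed; everything else, including acme-dev.herokuapp.com, which resolves but serves the vendor's "No such app" page, is a name the organisation should either register itself or put on a watch list.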
Primary Risks of SaaSquatting
SaaSquatting poses unique challenges because security filters often allow-list traffic to and from major SaaS providers' domains.
Social Engineering and Phishing Because the URL contains the legitimate vendor's domain (e.g., servicenow.com or microsoft.com), employees and customers are conditioned to trust it. Phishing links hosted on these squatted tenants often bypass email security gateways that rely on domain reputation scores.
Brand Reputation Damage If an attacker registers company-refunds.zendesk.com and uses it to scam customers, the public perception is that the company itself—or its support helpdesk—has been compromised.
Subdomain Takeover and Dangling DNS SaaSquatting often overlaps with subdomain takeover. If an organization leaves a DNS record (say, a CNAME from help.company.com) pointing at a SaaS resource it has cancelled (such as company.service.com), an attacker can "squat" on that abandoned company.service.com namespace. The vendor then serves the attacker's content for the organization's own branded subdomain (help.company.com), hijacking legitimate traffic and, with it, any cookies or trust scoped to company.com. Vendors that require proof of domain ownership before serving a custom hostname close this path, but many still do not, so the reliable fix is on the DNS side: remove the record when the service is cancelled.
Cookie Tossing and Session Hijacking A cookie set by one host with a Domain attribute naming the vendor's parent domain (e.g., Domain=vendor.com) is sent by the browser to every sibling subdomain of that parent. If an attacker controls a squatted subdomain on a vendor domain that is not on the Public Suffix List, they cannot read the legitimate tenant's cookies, but they can "toss" cookies of their own into a victim's browser that are then sent to the legitimate tenant, shadowing or fixating its session cookie. Vendors that list their customer-tenant domain on the Public Suffix List (as herokuapp.com and github.io do) close this path, because browsers refuse to store a cookie scoped to a public suffix.
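To make the cookie-tossing mechanics concrete, the following is an added example (not code from the article) that implements the two browser rules that decide the outcome: RFC 6265's domain-match rule, which determines which hosts receive a cookie, and the public-suffix rejection rule, which stops a cookie from being scoped to a shared vendor domain. PUBLIC_SUFFIXES is a constructed three-entry stand-in for the real list at publicsuffix.org, example-saas.com is a hypothetical vendor that has not listed its tenant domain there, and the cookie jar is constructed. The last function also applies the header-ordering rule, which is what lets an attacker's same-name cookie with a longer Path land in front of the legitimate one.

```python
"""Which hosts receive a cookie that a squatted subdomain sets for the parent domain?

Added example, not code from the article. Implements the RFC 6265 domain-match
rule and the public-suffix rejection rule. PUBLIC_SUFFIXES is a constructed
three-entry stand-in for the real list at publicsuffix.org; example-saas.com is
a hypothetical vendor that has NOT listed its tenant domain there.
"""
from typing import Dict, List, Optional

PUBLIC_SUFFIXES = {"com", "github.io", "herokuapp.com"}  # constructed subset


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def browser_accepts(setting_host: str, domain: str) -> bool:
    """Would a PSL-aware browser store a cookie with this Domain attribute?"""
    d = domain.lower().lstrip(".")
    if d in PUBLIC_SUFFIXES:
        return False                        # RFC 6265 5.3 step 5: never a public suffix
    return domain_matches(setting_host, d)  # may only name itself or a parent


def cookie_reaches(setting_host: str, domain: Optional[str], target_host: str) -> bool:
    """True if a cookie set by setting_host (Domain=domain, or host-only when
    domain is None) is attached to requests for target_host."""
    if domain is None:
        return setting_host.lower() == target_host.lower()
    return browser_accepts(setting_host, domain) and domain_matches(target_host, domain)


def cookie_header(jar: List[Dict], target_host: str, path: str) -> str:
    """Build the Cookie header as RFC 6265 5.4 orders it: longer Path first,
    then earlier creation. A same-name attacker cookie with a longer Path
    therefore lands in front of the legitimate one, and most server frameworks
    take the first value they see."""
    chosen = [
        c for c in jar
        if cookie_reaches(c["setting_host"], c["domain"], target_host)
        and (path == c["path"] or path.startswith(c["path"].rstrip("/") + "/"))
    ]
    chosen.sort(key=lambda c: (-len(c["path"]), c["created"]))
    return "; ".join(f'{c["name"]}={c["value"]}' for c in chosen)


# Constructed jar: the legitimate tenant's host-only session cookie, then a
# cookie tossed by a squatted sibling tenant that names the parent domain and
# a deeper path.
JAR = [
    {"name": "session", "value": "good", "setting_host": "app.example-saas.com",
     "domain": None, "path": "/", "created": 1},
    {"name": "session", "value": "evil", "setting_host": "attacker.example-saas.com",
     "domain": "example-saas.com", "path": "/login", "created": 2},
]

if __name__ == "__main__":
    print(cookie_header(JAR, "app.example-saas.com", "/login"))  # attacker's value first
    print(cookie_reaches("attacker.herokuapp.com", "herokuapp.com", "app.herokuapp.com"))
```

On the hypothetical vendor the request to /login carries "session=evil; session=good", so the attacker's value wins wherever the server takes the first occurrence; the same attempt on herokuapp.com is refused at the browser because that domain is a public suffix. The two defences the page's vendors can apply follow directly: get the tenant domain onto the Public Suffix List, and use the __Host- cookie prefix, which forbids a Domain attribute altogether.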
Common Targets for SaaSquatting
Any platform that allows users to choose a custom identifier that becomes part of the URL is vulnerable. Common targets include:
Cloud Storage: AWS S3 buckets, Azure Blob Storage.
Code Repositories: GitHub, GitLab, Bitbucket namespaces.
Collaboration Tools: Slack workspaces, Atlassian (Jira/Confluence) instances.
Customer Support: Zendesk, Freshdesk, Salesforce help portals.
Content Delivery: Heroku apps, Netlify, Vercel subdomains.
Preventing SaaSquatting
Organizations must move from a reactive to a proactive posture regarding their digital namespace.
Defensive Registration: Proactively register your brand name and common variations (dev, qa, test, support) across critical SaaS platforms, even if you do not intend to use them immediately. This is known as "parking" the namespace.
DNS Hygiene: Regularly audit DNS records (CNAMEs) to identify "dangling" entries that point to third-party services you no longer use. Check the vendor's response for your hostname rather than relying on DNS alone, because vendors with wildcard DNS keep resolving a target whose tenant has been deleted. Remove these records immediately to prevent takeover.
Namespace Monitoring: Use brand protection tools to monitor for new registrations of your brand name across the SaaS ecosystem, not just on domain registrars.
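The dangling-CNAME audit above (and the subdomain-takeover scenario described under Primary Risks) reduces to a small loop over the zone. The script below is an added example, not code from the article or from ThreatNG. The zone, the DNS answers and the HTTP bodies are constructed, fake_resolve and fake_probe stand in for a real resolver and HTTP client, and the takeover fingerprints are illustrative and must be re-checked against each vendor's current "no such tenant" response. Two details matter in practice and are built in: a record is dangling both when the target no longer resolves (NXDOMAIN) and when the vendor's wildcard DNS still answers but serves its unclaimed-tenant page, and the HTTP probe must be made with the organisation's own hostname, because the vendor routes on the Host header.

```python
"""Audit CNAME records for dangling targets that a third party could claim.

Added example, not code from the article or from ThreatNG. The zone, the DNS
answers and the HTTP bodies are constructed; fake_resolve / fake_probe stand in
for a real resolver and HTTP client. The fingerprints are illustrative and
must be re-checked against each vendor's current 'no such tenant' response.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Vendor zone -> body text the vendor serves when the referenced tenant is absent.
TAKEOVER_FINGERPRINTS = {
    "herokuapp.com": "No such app",
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
}

# Constructed zone: our hostnames and their CNAME targets.
ZONE = {
    "docs.company.example": "company.github.io",                   # live tenant
    "app.company.example": "company-old.herokuapp.com",            # app deleted, wildcard DNS still answers
    "static.company.example": "company-assets.s3.amazonaws.com",   # bucket deleted
    "legacy.company.example": "company.retired-vendor.example",    # vendor gone, NXDOMAIN
}

# Constructed DNS: target -> addresses (documentation range), None for NXDOMAIN.
FAKE_DNS: Dict[str, Optional[List[str]]] = {
    "company.github.io": ["203.0.113.10"],
    "company-old.herokuapp.com": ["203.0.113.20"],
    "company-assets.s3.amazonaws.com": ["203.0.113.30"],
}

# Constructed HTTP: keyed by OUR hostname, because the vendor routes on the
# Host header, so the probe must use the branded name rather than the target.
FAKE_HTTP = {
    "docs.company.example": "<html>Company docs</html>",
    "app.company.example": "<html>No such app</html>",
    "static.company.example": "<Error><Code>NoSuchBucket</Code></Error>",
}

Resolver = Callable[[str], Optional[List[str]]]
HttpProbe = Callable[[str], Optional[str]]


def fake_resolve(name: str) -> Optional[List[str]]:
    return FAKE_DNS.get(name)


def fake_probe(host: str) -> Optional[str]:
    return FAKE_HTTP.get(host)


def vendor_for(target: str) -> Optional[str]:
    """Longest known vendor zone that target sits under, or None."""
    hits = [z for z in TAKEOVER_FINGERPRINTS if target == z or target.endswith("." + z)]
    return max(hits, key=len) if hits else None


def audit_record(host: str, target: str, resolve: Resolver, probe: HttpProbe) -> Tuple[str, str]:
    """('ok' | 'dangling', reason) for one CNAME record."""
    vendor = vendor_for(target)
    if resolve(target) is None:
        why = f"{target} does not resolve (NXDOMAIN)"
        if vendor:
            why += f"; name may be claimable at {vendor}"
        return "dangling", why
    body = probe(host) or ""
    if vendor and TAKEOVER_FINGERPRINTS[vendor] in body:
        return "dangling", f"{vendor} serves its unclaimed-tenant page for {host}"
    return "ok", f"{target} serves content for {host}"


def audit_zone(zone: Dict[str, str], resolve: Resolver = fake_resolve,
               probe: HttpProbe = fake_probe) -> Dict[str, Tuple[str, str]]:
    return {h: audit_record(h, t, resolve, probe) for h, t in zone.items()}


def dangling(zone: Dict[str, str], resolve: Resolver = fake_resolve,
             probe: HttpProbe = fake_probe) -> List[str]:
    """Records to delete (or re-claim at the vendor) now."""
    return sorted(h for h, (s, _) in audit_zone(zone, resolve, probe).items() if s == "dangling")


if __name__ == "__main__":
    for host, (status, why) in audit_zone(ZONE).items():
        print(f"{status:9} {host:24} {why}")
```

For real use, replace fake_resolve with a resolver that follows the CNAME chain (dnspython's resolver, for instance) and fake_probe with an HTTPS GET that sends the branded hostname; a record that points at a vendor not in the fingerprint table still deserves a manual look, since an unknown vendor is exactly where the fingerprint list is blind.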
Frequently Asked Questions
Is SaaSquatting illegal? Registering an available name is not inherently illegal, but using that name to impersonate a brand, conduct fraud, or infringe on a trademark is, under trademark and fraud law; in the US the Anticybersquatting Consumer Protection Act (ACPA) is the domain-name-specific statute usually cited. In practice the SaaS vendor's terms of service provide a faster route than litigation: an abuse report with evidence of impersonation normally gets the tenant suspended.
How is SaaSquatting different from Typosquatting? Typosquatting involves registering a misspelled version of a root domain (e.g., amaz0n.com). SaaSquatting involves registering a correct brand name on a third-party service (e.g., amazon.github.io).
Can firewalls block SaaSquatted sites? It is difficult. Blocking the root domain (like amazonaws.com) would break legitimate business functions. Security teams must rely on URL inspection and behavioral analysis rather than simple domain blocking.
ThreatNG and Defense Against SaaSquatting
ThreatNG combats SaaSquatting by acting as an external surveillance system that proactively monitors the digital namespace for unauthorized use of an organization's brand across cloud and SaaS ecosystems. While traditional security tools focus on securing owned assets, ThreatNG looks outward to identify where attackers have "parked" or "squatted" on legitimate third-party infrastructure to impersonate the business.
By detecting these fraudulent tenants—whether on GitHub, AWS S3, or Salesforce—ThreatNG prevents attackers from leveraging trusted vendor reputations to launch phishing attacks or host malware.
External Discovery: Identifying Rogue Tenants
Defense against SaaSquatting begins with visibility. ThreatNG’s External Discovery engine uses advanced permutation scanning and keyword matching to locate brand presence across the internet, including within the namespaces of major SaaS providers.
SaaS Tenant Discovery: ThreatNG scans the subdomains of popular SaaS platforms (e.g., *.herokuapp.com, *.github.io, *.zendesk.com) for keywords associated with the organization. It identifies whether an attacker has registered a deceptive name like yourcompany-support.zendesk.com.
Cloud Bucket Enumeration: Attackers often squat on S3 bucket names to trick employees or customers into uploading data to the wrong location. ThreatNG discovers these Exposed Open Cloud Buckets by generating permutations of the company name (e.g., company-backup, company-finance) and checking whether they exist and are accessible on public cloud infrastructure. This reveals "SaaSquatted" storage assets before they can be weaponized.
External Assessment: Validating Ownership and Risk
Once a potential SaaSquatting incident is identified, ThreatNG’s Assessment Engine analyzes the asset to determine if it is a legitimate shadow IT resource or a malicious trap.
Domain Intelligence and Ownership Verification: ThreatNG analyzes the registration data and infrastructure associated with the identified asset. If a discovered hostname (e.g., portal-login.company.com hosted on a third-party service) points to an IP address or uses a TLS certificate that matches known corporate standards, it is flagged as safe. If it uses a free, automated certificate (like Let's Encrypt) and has no connection to the corporate registrar, ThreatNG flags it as a high-risk SaaSquatting attempt. The certificate type is a signal rather than proof, since legitimate shadow IT also uses free certificates, which is why the content check that follows decides.
Content Analysis (Technical Resources): The assessment engine scans the content hosted on the squatted tenant. If ThreatNG finds a login form or branding elements that mimic the organization's official site hosted on a third-party URL (e.g., a fake login page on a generic Azure Blob URL), it confirms the asset is actively being used for credential harvesting.
Investigation Modules: Forensics of Impersonation
ThreatNG’s investigation modules allow security teams to gather the evidence needed to confirm malicious intent and attribute the attack.
Investigating Code Repositories (SaaS Exposure): Attackers often squat on GitHub or GitLab namespaces to distribute malicious code disguised as official SDKs. ThreatNG's Cloud and SaaS Exposure module investigates these repositories. Analysts can examine the committers and code content to verify that github.com/yourcompany-sdk is a fake account controlled by an imposter, not the official engineering team.
Archived Web Page Investigation: Attackers often spin up squatted sites for short campaigns. If a suspicious SaaS URL is currently offline, analysts use the Archived Web Page module to view historical snapshots. This allows them to determine whether the site previously hosted a phishing page, providing evidence to blocklist the URL even after the attacker has taken it down.
Continuous Monitoring: The Brand Radar
SaaSquatting is a race; attackers try to register names as soon as a new product or service is announced. ThreatNG’s Continuous Monitoring ensures the organization wins this race.
New Registration Alerting: ThreatNG continuously monitors the namespaces of critical SaaS providers. If a new subdomain containing the organization's trademark appears (e.g., company-vpn.oktapreview.com), ThreatNG triggers an immediate alert. This allows the security team to investigate the registration in real time and block access to the site before any employee is phished.
Intelligence Repositories: Threat Context
ThreatNG’s Intelligence Repositories provide the context to understand the squatter's intent.
Campaign Correlation: The repository correlates squatted infrastructure with known threat-actor tactics. If the squatted domain follows a naming convention used by a specific ransomware group (e.g., containing "support" or "refund" keywords), ThreatNG identifies the likely adversary, helping the team prepare for the social engineering attack that typically follows the squatting event.
Reporting: Evidence for Takedowns
ThreatNG’s Reporting capabilities streamline the remediation process, which often involves legal action or vendor abuse reports.
Abuse Notification Reports: ThreatNG generates reports detailing the fraudulent asset, including screenshots, DNS records, and SSL certificate details. These reports serve as the "Evidence Package" required by SaaS providers (like Amazon or Microsoft) to process a takedown request and suspend the attacker's account.
Complementary Solutions
ThreatNG works cooperatively with the broader security ecosystem to detect, block, and remove SaaSquatted assets.
Brand Protection and Takedown Services ThreatNG acts as the detection engine.
Cooperation: While ThreatNG identifies squatted sites, Brand Protection services specialize in their legal removal. ThreatNG provides these partners with the list of confirmed SaaSquatted URLs, automating the initiation of legal takedowns and Cease & Desist orders.
Secure Web Gateways (SWG) and DNS Firewalls ThreatNG provides the blocklist.
Cooperation: ThreatNG identifies the malicious SaaS URL (e.g., malicious-tenant.sharepoint.com) and feeds it to the organization's SWG or DNS firewall. This ensures that even if an employee receives a phishing email linking to the squatted site, the corporate network blocks the connection, neutralizing the threat.
Email Security Gateways (SEG) ThreatNG enhances phishing detection.
Cooperation: Attackers use SaaSquatted domains to bypass email filters because the root domain (e.g., salesforce.com) has a high reputation. ThreatNG feeds the SEG a list of specific subdomains and tenants that are known to be malicious squatters. This allows the email gateway to block emails originating from or linking to those specific fraudulent tenants while still allowing legitimate traffic from the SaaS provider.
Cloud Access Security Brokers (CASB) ThreatNG identifies shadow tenants.
Cooperation: CASBs control access to cloud applications. ThreatNG informs the CASB about unauthorized tenants. If ThreatNG detects a squatted Microsoft 365 tenant mimicking the company, the CASB can be configured to block any login attempts or data uploads to that specific Tenant ID, preventing data exfiltration to the attacker’s environment.
Frequently Asked Questions
How does ThreatNG find SaaSquatting if it doesn't have the attacker's password? ThreatNG uses Open Source Intelligence (OSINT) techniques. It scans public certificate transparency logs, DNS records, and search engine results for permutations of the brand name hosted on third-party provider domains.
Can ThreatNG stop someone from registering the name? No tool can prevent a third party from registering an available name on a platform the organization does not control. However, ThreatNG's Continuous Monitoring detects the registration as soon as it becomes visible, allowing the organization to block access to it and request a takedown before it causes damage.
Does this help with "Typosquatting" as well? Yes. The same External Discovery and permutation engines that find SaaSquatting (e.g., company-name.saas.com) also identify Typosquatting (e.g., compaany-name.com), providing comprehensive brand defense.