Kaseya report flags guest accounts and MFA gaps in SMB SaaS environments

Kaseya says guest accounts and inconsistent multi-factor authentication (MFA) enforcement are expanding the attack surface for small and mid-sized businesses (SMBs) using SaaS platforms, according to data released in its 2026 SaaS Security Report.

The report analysed 27.6 billion SaaS security events across more than 50,000 SMB environments, including 5,400 managed service provider (MSP) partners and 6.2 million end-user accounts, Kaseya said. It found guest accounts represented 69% of monitored accounts—4.3 million guest accounts compared with 1.9 million licensed users.

Kaseya said attackers are increasingly targeting identities, OAuth integrations and collaboration workflows rather than traditional perimeter weaknesses, using automation to locate dormant guest accounts and exploit access pathways that appear legitimate inside organisations’ SaaS ecosystems.

“Today’s AI-emboldened threat actors see one interconnected attack environment, whereas most organisations defend their infrastructure in pieces,” said Jim Lippie, chief product officer at Kaseya. “The most resilient organisations will be those that embrace continuous monitoring, identity governance and automated response as foundational requirements.”

The report also points to OAuth integration “sprawl” linked to AI adoption, with third-party integrations using persistent tokens rather than credentials. Kaseya said non-human “service principal” logins accounted for 20% of critical security alerts.

On authentication controls, the report found 56% of end-user accounts lacked active MFA, while 27% of SMBs enforced organisation-wide MFA. It also said legacy measures such as geolocation blocking are being undermined as attackers route traffic through cloud hosts and VPNs.

Kaseya reported that outside North America, 44% of unauthorised logins originated from “trusted infrastructure and outsourced hubs”, listing India (14%), the Philippines (10%), Germany (7%), the UK (7%) and the Netherlands (6%).

The report also highlighted data exposure in productivity suites. In Microsoft 365 environments, Kaseya said 45% of shared files were sent outside the organisation.

Alert volume was another issue raised. Kaseya said 98.9% of monitored SaaS security events were classified as low severity, but organisations still faced more than 278 million medium- and critical-severity alerts requiring investigation.

In recommendations, Kaseya said SMBs should shift to “identity-first governance” and automated behavioural monitoring, and focus on enforcing MFA, auditing machine identities, reviewing external sharing permissions, and consolidating security tools to reduce visibility gaps.

You can read the full report here.
