ID: SAT1007
- Initial Access
An adversary may attempt to authenticate to a SaaS account by guessing a large number of passwords. However, many apps limit the rate or number of password guesses. If the adversary assumes a user shares passwords between SaaS apps, the set of passwords to be guessed can be split across all the apps the user has accounts on, circumventing the rate limits on any one SaaS app.
This can be particularly effective against heavy SaaS users as it allows an adversary to spread the attack across a large number of SaaS apps.
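Because the guesses are split so that no single app sees enough failures to trip its own limit, detection has to count failed logins per user across apps rather than per app. The sketch below is an added example, not part of the original entry; the event layout, app names, thresholds and sample log are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PER_APP_LIMIT = 5               # assumed: failures one app tolerates before limiting
WINDOW = timedelta(minutes=30)  # assumed correlation window
TOTAL_LIMIT = 10                # assumed: failures per user summed over all apps
MIN_APPS = 3                    # assumed: distinct apps that must be involved

def sample_events():
    """Constructed log: (timestamp, user, app, outcome). App names are made up."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ev = []
    # alice: 4 failures on each of 4 apps, always below PER_APP_LIMIT
    for i, app in enumerate(["crm", "chat", "storage", "wiki"]):
        ev += [(t0 + timedelta(minutes=5 * i + j), "alice", app, "failure")
               for j in range(4)]
    # bob: two mistyped passwords on one app, then a successful login
    ev += [(t0 + timedelta(minutes=k), "bob", "chat", "failure") for k in range(2)]
    ev.append((t0 + timedelta(minutes=3), "bob", "chat", "success"))
    # carol: many failures, but hourly and on a single app
    ev += [(t0 + timedelta(hours=k), "carol", "crm", "failure") for k in range(12)]
    return ev

def cross_app_guessing(events, window=WINDOW, total_limit=TOTAL_LIMIT,
                       min_apps=MIN_APPS):
    """Alert on users whose failures, summed across apps, cluster in one window."""
    by_user = defaultdict(list)
    for ts, user, app, outcome in events:
        if outcome == "failure":
            by_user[user].append((ts, app))
    alerts = []
    for user, fails in sorted(by_user.items()):
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1          # slide the window forward
            per_app = Counter(app for _, app in fails[start:end + 1])
            if sum(per_app.values()) >= total_limit and len(per_app) >= min_apps:
                alerts.append({"user": user, "failures": sum(per_app.values()),
                               "per_app": dict(per_app),
                               "first": fails[start][0], "last": fails[end][0]})
                break               # one alert per user is enough
    return alerts

if __name__ == "__main__":
    for a in cross_app_guessing(sample_events()):
        print(a)
```

In practice the events would come from an identity provider or from normalized per-app audit logs, keyed on a common user identifier.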