
Introduction


In today’s digital workspace, SaaS applications like Slack, Google Drive, and Microsoft Teams have become the backbone of business communication and collaboration. These platforms are often filled with sensitive documents, critical data, and intellectual property—making them an attractive target for malicious actors. Yet, many organizations operate under the assumption that if permissions are properly configured and external access is restricted, their data is safe. But is this mindset dangerously outdated? Can strong access controls alone prevent insider threats or mitigate the risks of corporate espionage?

The recent incident involving Rippling and Deel challenges this perception. In November 2024, Rippling alleged that a user within their organization engaged in suspicious activity, frequently searching for and accessing sensitive files within their Slack environment. Rippling claims this activity was part of a corporate espionage effort orchestrated by Deel, leading to a high-stakes legal battle.

This incident underscores the growing threat posed by insiders—whether acting maliciously or negligently—and highlights the vulnerabilities that come with relying heavily on productivity SaaS platforms. In this article, we’ll explore the security implications of such platforms, analyze the gaps that allowed this incident to occur, and offer actionable strategies to help organizations safeguard their sensitive information.

Understanding the Rippling Incident

In November 2024, Rippling found itself at the center of a high-profile corporate espionage case. The company alleged that an employee, whose employment had started a year earlier, had engaged in suspicious activity targeting sensitive information stored within its Slack environment. According to the claims, the user repeatedly searched for and accessed critical internal documents multiple times a day, which alerted the security team.

In early November, Rippling's security monitoring systems identified unusual search patterns in its internal Slack workspace. The user in question, who has not been identified publicly, appeared to be conducting regular searches for highly sensitive files that included proprietary and client information. Once identified, internal investigations were conducted into the user's behavior and actions. The pattern of behavior identified by the internal teams suggested that the activity had a motive beyond the normal actions required by the user's role. The pattern of searches was described as methodical and focused, with particular attention given to files that could be leveraged for competitive gain.

With this information in hand, Rippling escalated its concerns, leading to a forensic analysis that suggested data had been exfiltrated. Following the discovery of these actions, Rippling began legal proceedings against Deel, a direct competitor. The allegation is of a corporate espionage campaign that leveraged the insider to gather sensitive information.

This incident highlights a growing security concern: the risk of insider threats within SaaS environments, especially those that hold a wide array of information. As organizations increasingly rely on SaaS platforms for easier collaboration, they may unknowingly expose themselves to significant data security risks.

Productivity SaaS Applications and Associated Risk


SaaS platforms (such as SharePoint, Slack, Google Drive, Dropbox, etc.) function as central hubs that have transformed the way businesses collaborate, making it easier than ever to share ideas, documents and sensitive information. However, this convenience comes at a cost: these platforms also introduce new layers of security risk that many organizations underestimate.

Whilst centralization improves accessibility and collaboration, it also creates a single point of failure. If an attacker, internal or external, manages to gain access to these platforms, they can potentially access a treasure trove of sensitive information. Once inside, the attackers often leverage legitimate user credentials to move laterally within the systems, making it difficult to identify the activity as malicious.

Organizations often assume that setting strict permissions and limiting external access is enough to safeguard sensitive data. But this mindset is outdated and dangerous. Permissions alone can’t stop authorized users from misusing access—and excessive permissions, granted for convenience, often leave critical information wide open. In the Rippling case, access controls were in place, yet the insider still managed to search for and retrieve sensitive data undetected.

External attacks leave telltale signs—failed logins, suspicious IPs, or brute-force attempts. Insiders? They operate from within, making them inherently harder to detect. Authorized users can comb through sensitive data without raising alarms unless granular controls or DLP (Data Loss Prevention) measures are in place. Worse, most SaaS platforms lack the real-time anomaly detection needed to flag abnormal user behavior as it happens.

Audit logs capture surface-level events like file access or login timestamps, but they lack context. They can’t tell if a legitimate search is part of normal operations—or a prelude to data theft. Without granular insights into how users interact with sensitive information, incident response becomes reactive and slow—often catching threats only after the damage is done.

These weaknesses in the basic functionality of SaaS platforms create a perfect storm for insider threats, where overly permissive access, a lack of real-time monitoring, and poor behavioral analysis combine to leave organizations exposed. Without a proactive solution that provides a single pane of glass for activity and behavioral analysis, organizations leave themselves vulnerable to both accidental and deliberate data exposure.

Hunting Sharks


To mitigate the risks presented above, security teams need tools that let them run proactive threat hunts and catch threats in the act. Since insiders access applications with legitimate credentials, it is difficult to identify them outright, so the aim is to recognize the conditions for these situations before they occur.

Detect Excessive Activity Within Slack

One of the more obvious situations to hunt for is mass data downloads by users who are known to be leaving the organization. Below is a code snippet that could help identify anomalous activity in Slack.

def detect_excessive_activity(logs, action_type='file_search', threshold=10):
    # `logs` is a pandas DataFrame of Slack audit events with an 'action' column
    # and a 'date_time' column already parsed as datetimes
    action_logs = logs[logs['action'] == action_type]

    # Group by day and count actions
    action_counts = action_logs.groupby(action_logs['date_time'].dt.date).size()

    # Flag days with excessive activity
    high_activity_days = action_counts[action_counts > threshold]
    if not high_activity_days.empty:
        print(f"⚠️ Detected {len(high_activity_days)} days with excessive '{action_type}' activity.")
        print(high_activity_days)
    else:
        print(f"✅ No unusual '{action_type}' activity detected.")

This code snippet checks for file searches per day above the pre-established threshold. The threshold can be adjusted to the needs and activity within your organization. Whilst this is generalized, it can be used to narrow the investigation to the days that may contain activity similar to what is described in this blog.
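The snippet above counts searches per day across the whole workspace, so one user's burst blends into everyone else's activity and the output names a day but not a person. The added example below (written for this article; it is not code from the original post or from Mitiga) takes raw JSON-lines audit records, flattens them, and counts file searches per user and per day, so the hit names both. The record layout (epoch seconds in `date_create`, the acting user under `actor.user.email`) and the sample events are constructed for illustration rather than taken from a documented Slack schema, and the code uses only the Python standard library so it runs without pandas.

```python
import json
from collections import Counter
from datetime import datetime, timezone


def _epoch(day, hour, minute=0):
    """Epoch seconds for a constructed 2024-11-<day> UTC timestamp."""
    return int(datetime(2024, 11, day, hour, minute, tzinfo=timezone.utc).timestamp())


def _event(day, hour, minute, action, email):
    # Assumed record layout for this example: epoch seconds in 'date_create',
    # the acting user under actor.user.email. Not a documented Slack schema.
    return {"date_create": _epoch(day, hour, minute), "action": action,
            "actor": {"user": {"email": email}}}


# Constructed sample: alice searches 3 times on 4 Nov; bob searches 12 times on
# 4 Nov and twice on 5 Nov, and also downloads one file (which is not a search).
_SAMPLE = (
    [_event(4, 9 + i // 2, (i % 2) * 30, "file_search", "alice@example.com") for i in range(3)]
    + [_event(4, 8 + i % 10, (i * 7) % 60, "file_search", "bob@example.com") for i in range(12)]
    + [_event(5, 10, 0, "file_search", "bob@example.com"),
       _event(5, 11, 0, "file_search", "bob@example.com"),
       _event(4, 12, 15, "file_downloaded", "bob@example.com")]
)
SAMPLE_AUDIT_JSONL = "\n".join(json.dumps(e) for e in _SAMPLE)


def parse_audit_jsonl(text):
    """Flatten JSON-lines audit records into (user, action, utc_datetime) tuples.
    Malformed lines or records missing a field are skipped rather than fatal."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            user = rec["actor"]["user"]["email"]
            when = datetime.fromtimestamp(int(rec["date_create"]), tz=timezone.utc)
            rows.append((user, rec["action"], when))
        except (ValueError, KeyError, TypeError):
            continue
    return rows


def count_per_user_day(rows, action_type="file_search"):
    """Count events of one action type per (user, UTC date string)."""
    counts = Counter()
    for user, action, when in rows:
        if action == action_type:
            counts[(user, when.date().isoformat())] += 1
    return counts


def flag_excessive(counts, threshold=10):
    """Return [(user, date, count)] above the threshold, largest count first."""
    hits = [(user, day, n) for (user, day), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    rows = parse_audit_jsonl(SAMPLE_AUDIT_JSONL)
    hits = flag_excessive(count_per_user_day(rows), threshold=10)
    for user, day, n in hits:
        print(f"⚠️ {user} ran {n} file searches on {day}")
    if not hits:
        print("✅ No user exceeded the daily file search threshold.")
```

With the constructed data the workspace total on 4 November is 15 searches, which the per-day snippet would flag as a busy day; the per-user count shows that 12 of them belong to one account, which is the lead an investigator actually needs.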

Mass Downloads from SharePoint by a Single User

SharePoint is one of the most used storage SaaS platforms and comes packaged with Office 365 and Microsoft Teams. One aspect of the anomalous activity that attackers may conduct is the exfiltration of large amounts of data; the following code snippet will detect a large number of downloads and the user behind the action.

def detect_mass_downloads(logs, threshold=50):
    # `logs` holds one row per file download event with a 'user' column
    downloads_per_user = logs.groupby('user').size()
    suspicious_users = downloads_per_user[downloads_per_user > threshold]

    if not suspicious_users.empty:
        print("⚠️ Mass file downloads detected by the following users:")
        print(suspicious_users)
    else:
        print("✅ No unusual file download activity detected.")

# Run download detection
detect_mass_downloads(file_logs, threshold=50)

Off Hours Access for Users (SharePoint)

Legitimate users rarely access sensitive documents at 3 AM. Attackers are not known for sticking to the 9 to 5 that Dolly Parton suggested, meaning that if they are accessing files at strange times that do not match their normal behavior, this could be an indicator of malicious activity. This code identifies file access that occurs outside normal business hours, a common indicator of insider malfeasance:

def detect_off_hours_access(logs, start_hour=9, end_hour=18):
    # Extract the hour of day from the access timestamp without modifying the input frame
    hours = logs['modified_time'].dt.hour
    off_hours_logs = logs[(hours < start_hour) | (hours > end_hour)]

    if not off_hours_logs.empty:
        print("⚠️ Suspicious file access outside business hours detected:")
        print(off_hours_logs[['user', 'file_name', 'modified_time']])
    else:
        print("✅ No off-hours file access detected.")

# Run off-hours access check
detect_off_hours_access(file_logs, start_hour=9, end_hour=18)
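Business hours only mean something in the user's own time zone, and a Saturday at 11:00 is as unusual for most roles as a Tuesday at 03:00. SharePoint audit timestamps are recorded in UTC, so evaluating the raw hour would flag a colleague in Tokyo starting work and miss one finishing at midnight. The added example below (not code from the original post) evaluates each access against the user's local working hours and working days. The event shape, the user-to-offset table and the timestamps are constructed for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed mapping of user -> UTC offset (hours) of the user's home office.
USER_UTC_OFFSETS = {"alice@example.com": -5, "bob@example.com": 2, "carol@example.com": 9}

# Constructed file access events: (user, file_name, UTC timestamp). 4 Nov 2024 is a Monday.
SAMPLE_ACCESS = [
    ("alice@example.com", "Q4-financials.xlsx", "2024-11-05T15:30:00Z"),  # Tue 10:30 local: normal
    ("alice@example.com", "client-list.csv", "2024-11-05T07:05:00Z"),     # Tue 02:05 local: off hours
    ("bob@example.com", "roadmap.pptx", "2024-11-05T15:30:00Z"),          # Tue 17:30 local: normal
    ("bob@example.com", "roadmap.pptx", "2024-11-09T09:00:00Z"),          # Sat 11:00 local: weekend
    ("carol@example.com", "salary-bands.xlsx", "2024-11-06T00:30:00Z"),   # Wed 09:30 local: normal
    ("carol@example.com", "salary-bands.xlsx", "2024-11-05T14:00:00Z"),   # Tue 23:00 local: off hours
]


def to_local(utc_str, offset_hours):
    """Parse an ISO-8601 UTC timestamp and shift it to a fixed UTC offset."""
    utc_dt = datetime.strptime(utc_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc_dt.astimezone(timezone(timedelta(hours=offset_hours)))


def detect_off_hours_access(events, offsets, default_offset=0, start_hour=9, end_hour=18):
    """Return [(user, file_name, local_iso, reason)] for accesses that fall on a weekend
    or outside [start_hour, end_hour) in the user's local time. Users missing from
    `offsets` are evaluated at `default_offset` (UTC unless told otherwise)."""
    hits = []
    for user, file_name, utc_str in events:
        local = to_local(utc_str, offsets.get(user, default_offset))
        if local.weekday() >= 5:  # Monday is 0, so 5 and 6 are Saturday and Sunday
            reason = "weekend"
        elif local.hour < start_hour or local.hour >= end_hour:
            reason = "outside %02d:00-%02d:00 local" % (start_hour, end_hour)
        else:
            continue
        hits.append((user, file_name, local.isoformat(), reason))
    return hits


if __name__ == "__main__":
    for user, file_name, when, reason in detect_off_hours_access(SAMPLE_ACCESS, USER_UTC_OFFSETS):
        print(f"⚠️ {user} accessed {file_name} at {when} ({reason})")
```

Running the same events with an empty offset table (everyone evaluated in UTC) reports carol's 09:30 start of day as off-hours and misses her 23:00 access, which is the failure mode a time-zone-aware check avoids. The per-user offsets would normally come from the HR or directory system rather than a hard-coded table.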

Searching for Sensitive Keywords (SharePoint)

In addition, we have seen throughout this case and blog that attackers will often recon an environment first, sometimes for months, to identify sensitive files to exfiltrate or otherwise gain access to. The following code snippet can identify users who have surpassed the threshold for searches containing sensitive keywords. These keywords should be edited for your own needs and usage.

import re

def detect_keyword_searches(logs, keywords, threshold=5):
    # Escape each keyword so characters such as '.', '(' or '+' are matched literally
    pattern = '|'.join(re.escape(keyword) for keyword in keywords)
    search_logs = logs[logs['file_name'].str.contains(pattern, case=False, na=False)]

    # Group by user and count occurrences
    keyword_searches = search_logs.groupby('user').size()
    suspicious_users = keyword_searches[keyword_searches > threshold]

    if not suspicious_users.empty:
        print("⚠️ Users searching for sensitive files excessively:")
        print(suspicious_users)
    else:
        print("✅ No suspicious keyword search activity found.")

# Define sensitive keywords to monitor
sensitive_keywords = ['confidential', 'financials', 'acquisition', 'salary']

# Run keyword search detection
detect_keyword_searches(file_logs, sensitive_keywords, threshold=5)
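Two details matter when a keyword list becomes a search pattern: keywords must be escaped so that characters such as '(' or '+' are not read as regex syntax, and a keyword should match as a whole token so that "nonconfidential" does not trip on "confidential". Counting distinct files rather than raw events also separates a user who touches many sensitive files (the reconnaissance pattern described above) from one who reopens the same report all day. The added example below (not code from the original post) implements all three points with the standard library; the events and the extra keyword 'M&A (draft)' are constructed for the illustration.

```python
import re
from collections import defaultdict

# The article's keyword list plus one constructed keyword containing regex
# metacharacters, to show why escaping matters.
SENSITIVE_KEYWORDS = ['confidential', 'financials', 'acquisition', 'salary', 'M&A (draft)']

# Constructed file open/search events: (user, file_name).
SAMPLE_EVENTS = (
    [("eve@example.com", name) for name in [
        "confidential-pricing.xlsx", "acquisition-targets.docx", "salary bands 2025.xlsx",
        "Project Falcon acquisition memo.pdf", "financials-FY24.xlsx",
        "M&A (draft) term sheet.pdf", "CONFIDENTIAL board deck.pptx"]]
    + [("frank@example.com", "Q4 financials.xlsx")] * 12          # one file, reopened many times
    + [("grace@example.com", "nonconfidential-notes.txt"),         # substring, not a whole keyword
       ("grace@example.com", "salaryman-cartoon.png")]
)


def build_keyword_pattern(keywords):
    """Case-insensitive pattern matching any keyword as a whole token. Keywords are
    escaped so '(' , '+' or '.' inside them are literal, and lookarounds (rather than a
    word-boundary anchor) handle keywords that start or end with non-word characters."""
    escaped = sorted((re.escape(k) for k in keywords), key=len, reverse=True)
    return re.compile(r"(?<!\w)(?:%s)(?!\w)" % "|".join(escaped), re.IGNORECASE)


def sensitive_file_hits(events, keywords, threshold=5):
    """Return {user: sorted distinct matching file names} for users whose number of
    DISTINCT sensitive files exceeds the threshold."""
    pattern = build_keyword_pattern(keywords)
    per_user = defaultdict(set)
    for user, file_name in events:
        if pattern.search(file_name):
            per_user[user].add(file_name)
    return {user: sorted(files) for user, files in per_user.items() if len(files) > threshold}


if __name__ == "__main__":
    for user, files in sensitive_file_hits(SAMPLE_EVENTS, SENSITIVE_KEYWORDS, threshold=5).items():
        print(f"⚠️ {user} touched {len(files)} distinct sensitive files: {', '.join(files)}")
```

Whether to count distinct files or total events depends on the hypothesis being hunted: distinct files surface breadth of reconnaissance, total events surface repeated pulls of one high-value document, and both views are cheap to keep side by side.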

Detect Mass Report Export in Salesforce

Finally, Salesforce has been directly affected by attacks against the SaaS platform, so it would not be strange for attackers to attempt the tactics mentioned in this blog there too. The following code snippet will identify if a user is excessively exporting data from your Salesforce environment; however, these results should be compared to the user's normal activity.

def detect_mass_report_exports(logs, threshold=50):
    # `logs` holds one row per Salesforce report export event with a 'user' column
    exports_per_user = logs.groupby('user').size()
    suspicious_users = exports_per_user[exports_per_user > threshold]

    if not suspicious_users.empty:
        print("⚠️ Mass report exports detected by the following users:")
        print(suspicious_users)
    else:
        print("✅ No unusual report export activity detected.")
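The text recommends comparing exports with the user's normal activity, and a fixed count also treats an export of ten rows the same as one of a hundred thousand. The added example below (not from the original post or from Salesforce's own tooling) weights each export by the rows it returned, totals rows per user per day, and flags a day only when it exceeds both an absolute floor and a multiple of the median of that user's earlier days. A user with no history (a new hire on day one) has no baseline and is flagged on the floor alone. The event fields (user, date, rows_exported) and all values are constructed for this example; no Salesforce event schema is assumed.

```python
from collections import defaultdict
from statistics import median

# Constructed report export events: (user, date, rows_exported). The field names are
# assumed for this example and are not Salesforce's event schema.
SAMPLE_EXPORTS = [
    ("alice@example.com", "2024-11-04", 2000),
    ("alice@example.com", "2024-11-05", 2500),
    ("alice@example.com", "2024-11-06", 1800),
    ("alice@example.com", "2024-11-07", 2200),
    ("alice@example.com", "2024-11-08", 120000),    # roughly 50x her usual daily volume
    ("analyst@example.com", "2024-11-04", 8000),
    ("analyst@example.com", "2024-11-05", 30000),   # large but routine for this user
    ("analyst@example.com", "2024-11-06", 30000),
    ("analyst@example.com", "2024-11-07", 40000),
    ("bob@example.com", "2024-11-04", 300),
    ("bob@example.com", "2024-11-05", 50),
    ("bob@example.com", "2024-11-05", 40),          # two small exports on the same day
    ("bob@example.com", "2024-11-08", 400),
    ("newhire@example.com", "2024-11-08", 90000),   # first day in the logs, no baseline
]


def daily_rows_per_user(events):
    """Sum exported rows per user per day: {user: {date: rows}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, rows in events:
        totals[user][day] += rows
    return totals


def flag_export_anomalies(events, multiplier=5.0, absolute_floor=10000):
    """Return [(user, day, rows, baseline)] where baseline is the median of that user's
    earlier daily totals (None if there are none). A day is flagged when its total
    exceeds the absolute floor and either there is no baseline or the total exceeds
    multiplier * baseline, so steady heavy exporters are not reported every day."""
    flagged = []
    for user, per_day in daily_rows_per_user(events).items():
        history = []
        for day in sorted(per_day):            # ISO dates sort chronologically
            rows = per_day[day]
            if rows > absolute_floor:
                baseline = median(history) if history else None
                if baseline is None or rows > multiplier * baseline:
                    flagged.append((user, day, rows, baseline))
            history.append(rows)
    return sorted(flagged, key=lambda t: (t[0], t[1]))


if __name__ == "__main__":
    for user, day, rows, baseline in flag_export_anomalies(SAMPLE_EXPORTS):
        base = "no prior history" if baseline is None else f"median of earlier days {baseline:.0f}"
        print(f"⚠️ {user} exported {rows} rows on {day} ({base})")
```

The analyst account is never reported despite exporting more rows than anyone else on a normal day, because its history makes that volume expected; the same volume from alice is reported because it is fifty times her own median. The floor and multiplier are the knobs to tune against your own export telemetry.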

Conclusion


SaaS platforms like Slack, SharePoint, and Salesforce have revolutionized business collaboration, but they have also opened the door to new types of attacks that traditional defenses overlook. Insider threats (whether malicious or accidental) pose a unique challenge because they operate with legitimate access, blending seamlessly into normal activity.

Without proactive monitoring and behavioral analysis, organizations risk missing these subtle indicators – allowing threats to escalate undetected. Integrating these detection techniques into a single-pane-of-glass monitoring system ensures that security teams can respond before data is compromised.

SaaS security is not just about setting permissions and hoping for the best – it’s about proactively hunting for threats within the ecosystem. Organizations that prioritize continuous monitoring, real-time anomaly detection and contextual analysis will not only mitigate insider risks but also gain the upper hand in defending their most valuable assets.

LAST UPDATED:

April 2, 2025
