ID: SAT1014
- Discovery
There is generally evidence in a user’s mailbox when they are actively using a SaaS app. At a minimum, there is usually some form of welcome or verification email, if not usage notifications
Email is a prime source of discovery of other SaaS apps the target is using. If an adversary gains access to a mailbox, they may use this information to perform further attacks and move laterally to other SaaS apps the compromised user is accessing. Email is also a source of general knowledge an adversary can use to conduct further attacks against other users in the organization.