In November 2025, Anthropic revealed a cyber espionage campaign dubbed GTG-1002, the first documented case of an AI agent orchestrating real-world intrusions with minimal human input. A Chinese state-sponsored group manipulated Anthropic's Claude Code assistant into executing about 80% of a multi-target hacking campaign autonomously.
Instead of merely advising cybercriminals, the AI took control of key steps: reconnaissance, vulnerability discovery, exploitation, credential theft, and data exfiltration across dozens of organizations. The result was an operation running at machine tempo. Claude performed tasks in a fraction of the time a human team would need, even identifying sensitive databases and writing exploits in seconds.
Figure 1: The distinct phases of the Claude cyberattack
At the peak of the attack, the AI made thousands of requests (often several per second), an onslaught of activity impossible for humans to match. This speed and scale of automation is a game changer: attacker workflows can now iterate continuously with little friction, launching and expanding intrusions faster than cybersecurity experts can react in traditional ways.
Static OAuth Trust vs. Machine-Speed Attackers
The implications of AI-powered, machine-speed attacks are especially worrying in the context of SaaS security. Most organizations heavily rely on SaaS platforms connected by OAuth integrations and API keys, essentially trust tokens that grant apps and scripts delegated access to data.
The problem is that this trust is largely static and human-paced, whereas AI-augmented attackers operate dynamically and quickly. Once a user or admin clicks "Approve" on an OAuth consent screen for a third-party app, for example, that app gets a token with certain scopes (permissions). Those decisions are typically made once and then set-and-forget, rarely revisited or scrutinized afterward.
Over time, dozens or hundreds of apps accumulate broad permissions. Employees often grant expansive scopes that go beyond what the app truly needs (sometimes at the app's request), and those access tokens remain valid indefinitely if not manually revoked. In many organizations, no one owns or routinely reviews these non-human identities to check if they're still needed or behaving appropriately.
Long-lived tokens are a particular concern. OAuth access tokens (and their refresh tokens) can persist for months or years without rotation, and they usually aren't bound to a device or network, meaning they can be used from anywhere once obtained. This persistent trust lets integrated apps continue operating with minimal scrutiny, bypassing traditional login security mechanisms.
This creates an asymmetry when facing AI threats. An attacker who compromises a long-lived token or a connected app can leverage that static trust faster than a human team can notice or respond. When threat actors can move at machine speed and stay under the radar of infrequent manual checks, a one-time approval model becomes a serious liability.
From Periodic Checks to Continuous Verification
To defend SaaS against AI threats, security teams are pivoting from periodic, manual audits to proactive, automated verification of apps and identities. This echoes the philosophy of zero trust: never trust, always verify (and re-verify). In practice, that means treating third-party SaaS tokens and integrations more like we treat privileged user accounts, with strict governance, least privilege principles, and ongoing monitoring.
Several emerging best practices aim to bring SaaS trust up to speed. One is enforcing short-lived tokens and frequent rotation, so credentials don't linger for attackers to reuse. Another is implementing fine-grained scopes and requiring apps to re-request access if they need new permissions, making any scope change a deliberate event that can be reviewed.
Organizations are also starting to implement dynamic SaaS security solutions that monitor the behavior of connected apps and service accounts. By baselining normal activity and watching for anomalies, any misuse of a token can be detected in real time. If an OAuth integration suddenly starts pulling vastly more data than usual or at odd hours, for instance, that should raise an instant flag. In essence, the goal is to catch when trusted non-human identities act untrustworthy.
What to Watch For in SaaS Environments
Here are four useful indicators and events that security teams should be actively watching for in their SaaS environments (with automated alerts wherever possible):
Sudden Scope or Permission Changes
Pay attention to any third-party app that requests new scopes or expanded permissions, especially if this happens outside of standard change management. Any app whose granted scopes increase unexpectedly (say, a read-only integration now asking for write or admin privileges) should be treated with suspicion. Regular reviews can also catch when an app's originally needed access has quietly broadened over time. The moment a connected app's access changes, it warrants immediate verification of who approved it and why.
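One way to automate this check is to diff successive snapshots of the OAuth grant inventory. The following is an added example, not part of the original article; the app ids, scope strings and the keyword list used to recognise write or admin scopes are constructed assumptions.

```python
from typing import Dict, List, Set

# Assumption: scopes containing these words grant more than read access.
HIGH_IMPACT = ("write", "admin", "delete", "full_access")

def is_high_impact(scope: str) -> bool:
    return any(word in scope.lower() for word in HIGH_IMPACT)

def scope_drift(previous: Dict[str, Set[str]],
                current: Dict[str, Set[str]]) -> List[dict]:
    """Diff two {app_id: scopes} snapshots; report new apps and gained scopes."""
    findings = []
    for app, scopes in sorted(current.items()):
        baseline = previous.get(app)
        added = scopes if baseline is None else scopes - baseline
        if not added:
            continue  # unchanged, or the app only lost scopes
        was_read_only = baseline is not None and not any(map(is_high_impact, baseline))
        escalation = [s for s in added if is_high_impact(s)]
        if escalation and was_read_only:
            severity = "high"    # read-only integration now holds write/admin
        elif escalation or baseline is None:
            severity = "medium"  # new app, or more high-impact scopes
        else:
            severity = "low"     # additional read-style scopes
        findings.append({"app": app, "new_app": baseline is None,
                         "added": sorted(added), "severity": severity})
    return findings

# Constructed sample snapshots (app ids and scope strings are made up).
YESTERDAY = {
    "calendar-helper": {"calendar.read"},
    "crm-sync": {"contacts.read", "contacts.write"},
    "notes-bot": {"files.read"},
}
TODAY = {
    "calendar-helper": {"calendar.read", "mail.read", "users.admin"},
    "crm-sync": {"contacts.read", "contacts.write"},
    "notes-bot": {"files.read", "files.metadata.read"},
    "pdf-export": {"files.read"},
}

if __name__ == "__main__":
    for finding in scope_drift(YESTERDAY, TODAY):
        print(finding)
```

Each finding still needs the approval context the paragraph above calls for: who consented to the new scopes, and through which change process.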
Risky or Unvetted Connected Apps
Not all OAuth apps are equal; some are far more dangerous than others. Security teams should identify and scrutinize risky apps in their environment. Signs of a risky app include those with very broad or high-impact permissions (e.g., full access to email or drive data), apps from unverified or unknown publishers, or those authorized by only a handful of users in the company (especially if one of those users is a privileged account). An app whose purpose doesn't seem to match the permissions it's asking for is a huge warning sign. Imagine a calendar scheduling app requesting the ability to read all your emails. Such anomalies in app profiles should be detected and either blocked or closely monitored.
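The signs listed above can be turned into a simple triage ranking over the connected-app inventory. This is an added example, not code from the article or from any vendor; the category-to-scope mapping, the weights, the "handful" threshold and all sample records are constructed assumptions.

```python
# Assumption: scope families each app category plausibly needs (constructed).
EXPECTED = {"calendar": {"calendar"}, "crm": {"contacts", "calendar"},
            "storage": {"files"}}
BROAD = {"mail.full_access", "files.full_access"}  # constructed scope names
HANDFUL = 3  # assumption: this many authorizing users or fewer is "a handful"

def triage(app, privileged_users):
    """Score one connected-app record; return (score, reasons)."""
    reasons = []
    families = {scope.split(".")[0] for scope in app["scopes"]}
    mismatch = sorted(families - EXPECTED.get(app["category"], set()))
    if mismatch:
        reasons.append((3, "scopes outside stated purpose: " + ", ".join(mismatch)))
    if BROAD & set(app["scopes"]):
        reasons.append((3, "broad, high-impact scope"))
    if not app["publisher_verified"]:
        reasons.append((2, "unverified publisher"))
    if len(app["authorized_by"]) <= HANDFUL:
        reasons.append((1, "authorized by only a handful of users"))
        if privileged_users & set(app["authorized_by"]):
            reasons.append((1, "one of them is a privileged account"))
    return sum(points for points, _ in reasons), [text for _, text in reasons]

def rank(apps, privileged_users):
    """Return [(name, score, reasons)] with the riskiest app first."""
    scored = [(a["name"], *triage(a, privileged_users)) for a in apps]
    return sorted(scored, key=lambda row: row[1], reverse=True)

# Constructed inventory; names, scopes and users are made up.
PRIVILEGED = {"it-admin"}
APPS = [
    {"name": "crm-connector", "category": "crm", "scopes": ["contacts.read"],
     "publisher_verified": True,
     "authorized_by": ["u%d" % i for i in range(25)]},
    {"name": "meeting-scheduler", "category": "calendar",
     "scopes": ["calendar.read", "mail.read"],
     "publisher_verified": False, "authorized_by": ["it-admin"]},
    {"name": "team-drive-backup", "category": "storage",
     "scopes": ["files.full_access"], "publisher_verified": True,
     "authorized_by": ["u%d" % i for i in range(40)]},
]

if __name__ == "__main__":
    for name, score, reasons in rank(APPS, PRIVILEGED):
        print(score, name, reasons)
```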
Abnormal OAuth Usage Patterns
Monitor for OAuth tokens or app integrations being used in unusual ways. This includes surges in data access volume, access occurring at odd times or from atypical locations, or an app suddenly querying data it normally wouldn't. For example, a benign chatbot app performing a bulk export of CRM data at 1 AM is a red flag. Such anomalies could mean an attacker is leveraging a stolen token or that the app itself has been compromised to exfiltrate data under the guise of normal access.
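The baselining approach described earlier, applied to the chatbot scenario above: each app is compared only against its own history, so a nightly sync job is not flagged for doing what it always does. This is an added example, not part of the original article; the event fields, app names and the volume threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def build_baseline(history):
    """Per app: hours it is active, resources it touches, median records per call."""
    hours, resources, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in history:
        hours[e["app"]].add(e["hour"])
        resources[e["app"]].add(e["resource"])
        volumes[e["app"]].append(e["records"])
    return {app: {"hours": hours[app], "resources": resources[app],
                  "median": median(volumes[app])} for app in volumes}

def deviations(baseline, event, volume_factor=10):
    """List the ways one API event departs from its app's own baseline."""
    profile = baseline.get(event["app"])
    if profile is None:
        return ["app has no baseline"]
    reasons = []
    if event["hour"] not in profile["hours"]:
        reasons.append("unusual hour")
    if event["resource"] not in profile["resources"]:
        reasons.append("resource never accessed before")
    # volume_factor is an assumed threshold; tune it per environment.
    if event["records"] > volume_factor * max(profile["median"], 1):
        reasons.append("volume far above median")
    return reasons

# Constructed audit history: app names, resources and counts are made up.
HISTORY = [{"app": "support-chatbot", "hour": h, "resource": "tickets", "records": r}
           for h, r in [(9, 12), (10, 8), (11, 15), (13, 10), (14, 20), (16, 9)]]
HISTORY += [{"app": "crm-sync", "hour": h, "resource": "crm_contacts", "records": 500}
            for h in (1, 2, 3)]
BASELINE = build_baseline(HISTORY)

NORMAL = {"app": "support-chatbot", "hour": 10, "resource": "tickets", "records": 14}
BULK_EXPORT = {"app": "support-chatbot", "hour": 1,
               "resource": "crm_contacts", "records": 48000}
NIGHTLY_SYNC = {"app": "crm-sync", "hour": 2,
                "resource": "crm_contacts", "records": 520}

if __name__ == "__main__":
    for event in (NORMAL, BULK_EXPORT, NIGHTLY_SYNC):
        print(event["app"], event["hour"], deviations(BASELINE, event))
```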
Unusual Data Access or Actions
Beyond just volumes of access, look at what a user or app is doing with its SaaS access. Indicators of compromise include mass downloading of files or records, large-scale data deletions or transfers, or querying data that is sensitive or outside of an account's normal scope. If a low-level employee's API key starts retrieving all customer records, or a third-party sales plug-in begins modifying user permissions, those are highly unusual actions that likely point to malicious use. Treat any such event as a potential incident. It could be an attacker using stolen credentials or an internal user abusing their access. Behavioral context is what separates a legitimate integration from an exploited one.
Conclusion: Trust, But Proactively Verify
GTG-1002 showed the world that cyberattacks can now unfold at a scale that breaks traditional defenses. Because of this, we need living, breathing insight into what our apps, tokens, and identities are doing at all times.
Every access should be dynamically evaluated against expected behavior: "Is this normal for this app? Is this action safe for this user?" Only by asking these questions incessantly, and arming ourselves with tools that can answer them in real time, can we hope to catch a machine-powered attack before it's too late.
This is also where dynamic SaaS security platforms like Reco come into play. Reco's solution is built around automated verification of SaaS identities, tokens, and integrations, effectively closing the loop that traditional controls leave open. It uses an AI-powered graph to map relationships between users, apps, and data, and constantly compares an entity's granted privileges to its observed behavior.
Figure 2: Reco's generative AI application discovery
When an app or account starts doing something it shouldn't, like downloading abnormal amounts of data, connecting to a new service, or misusing a permission, Reco flags it in real time. Instead of persistent blind trust, you get adaptive trust: if something drifts out of line, you know about it immediately. This oversight is how we bring the "verify" back into "trust but verify" on a continuous basis.
It's time to evolve our SaaS security from static to dynamic, so that even as attackers accelerate, our defenses are always one step (or one CPU cycle) ahead.
About the Author: Ophir Kelman is the Head of Threat Detection at Reco, where he specializes in detection engineering, threat hunting, and threat detection strategies. Previously, he served as a Group Leader in the Cyber Center of Israel's elite Unit 8200, leading research and development teams across multiple cybersecurity domains. With deep expertise in identifying and neutralizing sophisticated threats, he is passionate about advancing the field of security detection and building resilient defense systems.