Weaponised OAuth apps allow persistent access to cloud accounts
Proofpoint researchers have identified an increase in the use of weaponised OAuth applications by threat actors aiming to prolong their access to cloud environments, even after typical security responses such as password resets or multifactor authentication are implemented.
Cloud account takeover attacks remain an area of significant concern.
Cybercriminals and state-sponsored groups have been observed utilising malicious OAuth applications to acquire and maintain persistent access to compromised environments. These tactics facilitate ongoing account hijacking, reconnaissance, data exfiltration, and further malicious activities, according to recent research from Proofpoint.
Once an attacker has secured entry to a cloud account, they have the capability to both create and authorise internal applications, often termed second-party applications, with customised scopes and permissions. This can supply persistent access to assets such as mailboxes and files, circumventing typical defence strategies like enforced password changes and MFA.
Proofpoint has developed a demonstration tool to automate the creation of malicious internal applications in a compromised cloud context, documenting how these tools can overcome prevalent cloud security controls. Their findings also include an analysis of a real-world incident enabled by this attack vector.
OAuth application distinction
In cloud environments such as Microsoft Entra ID, there is a critical distinction between second-party and third-party applications. Second-party applications are established within an organisation's tenant and are managed by administrators, generating an implicit level of trust. Third-party applications, in contrast, are registered externally and generally inspected more rigorously.
This internal trust is increasingly leveraged by attackers, who prefer the stealth and persistence of second-party app registrations over their third-party counterparts during exploitation. These second-party applications are typically harder to detect and more likely to bypass existing security controls.
Attack methodology
Initial rogue access to targeted cloud user accounts is typically achieved using reverse proxy toolkits and crafted phishing campaigns.
Attackers harvest credentials and session cookies, enabling them to register new internal applications using the compromised account's privileges. By configuring specific permissions and API scopes, and then authorising these applications, attackers ensure that access to critical resources is retained even after security interventions such as password resets or MFA enforcement.
According to the Proofpoint researchers, the automation process is as follows: starting from a compromised user, the tool registers a new application with chosen permissions, usually making the compromised account its owner. This approach enables the malicious application to appear as a legitimate internal resource.
The tool generates cryptographic client secrets and collects OAuth token types, including access, refresh, and ID tokens. These measures create durable access for the threat actor. The research indicated that even after an incident response step such as a password reset, the malicious application's tokens and secrets continue to function, maintaining access to Microsoft 365 data such as emails, documents, Teams data, and calendar information.
The presence of such a rogue application is observable in the Microsoft Entra ID administration interface under 'App Registrations', where associated metadata, permissions, and authentication settings are displayed. Client secrets are commonly set with long expiry periods, sometimes up to two years, providing attackers significant undetected access until security teams intervene or the secret expires.
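The three traits described above (a data-access scope paired with offline_access, a client secret valid far longer than a year, and an owner who is an ordinary user rather than an administrator) can be checked mechanically across an export of app registrations. The following is an added example, not Proofpoint's tool or any Microsoft code: it triages records shaped like Microsoft Graph /applications objects, with owners flattened to a list of object ids (as returned with $expand=owners). The scope-id lookup is assumed for the example; in a real run it should be built from the Microsoft Graph service principal's oauth2PermissionScopes, and the inventory at the bottom is constructed.

```python
"""Triage Entra ID app registrations for the OAuth persistence pattern:
data scope + offline_access, long-lived secret, non-admin owner."""
from datetime import datetime, timedelta

# Well-known appId of the Microsoft Graph resource.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Assumed delegated-scope lookup; resolve from the Graph service principal's
# oauth2PermissionScopes in production.
SCOPE_NAMES = {
    "570282fd-fa5c-430d-a7fd-fc8dc98a9dca": "Mail.Read",
    "7427e0e9-2fba-42f2-b2ab-1ed0b3d8b5c9": "offline_access",
    "e1fe6dd8-ba31-4d61-89e7-88639da4683d": "User.Read",
}
# Scopes that expose mailbox or file contents.
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}
# Secrets valid for more than a year are flagged (the research saw up to two years).
MAX_SECRET_LIFETIME = timedelta(days=365)


def parse_ts(value):
    """Parse a Graph ISO-8601 timestamp such as 2024-03-01T09:14:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def requested_scopes(app):
    """Names of the delegated Microsoft Graph scopes the registration requests."""
    names = set()
    for resource in app.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != GRAPH_APP_ID:
            continue
        for access in resource["resourceAccess"]:
            if access["type"] == "Scope":
                names.add(SCOPE_NAMES.get(access["id"], access["id"]))
    return names


def triage_application(app, admin_ids):
    """Return a list of finding strings for one registration (empty if clean)."""
    findings = []
    scopes = requested_scopes(app)
    data = scopes & DATA_SCOPES
    if data and "offline_access" in scopes:
        findings.append("data-scope-with-refresh-token: " + ", ".join(sorted(data | {"offline_access"})))
    for cred in app.get("passwordCredentials", []):
        lifetime = parse_ts(cred["endDateTime"]) - parse_ts(cred["startDateTime"])
        if lifetime > MAX_SECRET_LIFETIME:
            findings.append(f"long-lived-secret: keyId {cred['keyId']} valid {lifetime.days} days")
    non_admin_owners = set(app.get("owners", [])) - set(admin_ids)
    if non_admin_owners:
        findings.append("owned-by-regular-user: " + ", ".join(sorted(non_admin_owners)))
    return findings


def scan(apps, admin_ids):
    """Map appId -> findings for every registration that has at least one."""
    results = {}
    for app in apps:
        findings = triage_application(app, admin_ids)
        if findings:
            results[app["appId"]] = findings
    return results


def graph_scopes(*scope_ids):
    """Build a requiredResourceAccess entry for delegated Graph scopes."""
    return {"resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": s, "type": "Scope"} for s in scope_ids]}


# Constructed inventory: a rogue 'test' registration like the one in the
# research, a clean line-of-business app, and an old app with an over-long secret.
SAMPLE_APPS = [
    {"appId": "app-0001", "displayName": "test", "owners": ["user-finance-01"],
     "passwordCredentials": [{"keyId": "key-0001", "startDateTime": "2024-03-01T09:14:00Z",
                              "endDateTime": "2026-03-01T09:14:00Z"}],
     "requiredResourceAccess": [graph_scopes("570282fd-fa5c-430d-a7fd-fc8dc98a9dca",
                                             "7427e0e9-2fba-42f2-b2ab-1ed0b3d8b5c9")]},
    {"appId": "app-0002", "displayName": "HR Portal", "owners": ["admin-01"],
     "passwordCredentials": [{"keyId": "key-0002", "startDateTime": "2024-01-01T00:00:00Z",
                              "endDateTime": "2024-07-01T00:00:00Z"}],
     "requiredResourceAccess": [graph_scopes("e1fe6dd8-ba31-4d61-89e7-88639da4683d")]},
    {"appId": "app-0003", "displayName": "Legacy sync", "owners": ["admin-01"],
     "passwordCredentials": [{"keyId": "key-0003", "startDateTime": "2023-01-01T00:00:00Z",
                              "endDateTime": "2025-01-01T00:00:00Z"}],
     "requiredResourceAccess": [graph_scopes("e1fe6dd8-ba31-4d61-89e7-88639da4683d")]},
]

if __name__ == "__main__":
    for app_id, findings in scan(SAMPLE_APPS, {"admin-01"}).items():
        print(app_id, *findings, sep="\n  ")
```

Each finding on its own is a weak signal (a legacy integration may legitimately hold a two-year secret), so the useful output is the registration that collects all three, which is exactly the shape of the 'test' app in the case that follows.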
Real-world case analysis
The research details a real-world attack identified via Proofpoint telemetry, lasting four days.
The breach began with an Adversary-in-the-Middle phishing campaign, most likely using the Tycoon phishing kit. The attacker operated through US-based VPN endpoints, created custom mailbox rules, and registered an internal application labelled 'test', which included Mail.Read and offline_access permissions. The attacker maintained access to the mailbox, even after a password change, for four days. The persistence of the application following the enforced password change demonstrates the active exploitation of this vector.
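The registration in this case leaves a short, characteristic trail in the Entra ID audit log: the same non-admin user adds an application, adds a credential to it and consents to it within minutes, and the registration is still present after that user's password is later reset. The detector below is an added example, not part of Proofpoint's research or tooling: it correlates records shaped like Graph /auditLogs/directoryAudits entries into that chain. The activity names are the ones Entra displays but are treated here as assumptions to confirm against your own tenant's logs, and the sample events are constructed.

```python
"""Correlate Entra ID audit events into the rogue app-registration chain."""
from collections import defaultdict
from datetime import datetime, timedelta

# Audit activityDisplayName values (assumed; verify against your tenant's log).
ADD_APP = "Add application"
ADD_CREDENTIAL = "Update application – Certificates and secrets management"
CONSENT = "Consent to application"
DELETE_APP = "Delete application"
RESET_PASSWORD = "Reset user password"
CHAIN = (ADD_APP, ADD_CREDENTIAL, CONSENT)
CHAIN_WINDOW = timedelta(minutes=30)


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def initiator(event):
    """UPN of the user who initiated the event, or None for app-initiated events."""
    user = (event.get("initiatedBy") or {}).get("user") or {}
    return user.get("userPrincipalName")


def target_name(event):
    return event["targetResources"][0]["displayName"]


def password_resets(events):
    """Latest password-reset time per target user."""
    resets = {}
    for e in events:
        if e["activityDisplayName"] == RESET_PASSWORD:
            upn = e["targetResources"][0]["userPrincipalName"]
            ts = parse_ts(e["activityDateTime"])
            resets[upn] = max(ts, resets.get(upn, ts))
    return resets


def find_rogue_registrations(events, admin_upns):
    """One alert per (user, app) that completed the chain within CHAIN_WINDOW."""
    events = sorted(events, key=lambda e: e["activityDateTime"])
    by_user_app = defaultdict(list)
    for e in events:
        upn = initiator(e)
        if upn and upn not in admin_upns and e["activityDisplayName"] in CHAIN + (DELETE_APP,):
            by_user_app[(upn, target_name(e))].append(e)
    resets = password_resets(events)
    alerts = []
    for (upn, app), evs in by_user_app.items():
        steps = {e["activityDisplayName"]: parse_ts(e["activityDateTime"]) for e in evs}
        if not all(step in steps for step in CHAIN):
            continue
        chain_times = [steps[step] for step in CHAIN]
        if max(chain_times) - min(chain_times) > CHAIN_WINDOW:
            continue
        registered = steps[ADD_APP]
        reset_at = resets.get(upn)
        alerts.append({
            "user": upn, "app": app, "registered": registered.isoformat(),
            "removed": DELETE_APP in steps,
            # The mailbox stays reachable after the reset unless the app is gone.
            "survives_reset": reset_at is not None and reset_at > registered and DELETE_APP not in steps,
        })
    return alerts


def event(ts, activity, by, target, target_upn=None):
    """Build a constructed audit record in the directoryAudits shape."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": by}},
            "targetResources": [{"displayName": target, "userPrincipalName": target_upn}]}


# Constructed sample: the 'test' chain, an admin-created app, a user who only
# registered an app, and a next-day password reset of the compromised user.
SAMPLE_EVENTS = [
    event("2024-03-01T09:10:00Z", ADD_APP, "j.doe@example.com", "test"),
    event("2024-03-01T09:12:00Z", ADD_CREDENTIAL, "j.doe@example.com", "test"),
    event("2024-03-01T09:14:00Z", CONSENT, "j.doe@example.com", "test"),
    event("2024-03-01T11:00:00Z", ADD_APP, "admin@example.com", "HR Portal"),
    event("2024-03-01T13:00:00Z", ADD_APP, "a.lee@example.com", "My script"),
    event("2024-03-02T08:00:00Z", RESET_PASSWORD, "admin@example.com", "j.doe",
          target_upn="j.doe@example.com"),
]

if __name__ == "__main__":
    for alert in find_rogue_registrations(SAMPLE_EVENTS, {"admin@example.com"}):
        print(alert)
```

The survives_reset flag is the point of the correlation: a password reset that is not followed by a Delete application event for the same user's registration has not actually closed the access, which is what the four-day persistence in this case shows.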
Recommendations
Proofpoint researchers emphasise immediate remediation upon discovering a suspicious or confirmed malicious application, recommending the following:
Client Secret Revocation: Immediately invalidate all client secrets and remove existing certificates to terminate the application's ability to request new tokens.
User Token Revocation: Immediately revoke all existing user tokens.
Application Removal: Delete the entire application registration, revoke all granted permissions, and remove associated service principals.
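The order of those three steps matters: revoking a user's sign-in sessions does nothing to tokens the application obtains with its own client secret, so the credentials go first. The following is an added example, not Proofpoint's tooling or a Microsoft sample: it runs the three steps as Microsoft Graph v1.0 calls through a minimal client interface, so the plan can be exercised against the in-memory stand-in below before it is pointed at a real session. The object ids, key ids and grant ids are constructed.

```python
"""Ordered remediation of a rogue app registration via Microsoft Graph calls."""


class FakeGraph:
    """Tiny stand-in for a Graph session: holds tenant state and records calls."""

    def __init__(self, applications, service_principals, grants):
        self.applications = applications
        self.service_principals = service_principals
        self.grants = grants
        self.revoked_users = []
        self.calls = []

    def request(self, method, path, body=None):
        self.calls.append((method, path))
        kind, obj_id, *action = path.strip("/").split("/")
        if kind == "applications":
            app = self.applications.get(obj_id)
            if method == "GET":
                return app
            if method == "POST" and action == ["removePassword"]:
                app["passwordCredentials"] = [c for c in app["passwordCredentials"]
                                              if c["keyId"] != body["keyId"]]
            elif method == "PATCH":
                app.update(body)
            elif method == "DELETE":
                del self.applications[obj_id]
        elif kind == "servicePrincipals" and method == "DELETE":
            del self.service_principals[obj_id]
        elif kind == "oauth2PermissionGrants" and method == "DELETE":
            del self.grants[obj_id]
        elif kind == "users" and action == ["revokeSignInSessions"]:
            self.revoked_users.append(obj_id)
        return None


def remediate(client, app_object_id, sp_object_id, grant_ids, user_ids):
    """Run the three recommended steps in order and return the call log."""
    app = client.request("GET", f"/applications/{app_object_id}")
    # Step 1: with its secrets and certificates gone the app cannot mint new tokens.
    for cred in app.get("passwordCredentials", []):
        client.request("POST", f"/applications/{app_object_id}/removePassword",
                       {"keyId": cred["keyId"]})
    if app.get("keyCredentials"):
        # removeKey needs a proof-of-possession JWT; clearing the list by PATCH does not.
        client.request("PATCH", f"/applications/{app_object_id}", {"keyCredentials": []})
    # Step 2: refresh tokens held for the affected users stop working.
    for uid in user_ids:
        client.request("POST", f"/users/{uid}/revokeSignInSessions")
    # Step 3: remove what was granted, then the principal, then the registration.
    for gid in grant_ids:
        client.request("DELETE", f"/oauth2PermissionGrants/{gid}")
    client.request("DELETE", f"/servicePrincipals/{sp_object_id}")
    client.request("DELETE", f"/applications/{app_object_id}")
    return client.calls


def build_fake_tenant():
    """Constructed tenant holding one rogue 'test' registration."""
    return FakeGraph(
        applications={"obj-app-1": {"displayName": "test",
                                    "passwordCredentials": [{"keyId": "key-1"}, {"keyId": "key-2"}],
                                    "keyCredentials": [{"keyId": "cert-1"}]}},
        service_principals={"obj-sp-1": {"displayName": "test"}},
        grants={"grant-1": {"scope": "Mail.Read offline_access"}},
    )


if __name__ == "__main__":
    tenant = build_fake_tenant()
    for method, path in remediate(tenant, "obj-app-1", "obj-sp-1", ["grant-1"], ["user-1"]):
        print(method, path)
```

Two caveats for a real run: a deleted application registration can be restored from the directory's deleted items for a limited period, so a thorough clean-up also purges it from there, and the user-token step covers the compromised account's own sessions only, which is why the client-credential revocation has to come first rather than being left to the final deletion.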
Continuous monitoring of internal (line-of-business) applications is advised, with automatic remediation to disrupt persistent unauthorised access. User training is also advised to help personnel recognise potentially malicious applications and to treat unexpected consent prompts with suspicion. Immediate reporting of unauthorised or unknown application authorisations is encouraged.