Hackers Exploit OAuth Apps to Keep Cloud Access Even After Password Resets

Cloud account takeover attacks have evolved beyond simple credential theft. Cybercriminals are now exploiting OAuth applications to maintain persistent access to compromised environments, bypassing traditional security measures like password resets and multifactor authentication.

Cloud account takeover (ATO) attacks have become a significant concern in recent years, with cybercriminals and state-sponsored actors increasingly adopting malicious OAuth applications as a means to gain persistent access within compromised environments.

These attacks allow malicious actors to hijack user accounts, conduct reconnaissance, exfiltrate data, and launch further malicious activities.

Proofpoint researchers have demonstrated how these attacks can be fully automated, and threat actors are already actively exploiting these vulnerabilities in the wild.

The security implications are particularly concerning. Once an attacker gains access to a cloud account, they can create and authorize internal (second-party) applications with custom-defined scopes and permissions.

This capability enables persistent access to critical resources such as mailboxes and files, effectively circumventing traditional security measures like password changes.

To better understand and demonstrate this attack vector, Proofpoint researchers have developed a tool that automates the creation of malicious internal applications within a compromised cloud environment.

This article provides an in-depth technical analysis of that tool and its implications for enterprise security. Additionally, real-world incidents detected through telemetry offer concrete evidence of how threat actors are actively exploiting such weaknesses in the wild.

Understanding OAuth Application Types

In the context of cloud environments, particularly Microsoft Entra ID, it’s crucial to understand the distinction between second-party and third-party applications.

Second-party applications are registered directly within an organization’s tenant. Also known as internal applications, they are generally created and managed by the organization’s administrators or users with appropriate privileges.

Second-party applications inherit a level of implicit trust within the environment, as they originate from within the organization’s own directory.

Third-party applications are registered in external tenants and request access to resources in other organizations’ tenants. Common examples include widely-used services like Zoom or DocuSign.

Application creation process. In the example the app name is ‘justSOMEniceAPP’.

Third-party applications typically undergo additional scrutiny through administrative consent workflows and organizational security policies before being granted access.

This distinction is particularly relevant from a security perspective, as threat actors often prefer creating second-party applications during post-exploitation phases.

These internal applications can be more difficult to detect and may bypass security controls designed primarily for external application monitoring.

How Attackers Establish Persistent Access

Cybercriminals often leverage a combination of techniques to gain initial access to cloud user accounts. One common tactic is the use of reverse proxy toolkits accompanied by individualized phishing lures that enable the theft of credentials and session cookies.

Once the attackers have stolen a user’s login credentials, they can establish unauthorized access to the targeted accounts, setting the stage for the next phases of the attack.

The fact that such applications and their secrets remain visible in standard administrative interfaces underscores the importance of regular application auditing and monitoring, as malicious applications may blend in with legitimate business applications unless specifically scrutinized.

Location of application secrets in Microsoft Azure.

Following successful initial access, attackers often pivot to creation and deployment of malicious OAuth applications. This process typically involves leveraging the compromised account’s privileges to register new internal applications, configuring specific permissions and API scopes for maximum impact, and authorizing these applications to access critical organizational resources.

The strategic value of this approach lies in its persistence mechanism: even if the compromised user’s credentials are reset or multifactor authentication is enforced, the malicious OAuth applications maintain their authorized access.

This creates a resilient backdoor that can remain undetected within the environment indefinitely, unless specifically identified and remediated.

Proofpoint researchers have developed an automated toolkit which demonstrates methods by which threat actors establish persistent access through malicious OAuth applications.

The proof-of-concept implements several key capabilities that mirror real-world attack scenarios, including automated OAuth application registration and configuration, customizable permission scope selection, persistent access mechanism independent of user credentials, and configurable application naming conventions.

Starting from an initially compromised account, the tool streamlines the post-exploitation process through automated application creation.

While this demonstration uses randomized application names, real-world threat actors typically employ deceptive naming strategies that mimic legitimate business applications to avoid detection.

During the automated deployment process, an application is registered with pre-configured permission scopes that align with the attacker’s objectives.

A critical aspect of this implementation is the ownership attribution: the compromised user account becomes the registered owner of the newly created application, effectively establishing it as a legitimate internal resource within the organization’s environment.

This ownership model provides several tactical advantages. The application appears as an internally developed resource and the authentication requests originate from within the organization’s tenant.

The application inherits trust relationships associated with internal resources, and standard third-party application security controls may not detect or flag this activity.

Upon successful application registration, the tool automatically establishes two critical authentication components: application secret generation and token harvest.

The tool first creates a cryptographic client secret for the application, which serves as the application’s own authentication credential. The automation then proceeds to collect multiple OAuth token types, including an access token, a refresh token, and an ID token.

Following the password reset, the tool demonstrates the sustained effectiveness of the malicious application’s access through several key activities.

It successfully retrieves user mailbox contents and maintains continuous access to incoming and historical emails, now operating independently of user credential changes.

User emails accessed even after password change.

The scope of unauthorized access extends well beyond email, encompassing SharePoint documents, OneDrive stored files, Teams messages, calendar information, organizational contacts, and other Microsoft 365 resources.

Real-World Attack Observed in the Wild

Proofpoint telemetry revealed a real-world account takeover incident that persisted for four days. The initial compromise was detected through a successful login attempt using a user agent signature most likely associated with Adversary-in-the-Middle (AiTM) phishing attacks, specifically the Tycoon phishing kit.

Demonstration of user password change.

The threat actor, operating through US-based VPN proxies, executed several malicious actions: created malicious mailbox rules, registered an internal application named ‘test’, and added application secrets with Mail.Read and offline_access permissions, enabling persistent access to the victim’s mailbox even after password changes.

After approximately four days, the user’s password was changed, following which failed login attempts were observed from a Nigerian residential IP address, suggesting the threat actor’s possible origin. However, the application remained active.
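The persistence mechanism described above and the incident just recounted share one audit-log signature: a user registers an internal application and, minutes later, adds a client secret to it. The following detection logic is an added example written for this article, not Proofpoint's tool or Microsoft's code; it assumes records shaped like the Microsoft Graph directoryAudit object (activityDisplayName, activityDateTime, initiatedBy, targetResources), that the activity names match what Entra ID writes, and uses constructed log entries that mirror the 'test' application from the case study.

```python
"""Flag the app-registration-then-secret pattern in Entra ID audit logs.
Record shape follows the Graph directoryAudit object; sample records and
activity names are assumptions, adjust them to your tenant's exports."""
from datetime import datetime, timedelta

# Constructed sample: 'victim' registers an app named 'test' and adds a
# secret 89 seconds later (the pattern from the article); 'dev' only
# registers an app and is the benign control case.
AUDIT_LOG = [
    {"activityDateTime": "2025-01-10T09:02:11Z",
     "activityDisplayName": "Add application",
     "initiatedBy": {"user": {"userPrincipalName": "victim@example.com"}},
     "targetResources": [{"displayName": "test", "type": "Application"}]},
    {"activityDateTime": "2025-01-10T09:03:40Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "victim@example.com"}},
     "targetResources": [{"displayName": "test", "type": "Application"}]},
    {"activityDateTime": "2025-01-10T11:00:00Z",
     "activityDisplayName": "Add application",
     "initiatedBy": {"user": {"userPrincipalName": "dev@example.com"}},
     "targetResources": [{"displayName": "Payroll Sync", "type": "Application"}]},
]

SECRET_EVENT = "Update application – Certificates and secrets management"

def _ts(rec):
    return datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def _key(rec):
    """(initiating user, target application name) for one audit record."""
    actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
    apps = [t["displayName"] for t in rec.get("targetResources", [])
            if t.get("type") == "Application"]
    return actor, (apps[0] if apps else "")

def find_app_persistence(records, window_hours=24):
    """Return (actor, app, registered_at, secret_added_at) for each app a
    user both registered and gave a client secret within window_hours."""
    registrations, findings = {}, []
    for rec in sorted(records, key=_ts):
        key = _key(rec)
        if rec["activityDisplayName"] == "Add application":
            registrations[key] = _ts(rec)
        elif rec["activityDisplayName"] == SECRET_EVENT and key in registrations:
            if _ts(rec) - registrations[key] <= timedelta(hours=window_hours):
                findings.append((key[0], key[1], registrations[key], _ts(rec)))
    return findings

if __name__ == "__main__":
    for actor, app, created, secret_at in find_app_persistence(AUDIT_LOG):
        print(f"ALERT {actor} registered '{app}' at {created}, secret added {secret_at}")
```

Correlating each finding with the initiating user's recent sign-ins (for example, an unfamiliar user agent as in the case above) and with the app's requested scopes such as Mail.Read and offline_access turns this from a hunting query into an alert worth paging on.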

This case study serves as a concrete example demonstrating that these threats are not merely theoretical, but active, exploited risks in the current threat landscape.
