Hackers are increasingly abusing OAuth applications in Microsoft Entra ID to gain persistent access, blending in as normal “business integrations” while keeping access even after defenders reset passwords.
Recent Wiz research and incident reporting show attackers using fake OAuth apps, deceptive consent prompts, and redirect URLs to steal tokens and maintain long-term footholds in Microsoft 365 environments.

How the persistence works
In Microsoft Entra ID, an app registration creates an application object in the app’s “home” tenant. That application object acts as a blueprint for service principals created in other tenants where the app is used.
A service principal is the local identity for the app in a tenant and defines what the app can do in that tenant, including which resources it can access once permissions are granted through registration or consent.
Attackers exploit this model by convincing a user (or admin) to grant consent to a malicious or attacker-controlled OAuth app, which can establish an integration that functions like an always-on access path.

MITRE notes adversaries can use OAuth app integrations for persistence, including by granting consent from a high-privileged account to maintain access even if they later lose that account.
In some cases, these integrations can remain valid even after the original consenting user is disabled, and they may also help bypass MFA via application access tokens.
Wiz recently described real-world tricks that make a consent screen look legitimate, such as an app name that starts with a zero in place of the letter “O.”
Wiz also introduced a detection pipeline called “OAuth Apps Scout” to surface emerging malicious OAuth applications. Threat reporting from Proofpoint tied fake Microsoft OAuth applications to campaigns observed in early 2025.
Impersonated apps (including Adobe and DocuSign themes) redirected victims into attacker-in-the-middle phishing flows using kits such as Tycoon.

Proofpoint reported attempted account compromises affecting nearly 3,000 user accounts across more than 900 Microsoft 365 environments in 2025, with a confirmed success rate exceeding 50%.
Defensive steps
Microsoft’s consent model allows admins to decide whether user consent is required and to enforce conditions that require administrator review and approval.
Enabling an admin consent workflow can force “approval required” prompts when users aren’t allowed to consent, shifting risky app authorization decisions to designated reviewers.
Operationally, defenders should treat OAuth apps and service principals as inventory that must be continuously reviewed, with special scrutiny for new or low-prevalence apps, unusual redirect/reply URLs, and high-impact permissions that don’t match an app’s stated purpose.
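The review described above can be scripted. The following is an added example, not code from the article, Wiz or Proofpoint: a small triage pass over exported Entra ID data that flags the warning signs this page names (look-alike app names with a digit in place of a letter, reply URLs on unexpected hosts, high-impact delegated permissions, tenant-wide admin consent, and grants whose consenting user has since been disabled). It assumes three exports as lists of dicts using Microsoft Graph field names: servicePrincipal (id, displayName, replyUrls), oAuth2PermissionGrant (clientId, principalId, consentType, scope) and user (id, accountEnabled). The trusted-host list, brand list and all sample records are constructed for the example.

```python
"""Triage exported Entra ID OAuth app data for the warning signs the article lists.

Added example; not from the article, Wiz or Proofpoint. Field names follow the
Microsoft Graph servicePrincipal, oAuth2PermissionGrant and user objects; the
records, trusted hosts and brand list below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Delegated scopes that grant broad or durable access; tune per tenant.
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All", "offline_access",
}
# Hosts this (hypothetical) tenant's approved integrations may redirect to.
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "app.contoso-vendor.example"}
# Brand prefixes attackers mimic, compared after folding digit look-alikes.
KNOWN_BRANDS = ("office", "onedrive", "outlook", "microsoft", "adobe", "docusign")
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s"}


def looks_like_homoglyph_name(name: str, brands: Iterable[str]) -> Optional[str]:
    """Return the brand a display name mimics via digit-for-letter swaps, else None."""
    lowered = name.lower()
    folded = "".join(HOMOGLYPHS.get(c, c) for c in lowered)
    for brand in brands:
        # Flag only when folding changed the prefix: "0neDrive" yes, "OneDrive" no.
        if folded.startswith(brand) and not lowered.startswith(brand):
            return brand
    return None


def untrusted_reply_urls(reply_urls: Iterable[str]) -> List[str]:
    """Return redirect/reply URLs whose host is not on the tenant's trusted list."""
    return [u for u in reply_urls
            if (urlparse(u).hostname or "") not in TRUSTED_REDIRECT_HOSTS]


def triage(service_principals, grants, users) -> Dict[str, List[str]]:
    """Map each suspicious app's display name to the reasons it was flagged."""
    disabled_users = {u["id"] for u in users if not u.get("accountEnabled", True)}
    scopes_by_client = defaultdict(set)
    tenant_wide, granted_by_disabled = set(), set()
    for g in grants:
        # oAuth2PermissionGrant.clientId is the client service principal's object id.
        scopes_by_client[g["clientId"]].update(g.get("scope", "").split())
        if g.get("consentType") == "AllPrincipals":
            tenant_wide.add(g["clientId"])          # admin consent for every user
        elif g.get("principalId") in disabled_users:
            granted_by_disabled.add(g["clientId"])  # grant outlives its user

    findings: Dict[str, List[str]] = {}
    for sp in service_principals:
        reasons = []
        brand = looks_like_homoglyph_name(sp["displayName"], KNOWN_BRANDS)
        if brand:
            reasons.append(f"display name mimics '{brand}' with digit look-alikes")
        bad_urls = untrusted_reply_urls(sp.get("replyUrls", []))
        if bad_urls:
            reasons.append("reply URL(s) on untrusted host: " + ", ".join(bad_urls))
        risky = sorted(scopes_by_client[sp["id"]] & HIGH_IMPACT_SCOPES)
        if risky:
            reasons.append("high-impact delegated scopes: " + " ".join(risky))
        if sp["id"] in tenant_wide:
            reasons.append("tenant-wide admin consent (AllPrincipals)")
        if sp["id"] in granted_by_disabled:
            reasons.append("consent granted by a now-disabled user account")
        if reasons:
            findings[sp["displayName"]] = reasons
    return findings


# Constructed sample exports (not real tenant data).
SAMPLE_USERS = [
    {"id": "u-1", "accountEnabled": True},
    {"id": "u-2", "accountEnabled": False},   # former employee, account disabled
]
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "0neDrive Sync",
     "replyUrls": ["https://files-sync.example.net/callback"]},
    {"id": "sp-2", "displayName": "Contoso Expense Connector",
     "replyUrls": ["https://app.contoso-vendor.example/auth"]},
    {"id": "sp-3", "displayName": "Mailbox Archiver",
     "replyUrls": ["https://login.microsoftonline.com/common/oauth2/nativeclient"]},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "principalId": "u-1", "consentType": "Principal",
     "scope": "Mail.ReadWrite offline_access User.Read"},
    {"clientId": "sp-2", "principalId": "u-1", "consentType": "Principal",
     "scope": "User.Read"},
    {"clientId": "sp-3", "principalId": "u-2", "consentType": "Principal",
     "scope": "Mail.Read offline_access"},
]

if __name__ == "__main__":
    for app, reasons in triage(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS, SAMPLE_USERS).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

On the sample data the connector with a trusted reply URL and only User.Read produces no finding, while the look-alike app and the archiver whose consenting user is now disabled are both listed with every reason that applies. In practice the same three exports can be pulled with the Graph API or the Microsoft Graph PowerShell module and the lists of trusted hosts and high-impact scopes adjusted to the tenant's approved integrations.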
