Cybersecurity threats keep getting smarter, and one of the latest can thwart the tools that we all use to protect our applications.
Researchers at Proofpoint have uncovered a sophisticated new wave of OAuth app attacks. Hackers are using legitimate OAuth applications to gain long-term access to business cloud environments, even after users reset their passwords or use multi-factor authentication (MFA). This raises the risk for serious data breaches, as hackers can gain ongoing access to your cloud networks.
OAuth App Attacks Explained
OAuth is a convenient and widely trusted technology that allows users to access applications using accounts like Google or Microsoft. It eliminates the need to type a password.
In OAuth application abuse cases, threat actors trick users into authorizing malicious apps that look legitimate. Once approved, these apps receive their own “tokens” with specific permissions to read emails, access files, or manage cloud data.
What makes these attacks especially concerning is that those tokens remain active even if the user enables MFA or changes their password later on. This means OAuth app attacks can give hackers undetected persistent cloud access for weeks or months.
Hackers Can Bypass MFA via OAuth
Typically, MFA is a reliable way to stop unauthorized intrusions. OAuth changes that equation.
Since the attacker never logs into your account with your credentials, no MFA prompt is triggered. Instead, the app you consented to operates with the token and permissions you gave it. In a sense, your normally harmless apps become an insider threat.
OAuth consent phishing is especially dangerous for businesses that use SaaS platforms such as Microsoft 365, Google Workspace, or Slack. Once attackers gain that initial foothold, they can:
- Access sensitive files and emails
- Deploy new internal apps with custom permissions
- Move laterally across connected services
- Launch further attacks from inside your network
The risk to SaaS tokens is serious because traditional defenses like password resets or MFA alone won’t close the door once an OAuth token has been issued; the token must be revoked. It’s also difficult to detect these attacks and cut off the hackers’ access. Attackers love these cloud account takeovers (also called ATOs) because bypassing MFA via OAuth is low-effort, high-impact, and scalable.
What You Can Do To Stop the Threat
While you can’t prevent every attack, you can make your environment much harder to exploit.
- Audit authorized apps: Regularly review which OAuth apps have been granted permissions, and remove anything suspicious or unnecessary.
- Implement conditional access policies: Restrict OAuth app usage to trusted apps or approved vendors.
- Educate your users: Teach employees to be cautious about consent screens and unexpected app access requests.
- Use advanced security monitoring: Invest in a solution that tracks OAuth token activity and alerts you to abnormal behavior.
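One way to put the first and last of these steps into practice is to score every consent grant in the tenant and surface the ones worth reviewing. The script below is an added example, not code from the original post or from Proofpoint: it scores constructed sample grant records (shaped like an export of a tenant's authorized apps, with scope names following the Microsoft Graph convention) and flags apps that are unverified, user-consented, recently granted to few users, or holding mail/file/directory scopes together with offline_access, which is the refresh-token scope that keeps access alive after a password reset. The field names, weights and threshold are this example's own assumptions, not any vendor's API.

```python
"""Audit OAuth app consent grants for signs of consent-phishing abuse.

Added example (not code from the original post or from Proofpoint). The
grant records below are constructed sample data shaped like an export of a
tenant's authorized apps; scope names follow the Microsoft Graph naming
convention. Field names, scoring weights and the threshold are this
example's own assumptions, not any vendor's API.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes that read or modify mail, files or the directory: the permissions a
# consent-phishing app asks for so it can read data or deploy further apps.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Directory.ReadWrite.All",
}
# offline_access yields a refresh token, which is what keeps an app's access
# alive after a password reset or MFA enrolment; scored separately because it
# turns any other scope into persistent access.
PERSISTENCE_SCOPE = "offline_access"


@dataclass(frozen=True)
class AppGrant:
    app_name: str
    publisher_verified: bool
    scopes: tuple[str, ...]
    consent_type: str  # "user" (self-service consent) or "admin"
    granted_at: datetime
    users_consented: int


# Fixed "now" so the example is deterministic (constructed, not a live clock).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample grants: one lookalike phishing app, two sanctioned apps
# and one new low-privilege app.
SAMPLE_GRANTS = [
    AppGrant("Expense Report Helper", False,
             ("Mail.Read", "Files.ReadWrite.All", "offline_access"),
             "user", NOW - timedelta(days=2), 1),
    AppGrant("Corporate Calendar Sync", True,
             ("Calendars.Read", "User.Read"),
             "admin", NOW - timedelta(days=400), 250),
    AppGrant("Legacy Backup Connector", True,
             ("Files.Read.All", "offline_access"),
             "admin", NOW - timedelta(days=300), 120),
    AppGrant("Team Docs Viewer", False,
             ("User.Read",),
             "user", NOW - timedelta(days=1), 1),
]


def score_grant(grant: AppGrant, now: datetime = NOW,
                recent_days: int = 14) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons) for one consent grant."""
    score, reasons = 0, []
    risky = sorted(set(grant.scopes) & HIGH_RISK_SCOPES)
    if risky:
        score += 2 * len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in grant.scopes:
        score += 3
        reasons.append("offline_access: refresh token survives password reset and MFA")
    if not grant.publisher_verified:
        score += 2
        reasons.append("publisher not verified")
    if grant.consent_type == "user":
        score += 1
        reasons.append("granted by user self-service consent, not admin review")
    age = now - grant.granted_at
    if age < timedelta(days=recent_days) and grant.users_consented <= 3:
        score += 1
        reasons.append(f"granted {age.days} day(s) ago to "
                       f"{grant.users_consented} user(s)")
    return score, reasons


def audit(grants: list[AppGrant], now: datetime = NOW,
          threshold: int = 5) -> list[tuple[str, int, list[str]]]:
    """Grants scoring at or above the threshold, highest risk first."""
    findings = []
    for g in grants:
        score, reasons = score_grant(g, now)
        if score >= threshold:
            findings.append((g.app_name, score, reasons))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for name, score, reasons in audit(SAMPLE_GRANTS):
        print(f"[{score:>2}] {name}")
        for r in reasons:
            print(f"      - {r}")
```

On the sample data the lookalike "Expense Report Helper" scores highest, but the sanctioned "Legacy Backup Connector" is also surfaced because a broad file scope combined with offline_access is persistent access regardless of who published the app; that is the kind of grant an audit should confirm is still needed. Each reason string is written so it can be attached to an alert from whatever monitoring the grants are fed into.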
As persistent cloud access exploits become more sophisticated, cybersecurity strategies must evolve as well. The few seconds it takes to enter a password can prevent days or weeks of downtime and the other consequences of a breach.
OAuth has made our digital lives more convenient, but that convenience comes with new risks. If your business relies on cloud apps, now’s the time to strengthen your defenses against OAuth app attacks.