Hackers Using Microsoft Entra ID OAuth Applications

In order to obtain persistent access, hackers are increasingly abusing OAuth applications in Microsoft Entra ID. These applications pose as legitimate "business integrations" and keep access alive even after defenders reset passwords. According to recent Wiz research and incident reports, attackers steal tokens and sustain long-term footholds in Microsoft 365 environments by using fake OAuth apps, misleading consent prompts, and redirect URLs.

Figure: Proactive detection pipeline that identifies new malicious OAuth applications in dozens of organizations (source: Wiz)

The persistence mechanism

When an app is registered in Microsoft Entra ID, an application object is created in the app's "home" tenant. That application object serves as a template for the service principals created in the other tenants where the application is used.

The service principal is the app's local identity within a tenant; it also defines which resources the app can access once it has been granted permissions through consent or registration. Attackers take advantage of this model by persuading a user (or administrator) to consent to a malicious or attacker-controlled OAuth application, which creates an integration that works like an always-on access path.

Figure: Teams' single global App ID and distinct Service Principal ID per company (source: Wiz)

According to MITRE, adversaries can use OAuth app integrations for persistence, for example by granting consent from a high-privileged account so that access is retained even if they later lose that account.

Because these integrations authenticate with application access tokens, they may help get around MFA, and in certain situations they continue to function even after the original consenting user has been disabled. Wiz recently detailed practical methods attackers use to make a consent screen appear authentic. In one example, the app name relies on a lookalike trick: it begins with the digit zero rather than the letter "O."

launched the "OAuth Apps Scout" detection pipeline to uncover newly discovered malicious OAuth apps. Proofpoint's threat reporting linked campaigns observed in early 2025 to fake Microsoft OAuth applications: using kits such as Tycoon, impersonated apps (with Adobe and DocuSign themes, among others) led victims into attacker-in-the-middle phishing flows.

Figure: Users were tricked by the attack into granting OAuth consent for fake document-sharing apps (source: Wiz)

In 2025, Proofpoint reported attempted account compromises against nearly 3,000 user accounts across more than 900 Microsoft 365 environments, with a confirmed success rate of more than 50%.

Defensive measures

Microsoft's consent model gives administrators the authority to decide whether users may consent to applications at all and to impose requirements that need administrator approval.

Enabling an admin consent workflow shifts risky app authorization decisions to designated reviewers: when users are not permitted to consent, they see an "approval required" prompt instead. Operationally, defenders should treat OAuth apps and service principals as inventory that needs regular review. Pay particular attention to apps that are new or uncommon, odd redirect/reply URLs, and high-impact permissions that do not match the app's stated purpose.
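The review described above, and the lookalike app-name trick mentioned earlier (a zero in place of the letter "O"), can be turned into a repeatable triage pass over the tenant's service principals and consent grants. The script below is an added example written for this article, not Wiz's, Proofpoint's or Microsoft's code. Its input records are constructed samples whose field names follow the shape of Microsoft Graph servicePrincipal and oauth2PermissionGrant objects (in practice you would export those with Graph and feed them in); the trusted reply-URL hosts, impersonated brand list and high-impact scope list are assumptions to be tuned per organization.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample inventory (invented values, modeled on Graph object shapes).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso HR Sync",
     "createdDateTime": "2023-02-10T09:00:00Z",
     "replyUrls": ["https://hr.contoso.example/auth/callback"],
     "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    {"id": "sp-2", "displayName": "0ffice Document Share",   # digit zero, not "O"
     "createdDateTime": "2025-05-29T14:12:00Z",
     "replyUrls": ["https://docs-share-login.example.net/cb"],
     "verifiedPublisher": None},
    {"id": "sp-3", "displayName": "Adobe Cloud Viewer",
     "createdDateTime": "2025-05-30T08:00:00Z",
     "replyUrls": ["http://127.0.0.1:8080/redirect"],
     "verifiedPublisher": None},
]

PERMISSION_GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "scope": "User.Read"},
    {"clientId": "sp-2", "consentType": "Principal",
     "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "scope": "User.Read openid"},
]

# Assumed tuning lists: adjust to the organization under review.
TRUSTED_REPLY_HOSTS = {"hr.contoso.example"}
IMPERSONATED_BRANDS = ["office", "microsoft", "adobe", "docusign", "sharepoint"]
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                      "Sites.ReadWrite.All", "Directory.ReadWrite.All"}

# Digits commonly substituted for letters in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_name(name):
    """Lowercase the name and fold digit lookalikes back to letters."""
    return name.lower().translate(CONFUSABLES)


def age_flags(sp, now, max_age_days=30):
    """Flag apps registered recently; new apps deserve a closer look."""
    created = datetime.fromisoformat(sp["createdDateTime"].replace("Z", "+00:00"))
    age = (now - created).days
    return [f"registered {age} day(s) ago"] if age <= max_age_days else []


def brand_flags(sp, brands):
    """Flag brand names that only appear after lookalike folding, or brand
    names used by an app with no verified publisher."""
    raw, norm = sp["displayName"].lower(), normalize_name(sp["displayName"])
    flags = []
    for brand in brands:
        if brand in norm and brand not in raw:
            flags.append(f"homoglyph brand name: normalizes to '{brand}'")
        elif brand in raw and not sp.get("verifiedPublisher"):
            flags.append(f"uses brand '{brand}' without verified publisher")
    return flags


def reply_url_flags(sp, trusted_hosts):
    """Flag reply/redirect URLs that are not HTTPS or point outside trusted hosts."""
    flags = []
    for url in sp.get("replyUrls", []):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            flags.append(f"non-https reply URL: {url}")
        if host not in trusted_hosts:
            flags.append(f"reply URL host not in trusted list: {host}")
    return flags


def scope_flags(grants, sp_id, high_impact):
    """Flag high-impact delegated scopes, tenant-wide consent to them,
    and offline_access (the app receives refresh tokens)."""
    flags = []
    for g in grants:
        if g["clientId"] != sp_id:
            continue
        scopes = set(g["scope"].split())
        risky = sorted(scopes & high_impact)
        flags += [f"high-impact delegated scope: {s}" for s in risky]
        if risky and g["consentType"] == "AllPrincipals":
            flags.append("tenant-wide (AllPrincipals) consent to high-impact scopes")
        if "offline_access" in scopes:
            flags.append("offline_access: app receives refresh tokens for continued access")
    return flags


def triage(service_principals, grants, now, trusted_hosts, brands, high_impact):
    """Return {displayName: [flags]} for every service principal."""
    return {sp["displayName"]: (age_flags(sp, now) + brand_flags(sp, brands)
                                + reply_url_flags(sp, trusted_hosts)
                                + scope_flags(grants, sp["id"], high_impact))
            for sp in service_principals}


def review_queue(report):
    """Flagged app names, most flags first, ties broken alphabetically."""
    ranked = sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [name for name, flags in ranked if flags]


if __name__ == "__main__":
    report = triage(SERVICE_PRINCIPALS, PERMISSION_GRANTS, NOW,
                    TRUSTED_REPLY_HOSTS, IMPERSONATED_BRANDS, HIGH_IMPACT_SCOPES)
    for name in review_queue(report):
        print(name)
        for flag in report[name]:
            print("  -", flag)
```

On the sample data the long-standing, verified "Contoso HR Sync" app produces no flags, while "0ffice Document Share" is surfaced first (recent registration, lookalike name, external reply host, mail and file scopes plus offline_access) and the unverified "Adobe Cloud Viewer" second. The flags are deliberately independent so a reviewer can see which combination made an app suspicious rather than a single opaque score; tenant-wide consent and high-impact scopes are the ones worth routing through the admin consent workflow described above.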
