Attackers turn trusted OAuth apps into cloud backdoors

Attackers are increasingly abusing internal OAuth-based applications to gain persistent access to cloud environments, Proofpoint researchers warn.

These apps often remain unnoticed for quite some time and allow attackers to maintain access to high-privileged accounts even after passwords are reset or multifactor authentication (MFA) is enforced.

What is OAuth and how do attackers exploit it?

OAuth is an authorization protocol that lets apps connect to your account (e.g., M365) safely by using special access tokens instead of your username and password.

Threat actors often trick users into granting malicious third-party (external) OAuth applications access to their accounts. Occasionally, attackers also try to trick targets into creating and sharing authorization codes that will be exchanged for access tokens used by malicious OAuth apps.

Attackers have also been known to compromise high-privilege (e.g., admin) accounts via phishing or password attacks and then using those accounts to create new or modify existent second-party (internal) OAuth applications to achieve their goals.

Second-party applications are registered directly within an organization’s tenant, and are generally created and managed by the organization’s administrators or users with appropriate privileges, Proofpoint researchers explained. As such, they are inherently trusted by organizations and can be more difficult to detect.

Attackers could automate the creation of malicious internal OAuth apps

The researchers have created (but did not make publicly available) a proof-of-concept toolkit that automates the registration and configuration of OAuth applications.

The Future Account Super-Secret Access tool (Source: Proofpoint)

“During the automated deployment process, an application is registered with pre-configured permission scopes that align with the attacker’s objectives. A critical aspect of this implementation is the ownership attribution: the compromised user account becomes the registered owner of the newly created application, effectively establishing it as a legitimate internal resource within the organization’s environment,” they noted.

The applications’ authentication code is used to get access, refresh and ID tokens, which will continue to be valid even if the account password is changed.

“The app now operates independently of user credential changes,” they emphasized. Depending on the configured permissions, it can access a variety of resources: emails, SharePoint documents, Calendar information, Teams messages and channel data, files stored in OneDrive, etc.

Training, monitoring, and quick remediation are key

While the malicious application is visible within the Microsoft Entra ID administrative interface, it may seamlessly blend in with legitimate business applications used within the organization. In a recent real-world attack Proofpoint uncovered, the attackers created an internal app called “test” – a name unlikely to draw any attention.

“Without active discovery and remediation efforts, the application remains a viable attack vector until either administrative action is taken, or the client secret naturally expires,” the researchers added.

Organizations are advised to train their users to spot malicious apps and tenants that seem credible, treat unexpected consent requests as suspicious and promptly report unusual application authorizations. 

If such an application is discovered, remediation should include client secret and user token revocation, and the removal of the application.

“By continuously monitoring your line-of-business apps and applying automatic remediation, you may prevent attackers from establishing persistent access to valuable resources. This can also help to stop them from launching more attacks,” they concluded.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!