Hijacked OAuth Apps: Your Cloud’s Secret Backdoor

Summary
– Attackers are increasingly using malicious internal OAuth applications to maintain persistent access to cloud environments, even after password resets or MFA enforcement.
– OAuth is an authorization protocol that allows apps to access accounts via tokens, and attackers trick users into granting access to malicious third-party apps or exploit high-privilege accounts to create internal ones.
– Proofpoint researchers developed a proof-of-concept toolkit that automates the creation of malicious internal OAuth apps, which appear legitimate and operate independently of user credential changes.
– Malicious internal OAuth apps can access sensitive resources like emails and documents and may go unnoticed by blending in with legitimate applications, requiring active monitoring for detection.
– Organizations should train users to spot suspicious apps, monitor application authorizations, and quickly revoke tokens and remove malicious apps to prevent persistent access and further attacks.
Security experts are raising the alarm about a sophisticated method cybercriminals use to maintain long-term access to corporate cloud systems. By hijacking internal OAuth applications, attackers can establish a stealthy backdoor that persists even after organizations reset passwords or activate multi-factor authentication (MFA). This technique allows unauthorized individuals to operate undetected for extended periods, posing a severe risk to sensitive company data.
OAuth is a widely used authorization framework that lets an application act on a user's account, for example a Microsoft 365 mailbox, without ever seeing the user's password. The application receives tokens instead: a short-lived access token and, if it asked for offline access, a refresh token it can redeem for new access tokens. Attackers abuse this in two well-known ways. They trick users into consenting to a malicious third-party app, or they manipulate a target into completing the login flow and handing over the resulting authorization code, which the attacker then exchanges for tokens bound to a rogue application.
The technique described here takes a different route: compromise an account through phishing or credential theft, then create or modify a second-party, or internal, OAuth application. Internal apps are registered directly in the organization's own tenant, normally by its own staff, so they carry no third-party publisher to scrutinize and sit next to legitimate line-of-business registrations. The article frames this as requiring a high-privilege account; in practice the bar is often lower, because the default Microsoft Entra ID tenant setting "Users can register applications" allows any member account to create app registrations unless an administrator has turned it off.
Proofpoint researchers built a proof-of-concept toolkit that automates the setup of such an app. It registers an application with the permissions the attacker wants, and records the compromised user account as the app's owner, so the registration looks like an ordinary internal asset. The app then completes the OAuth authorization-code flow, exchanging its authorization code for access, refresh, and ID tokens. Because the app authenticates as a confidential client with its own client secret, the refresh tokens issued to it are not tied to the user's password: a password reset, or enabling MFA afterwards, does not revoke them, and the app keeps refreshing its access until someone explicitly revokes the user's sessions or removes the secret.
Depending on the permissions assigned, a hijacked OAuth application can reach a wide range of corporate resources. This includes email correspondence, SharePoint documents, calendar entries, Teams messages and channel content, as well as files stored in OneDrive. Because these apps look like standard internal tools, they often go unnoticed. In one documented incident, attackers created an internal app named “test”, a label so ordinary it attracted no scrutiny.
Without proactive discovery and remediation, such an application remains usable until an administrator intervenes or the client secret expires, and the attacker chooses that expiry when adding the secret. Detection therefore has to be active: review new app registrations, who owns them, which delegated permissions they request (offline_access together with mail, files, sites or chat scopes is the combination to look for), and when credentials were added. The Entra ID audit log records the relevant events as "Add application", "Add owner to application", "Update application – Certificates and secrets management" and "Consent to application". Organizations should also teach employees to recognize unexpected consent prompts and to report unfamiliar application authorizations immediately.
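The review described above, as an added example that is not Proofpoint's toolkit or code from the article. It scores app registrations against the signals the text lists (recent creation, high-value delegated scopes, a generic name, a secret added right after registration, and one account that registered, owns and consented to the app). The inventory and audit records are constructed inline in the shape Microsoft Graph returns for `/applications?$expand=owners` and the directory audit log, with permission IDs already resolved to scope names and `targetResources` flattened to a single `target` field; those two simplifications are assumptions of the example.

```python
"""Triage Entra ID app registrations for attacker-created internal OAuth apps.

Added example, not the article's or Proofpoint's code. Records below are
constructed; in production they come from GET /applications?$expand=owners
and GET /auditLogs/directoryAudits, with requiredResourceAccess IDs resolved
to scope names first (that resolution step is assumed, not shown).
"""
from datetime import datetime, timedelta, timezone

# Delegated scopes that give an attacker the data the article lists.
# offline_access matters most: it is what yields a refresh token.
HIGH_VALUE_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Files.Read.All",
    "Files.ReadWrite.All", "Sites.Read.All", "Calendars.Read",
    "Chat.Read", "ChannelMessage.Read.All",
}
GENERIC_NAMES = {"test", "app", "demo", "new app", "myapp"}
LOOKBACK = timedelta(days=30)
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed clock for the sample


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps Graph emits into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed inventory (trimmed /applications output, scopes already resolved).
APPS = [
    {"id": "obj-1", "appId": "app-1", "displayName": "test",
     "createdDateTime": "2024-06-08T09:12:00Z",
     "owners": [{"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "j.doe@corp.example"}],
     "scopes": ["offline_access", "Mail.Read", "Files.Read.All"],
     "passwordCredentials": [{"keyId": "k-1", "startDateTime": "2024-06-08T09:13:00Z"}]},
    {"id": "obj-2", "appId": "app-2", "displayName": "HR Onboarding Portal",
     "createdDateTime": "2023-01-15T10:00:00Z",
     "owners": [{"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "it-admin@corp.example"}],
     "scopes": ["User.Read"],
     "passwordCredentials": [{"keyId": "k-2", "startDateTime": "2023-01-15T10:05:00Z"}]},
]

# Constructed directory audit events (targetResources flattened to 'target').
AUDIT = [
    {"activityDisplayName": "Add application", "initiatedBy": "j.doe@corp.example", "target": "obj-1"},
    {"activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": "j.doe@corp.example", "target": "obj-1"},
    {"activityDisplayName": "Consent to application", "initiatedBy": "j.doe@corp.example", "target": "obj-1"},
    {"activityDisplayName": "Add application", "initiatedBy": "it-admin@corp.example", "target": "obj-2"},
]


def triage(apps, audit, now=NOW):
    """Return {app object id: [reasons]} for every app, empty list when clean."""
    findings = {}
    for app in apps:
        reasons = []
        created = _ts(app["createdDateTime"])
        if now - created <= LOOKBACK:
            reasons.append(f"registered {(now - created).days} days ago")
        risky = sorted(HIGH_VALUE_SCOPES & set(app["scopes"]))
        if risky:
            note = " (offline_access yields refresh tokens)" if "offline_access" in risky else ""
            reasons.append("requests high-value scopes: " + ", ".join(risky) + note)
        name = app["displayName"].strip().lower()
        if name in GENERIC_NAMES or len(name) < 5:
            reasons.append(f"generic display name {app['displayName']!r}")
        # A secret minted within an hour of registration is the toolkit's pattern.
        for cred in app.get("passwordCredentials", []):
            delay = _ts(cred["startDateTime"]) - created
            if delay <= timedelta(hours=1):
                minutes = int(delay.total_seconds() // 60)
                reasons.append(f"client secret {cred['keyId']} added {minutes} min after registration")
                break
        events = [e for e in audit if e["target"] == app["id"]]
        creators = {e["initiatedBy"] for e in events if e["activityDisplayName"] == "Add application"}
        consenters = {e["initiatedBy"] for e in events if e["activityDisplayName"] == "Consent to application"}
        owners = {o["userPrincipalName"] for o in app["owners"]
                  if o["@odata.type"] == "#microsoft.graph.user"}
        # One compromised account doing everything is the signature of this attack.
        if len(creators) == 1 and creators == owners and creators <= consenters:
            reasons.append(f"one account ({next(iter(creators))}) registered, owns and consented to the app")
        findings[app["id"]] = reasons
    return findings


def suspicious(apps, audit, now=NOW, min_reasons=3):
    """Object ids worth an analyst's time, most suspicious first."""
    found = triage(apps, audit, now)
    return sorted((i for i, r in found.items() if len(r) >= min_reasons),
                  key=lambda i: -len(found[i]))


if __name__ == "__main__":
    for app_id in suspicious(APPS, AUDIT):
        print(app_id)
        for reason in triage(APPS, AUDIT)[app_id]:
            print("  -", reason)
```

The threshold of three reasons keeps legitimate apps that happen to trip one signal (a secret added at creation time, as most admins do) out of the queue; tune it to your tenant, and treat the "one account did everything" signal as the strongest of the set.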
If a malicious OAuth app is identified, remediation should cut off access before cleaning up: remove the app's client secrets (and certificates) first, revoke the affected users' sign-in sessions so already-issued refresh tokens stop working, delete the app's permission grants, and then remove both the service principal and the application registration. Deleted registrations are soft-deleted and restorable for 30 days, so purge them as well. Continuous monitoring of business applications, paired with automated remediation, keeps an attacker from re-establishing persistence, and cutting the app off also removes the foothold from which further operations such as internal phishing or data theft would be launched.
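The remediation sequence above expressed as an ordered set of Microsoft Graph calls, as an added example rather than anything from the article or Proofpoint. The plan is a plain list of (method, URL, body) tuples and `run` sends them through whatever callable you pass, so it can be dry-run offline; the object and key IDs in the usage are constructed placeholders, and a real `send` would attach a bearer token for an administrator with the relevant directory roles (that wrapper is assumed, not shown).

```python
"""Ordered takedown of a confirmed malicious Entra ID app registration.

Added example, not the article's or Proofpoint's code. Endpoints are the
documented Microsoft Graph v1.0 routes; IDs passed in the demo are placeholders.
"""
GRAPH = "https://graph.microsoft.com/v1.0"


def remediation_plan(app_object_id, sp_object_id, secret_key_ids,
                     grant_ids, role_assignment_ids, user_ids):
    """Return Graph calls in the order that cuts off access fastest."""
    steps = []
    # 1. Secrets first: a confidential client cannot redeem or renew its
    #    refresh tokens without them, which ends the persistence immediately.
    for key_id in secret_key_ids:
        steps.append(("POST", f"{GRAPH}/applications/{app_object_id}/removePassword",
                      {"keyId": key_id}))
    # 2. Revoke the victims' sessions: invalidates every refresh token issued
    #    to applications for those users, including ones the attacker holds.
    for uid in user_ids:
        steps.append(("POST", f"{GRAPH}/users/{uid}/revokeSignInSessions", None))
    # 3. Remove consent: delegated grants and any application-permission roles.
    for gid in grant_ids:
        steps.append(("DELETE", f"{GRAPH}/oauth2PermissionGrants/{gid}", None))
    for rid in role_assignment_ids:
        steps.append(("DELETE",
                      f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignments/{rid}", None))
    # 4. Delete the service principal, then the registration.
    steps.append(("DELETE", f"{GRAPH}/servicePrincipals/{sp_object_id}", None))
    steps.append(("DELETE", f"{GRAPH}/applications/{app_object_id}", None))
    # 5. Deleted registrations sit in the recycle bin for 30 days and can be
    #    restored by anyone with the right role, so purge it permanently.
    steps.append(("DELETE", f"{GRAPH}/directory/deletedItems/{app_object_id}", None))
    return steps


def run(plan, send):
    """Execute the plan through send(method, url, body); returns per-step results."""
    return [(method, url, send(method, url, body)) for method, url, body in plan]


def dry_run(method, url, body):
    """Placeholder transport for offline use; swap in an HTTP client for real."""
    return f"would {method} {url}" + (f" with {body}" if body else "")


if __name__ == "__main__":
    plan = remediation_plan("obj-1", "sp-1", ["k-1"], ["grant-1"], [], ["user-1"])
    for _, _, outcome in run(plan, dry_run):
        print(outcome)
```

Keep the order: deleting the registration first leaves already-issued refresh tokens usable until they expire, whereas removing the secret and revoking sessions ends the attacker's access within minutes.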
(Source: HelpNet Security)