Cybercriminals are exploiting a gap in how organizations govern their own OAuth applications to keep long-term access to compromised accounts, even after password resets and multifactor authentication enforcement. Proofpoint researchers have uncovered ongoing attacks in which adversaries register internal malicious web applications, consent them to permissions, and then use the tokens those apps obtain to retain control over mailboxes, documents, and other cloud resources.
How Attackers Exploit OAuth to Maintain Unauthorized Access
The Proofpoint team described several incidents in which attackers hijacked user accounts, typically via phishing, and then silently registered internal OAuth applications inside the victim's tenant. By consenting those apps to permissions such as "Mail.Read" (read the user's mailbox) and "offline_access" (receive a refresh token, so access can be renewed without the user signing in again), adversaries established durable access that no longer depended on the user's credentials.
One observed case showed the sequence clearly: an attacker compromised an account, operated covertly for four days through U.S.-based VPNs, and created a malicious internal app named “test.” Even after the victim reset their password and enabled multifactor authentication, the attacker retained mailbox access through the previously issued token.
“Once an attacker gains access to a cloud account, they can create and authorize internal applications with custom-defined scopes and permissions. This capability enables persistent access to critical resources such as mailboxes and files, effectively circumventing traditional security measures like password changes,” Proofpoint researchers warned.
The app's own credential (a client secret or certificate) and the tokens it obtains are independent of the user's password: they stay valid until they expire or are explicitly revoked. Resetting the user's credentials therefore does not terminate access that was granted to the application.
Internal OAuth Applications: A Trusted Attack Surface Inside the Organization
The persistence stems from how second-party (internal) OAuth applications are handled. Such apps originate within the organization's own directory, so they inherit implicit trust and escape the scrutiny applied to third-party applications. External apps are now typically gated by stricter approval processes, but internal registrations are rarely audited, so a malicious registration can sit unnoticed for as long as its secret is valid.
“The strategic value of this approach lies in its persistence mechanism: even if the compromised user’s credentials are reset or multifactor authentication is enforced, the malicious OAuth applications maintain their authorized access,” the researchers noted.
Proofpoint's proof-of-concept demonstrated how easily attackers can automate this persistence. Their code registers and configures an OAuth app, grants it elevated permissions, and establishes ongoing access that is independent of user credentials. Because the compromised user is recorded as the app's owner, the registration looks like ordinary user activity, which further complicates detection.
Technical Scope of Impact Across Microsoft 365 Services
The Proofpoint team tested the technique against a Microsoft 365 account. Even after the password was changed, the malicious OAuth app kept uninterrupted access and successfully retrieved mailbox contents. Depending on the permissions granted, adversaries could access:
- SharePoint repositories and collaborative workspaces
- OneDrive-stored files
- Teams messages and channel communications
- Calendar and scheduling data
- Organizational directories and contacts
Access persisted for as long as the app's client secret remained valid, which can be up to two years (the longest lifetime the Entra portal allows when a secret is created), unless the secret was explicitly revoked. The attack effectively decouples persistence from user credentials and shifts the defensive focus to identity and application governance.
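Because internal registrations are rarely reviewed, the practical starting point is an inventory sweep of what already exists in the tenant. The Python script below is an added example, not Proofpoint's code or Microsoft tooling: it takes application, servicePrincipal, owner and oauth2PermissionGrant objects as exported from Microsoft Graph and flags the pattern described above (fresh registration, ownership by an unsanctioned user, a long-lived client secret, and delegated consent for mailbox scopes or offline_access). The three record sets, the fixed clock, the 180-day secret policy and the list of sanctioned owners are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the run is reproducible (assumption for the example).
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
MAX_SECRET_DAYS = 180   # assumed tenant policy for client-secret lifetime
NEW_APP_DAYS = 30       # registrations younger than this deserve a look
RISKY_SCOPES = {        # delegated scopes that reach mail/files or yield refresh tokens
    "mail.read", "mail.readwrite", "files.read.all", "sites.read.all", "offline_access",
}

# Constructed sample objects; shapes follow Graph /applications, /servicePrincipals,
# /applications/{id}/owners and /oauth2PermissionGrants, trimmed to the fields used here.
APPLICATIONS = [
    {"id": "app-1", "appId": "a1", "displayName": "test", "createdDateTime": "2025-09-20T03:11:00Z",
     "passwordCredentials": [{"keyId": "k1", "endDateTime": "2027-09-20T03:11:00Z"}]},
    {"id": "app-2", "appId": "a2", "displayName": "HR Sync", "createdDateTime": "2024-02-01T09:00:00Z",
     "passwordCredentials": [{"keyId": "k2", "endDateTime": "2025-12-01T00:00:00Z"}]},
    {"id": "app-3", "appId": "a3", "displayName": "Expense Bot", "createdDateTime": "2025-03-05T12:00:00Z",
     "passwordCredentials": []},
]
OWNERS = {"app-1": ["jane.doe@contoso.example"], "app-2": ["svc-admin@contoso.example"],
          "app-3": ["bob.lee@contoso.example"]}
SERVICE_PRINCIPALS = [{"id": "sp-1", "appId": "a1"}, {"id": "sp-2", "appId": "a2"}, {"id": "sp-3", "appId": "a3"}]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "u-jane", "scope": "Mail.Read offline_access"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read.All"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "u-bob", "scope": "User.Read"},
]
SANCTIONED_OWNERS = {"svc-admin@contoso.example"}   # assumed: identities allowed to own production apps


def _ts(s):
    """Parse a Graph ISO-8601 timestamp such as 2025-09-20T03:11:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def assess_app(app, owners, grants, sanctioned_owners, now=NOW):
    """Return the reasons one registration looks like a persistence foothold ([] if clean)."""
    reasons = []
    age = now - _ts(app["createdDateTime"])
    if age <= timedelta(days=NEW_APP_DAYS):
        reasons.append(f"registered {age.days} days ago")
    for cred in app.get("passwordCredentials", []):
        life = _ts(cred["endDateTime"]) - now
        if life > timedelta(days=MAX_SECRET_DAYS):
            reasons.append(f"client secret {cred['keyId']} valid for another {life.days} days")
    unsanctioned = [o for o in owners if o not in sanctioned_owners]
    if unsanctioned:
        reasons.append("owned by unsanctioned user(s): " + ", ".join(unsanctioned))
    for g in grants:
        hit = sorted(set(g["scope"].lower().split()) & RISKY_SCOPES)
        if hit:
            reasons.append(f"{g['consentType']} consent for {' '.join(hit)}")
    return reasons


def hunt(applications, owners_by_app, service_principals, grants, sanctioned_owners, now=NOW):
    """Join app -> service principal -> permission grants and return {displayName: reasons}."""
    sp_by_appid = {sp["appId"]: sp["id"] for sp in service_principals}
    grants_by_sp = {}
    for g in grants:
        grants_by_sp.setdefault(g["clientId"], []).append(g)
    findings = {}
    for app in applications:
        sp_id = sp_by_appid.get(app["appId"])
        reasons = assess_app(app, owners_by_app.get(app["id"], []),
                             grants_by_sp.get(sp_id, []), sanctioned_owners, now)
        if reasons:
            findings[app["displayName"]] = reasons
    return findings


if __name__ == "__main__":
    ranked = sorted(hunt(APPLICATIONS, OWNERS, SERVICE_PRINCIPALS, GRANTS, SANCTIONED_OWNERS).items(),
                    key=lambda kv: -len(kv[1]))
    for name, reasons in ranked:
        print(f"{name}: {len(reasons)} indicator(s)")
        for r in reasons:
            print("  -", r)
```

On the constructed data the "test" app collects all four indicators while the admin-owned "HR Sync" app is clean; the join through the service principal matters because consent grants are recorded against the service principal, not the application object, so a review that only lists registrations never sees the scopes.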
Recommended Mitigations and Defensive Actions
Security teams are urged to immediately review and harden their OAuth management practices. Proofpoint’s advisory outlined several critical countermeasures:
- Immediately invalidate every client secret and certificate on the malicious app so it can no longer obtain new tokens, and revoke the compromised user's refresh tokens and active sessions.
- Delete the compromised application registration and revoke all previously granted permissions and service principals.
- Implement continuous monitoring of internal app creation and authorization events to detect anomalous behavior.
- Enforce least-privilege OAuth permissions and conduct periodic reviews of app scopes across cloud tenants.
- Restrict who can register applications and grant consent in the tenant (in Entra ID these are the "Users can register applications" and user-consent settings; conditional access governs sign-in conditions, not registrations) and alert on any registration that bypasses the approval process.
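For the monitoring item above, the following Python script is an added example, not code from Proofpoint's advisory: it correlates Entra ID audit-log events by initiator and target application, recognises the register, add-secret, consent sequence from the incident described earlier, and grades it by whether a client secret was added and which scopes were consented. The event records are constructed, their field names are flattened from the Graph directoryAudit shape (initiatedBy.user.userPrincipalName to initiatedBy, targetResources[0].displayName to target, the ConsentAction.Permissions modified property to scope), and the 24-hour window and sanctioned-creator list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# activityDisplayName values Entra ID writes for the steps of the sequence.
ADD_APP = "Add application"
ADD_SP = "Add service principal"
ADD_SECRET = "Update application – Certificates and secrets management"
CONSENT = "Consent to application"
RISKY_SCOPES = {"mail.read", "mail.readwrite", "files.read.all", "sites.read.all", "offline_access"}
WINDOW = timedelta(hours=24)   # assumed: how long after the registration we keep correlating

SANCTIONED_CREATORS = {"svc-admin@contoso.example"}   # assumed: identities allowed to register apps
# Constructed audit records (flattened directoryAudit entries).
AUDIT_EVENTS = [
    {"activityDateTime": "2025-09-10T09:00:00Z", "activityDisplayName": ADD_APP,
     "initiatedBy": "svc-admin@contoso.example", "target": "HR Sync"},
    {"activityDateTime": "2025-09-10T09:01:00Z", "activityDisplayName": CONSENT,
     "initiatedBy": "svc-admin@contoso.example", "target": "HR Sync", "scope": "User.Read.All"},
    {"activityDateTime": "2025-09-16T14:02:00Z", "activityDisplayName": ADD_APP,
     "initiatedBy": "jane.doe@contoso.example", "target": "test"},
    {"activityDateTime": "2025-09-16T14:02:05Z", "activityDisplayName": ADD_SP,
     "initiatedBy": "jane.doe@contoso.example", "target": "test"},
    {"activityDateTime": "2025-09-16T14:03:40Z", "activityDisplayName": ADD_SECRET,
     "initiatedBy": "jane.doe@contoso.example", "target": "test"},
    {"activityDateTime": "2025-09-16T14:05:12Z", "activityDisplayName": CONSENT,
     "initiatedBy": "jane.doe@contoso.example", "target": "test", "scope": "Mail.Read offline_access"},
    {"activityDateTime": "2025-09-18T11:00:00Z", "activityDisplayName": ADD_APP,
     "initiatedBy": "bob.lee@contoso.example", "target": "Expense Bot"},
]


def _ts(s):
    """Parse a Graph ISO-8601 timestamp such as 2025-09-16T14:02:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(events, sanctioned_creators, window=WINDOW):
    """Correlate audit events per (initiator, app); return one graded alert per unsanctioned registration."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["activityDateTime"]):
        by_key[(e["initiatedBy"], e["target"])].append(e)

    alerts = []
    for (user, app), evs in by_key.items():
        if user in sanctioned_creators:
            continue
        names = [e["activityDisplayName"] for e in evs]
        if ADD_APP not in names:
            continue   # this pass only looks at fresh registrations
        start = _ts(evs[names.index(ADD_APP)]["activityDateTime"])
        in_window = [e for e in evs if timedelta(0) <= _ts(e["activityDateTime"]) - start <= window]
        secret_added = any(e["activityDisplayName"] == ADD_SECRET for e in in_window)
        scopes = set()
        for e in in_window:
            if e["activityDisplayName"] == CONSENT:
                scopes |= set(e.get("scope", "").lower().split())
        risky = sorted(scopes & RISKY_SCOPES)
        # A secret plus mailbox/offline scopes is the full persistence kit; either alone still merits review.
        if secret_added and risky:
            severity = "high"
        elif secret_added or risky:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"user": user, "app": app, "severity": severity, "secret_added": secret_added,
                       "risky_scopes": risky,
                       "chronology": [(e["activityDateTime"], e["activityDisplayName"]) for e in in_window]})
    return sorted(alerts, key=lambda a: ("high", "medium", "low").index(a["severity"]))


if __name__ == "__main__":
    for a in detect(AUDIT_EVENTS, SANCTIONED_CREATORS):
        print(f"[{a['severity'].upper()}] {a['user']} registered '{a['app']}' "
              f"(secret added: {a['secret_added']}, risky scopes: {' '.join(a['risky_scopes']) or 'none'})")
        for when, what in a["chronology"]:
            print("   ", when, what)
```

On the sample log the "test" registration by jane.doe comes out high (secret added, Mail.Read plus offline_access consented within three minutes), the admin's "HR Sync" registration is skipped, and bob.lee's lone "Expense Bot" registration is surfaced as low for review. In production the same grouping runs over the directoryAudit feed; an "Update application – Certificates and secrets management" event against an existing app is a separate detection worth adding, because a compromised owner can add a secret to an app that was registered long ago.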
Revocation of OAuth tokens and secrets is a crucial first response to suspected account compromise. Traditional measures—like credential resets—no longer suffice once malicious internal applications have been authorized.
Proofpoint researchers concluded that the abuse of internal OAuth mechanisms represents a new class of persistence technique that blends social engineering, identity compromise, and cloud-native exploitation. As cloud ecosystems expand, organizations must extend their defensive visibility beyond credentials to include the OAuth trust fabric itself.