cognitive cybersecurity intelligence

Hackers Weaponizing OAuth Applications for Persistent Cloud Access Even After Password Reset

Cloud account takeover attacks have evolved into a sophisticated threat as cybercriminals and state-sponsored actors increasingly weaponize OAuth applications to establish persistent access within compromised environments.

These malicious actors are exploiting the fundamental trust mechanisms of cloud authentication systems, specifically targeting Microsoft Entra ID environments where they can hijack user accounts, conduct reconnaissance, exfiltrate sensitive data, and launch subsequent attacks with alarming effectiveness.

The security implications of this attack vector are particularly severe because attackers can create and authorize internal second-party applications with custom-defined scopes and permissions once they gain initial access to a cloud account.

This capability enables persistent access to critical organizational resources including mailboxes, SharePoint documents, OneDrive files, Teams messages, and calendar information.

Traditional security measures like password resets and multifactor authentication enforcement prove ineffective against these attacks, because the malicious OAuth applications authenticate with their own client secrets and so retain their authorized access regardless of any change to the user's credentials.

Proofpoint analysts identified this emerging threat pattern through extensive research and real-world incident analysis, developing an automated toolkit that demonstrates how threat actors establish resilient backdoors within cloud environments.

Their investigation revealed that attackers typically gain initial access through reverse proxy toolkits accompanied by individualized phishing lures that enable the theft of both credentials and session cookies.

Once inside, attackers leverage the compromised account’s privileges to register new internal applications that appear as legitimate business resources within the organization’s tenant.

The persistence mechanism operates through a carefully orchestrated process where attackers create second-party applications that inherit implicit trust within the environment.

Application creation process (Source – Proofpoint)

These internal applications are more difficult to detect than third-party applications because they bypass security controls designed primarily for external application monitoring.

The malicious applications can remain undetected within the environment indefinitely unless specifically identified through proactive security auditing, creating a substantial window of opportunity for data exfiltration and reconnaissance activities.

Automated OAuth Persistence: Technical Implementation

The technical sophistication of these attacks becomes evident through automated OAuth application registration and configuration processes.

Attackers deploy tools that streamline post-exploitation activities, registering applications with pre-configured permission scopes aligned with their objectives.

A critical step is to make the compromised user account the registered owner of the newly created application, so that it appears as a legitimate internal resource and inherits the trust extended to internal systems.

During the automated deployment, attackers generate cryptographic client secrets that serve as the application’s authentication credentials, typically configured with extended validity periods of up to two years.

Tokens collected (Source – Proofpoint)

The automation then collects multiple OAuth token types including access tokens, refresh tokens, and ID tokens, each serving distinct purposes in maintaining persistent access.

Proofpoint researchers documented a real-world incident where attackers operating through US-based VPN proxies created an internal application named ‘test’ with Mail.Read and offline_access permissions, maintaining access for four days even after the victim’s password was changed.
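A defender-side triage of the application lifecycle described above, as an added example that is not Proofpoint's toolkit or code from the article: it groups constructed audit-log-style records per application and flags the combination the page describes, an app registered by an ordinary user, a client secret valid well beyond a year, offline_access paired with a data-access scope, and the whole sequence landing in a scripted burst. The record field names and the admin allow-list are assumptions, not a real tenant export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra ID audit-log entries
# (simplified field names; activity names follow the audit log, values are invented).
AUDIT_LOG = [
    {"ts": "2024-05-01T09:00:00", "activity": "Add application",
     "actor": "jdoe@example.com", "app": "test"},
    {"ts": "2024-05-01T09:00:20", "activity": "Add owner to application",
     "actor": "jdoe@example.com", "app": "test"},
    {"ts": "2024-05-01T09:00:45", "activity": "Update application – Certificates and secrets management",
     "actor": "jdoe@example.com", "app": "test", "secret_expires": "2026-05-01T09:00:45"},
    {"ts": "2024-05-01T09:01:10", "activity": "Consent to application",
     "actor": "jdoe@example.com", "app": "test", "scopes": ["Mail.Read", "offline_access"]},
    {"ts": "2024-05-03T14:00:00", "activity": "Add application",
     "actor": "it-admin@example.com", "app": "hr-portal"},
    {"ts": "2024-05-03T15:30:00", "activity": "Consent to application",
     "actor": "it-admin@example.com", "app": "hr-portal", "scopes": ["User.Read"]},
]

ADMIN_ACCOUNTS = {"it-admin@example.com"}   # assumed allow-list of accounts expected to register apps
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All",
               "Chat.Read", "Calendars.Read"}  # scopes reaching mail, files, Teams, calendars
MAX_SECRET_DAYS = 365                         # anything longer is treated as a persistence credential
BURST_WINDOW = timedelta(minutes=5)           # create/own/secret/consent this fast suggests automation

def parse(ts):
    return datetime.fromisoformat(ts)

def triage(log):
    """Return {app_name: [reasons]} for apps whose lifecycle matches the persistence pattern."""
    by_app = defaultdict(list)
    for e in sorted(log, key=lambda e: e["ts"]):
        by_app[e["app"]].append(e)
    findings = {}
    for app, events in by_app.items():
        reasons = []
        creator = next((e["actor"] for e in events if e["activity"] == "Add application"), None)
        if creator and creator not in ADMIN_ACCOUNTS:
            reasons.append(f"registered by non-admin user {creator}")
        for e in events:
            if "secret_expires" in e:
                days = (parse(e["secret_expires"]) - parse(e["ts"])).days
                if days > MAX_SECRET_DAYS:
                    reasons.append(f"client secret valid {days} days")
            scopes = set(e.get("scopes", []))
            if "offline_access" in scopes and scopes & DATA_SCOPES:
                reasons.append("offline_access + data scope " + ",".join(sorted(scopes & DATA_SCOPES)))
        span = parse(events[-1]["ts"]) - parse(events[0]["ts"])
        if len(events) >= 3 and span <= BURST_WINDOW:
            reasons.append(f"{len(events)} lifecycle events within {int(span.total_seconds())}s")
        if len(reasons) >= 2:      # require two independent indicators to cut noise
            findings[app] = reasons
    return findings
```

Because a password reset leaves the application's own credential intact, a hit here is followed by removing the application's secret and registration, not only by resetting the user.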

The post Hackers Weaponizing OAuth Applications for Persistent Cloud Access Even After Password Reset appeared first on Cyber Security News.

Source: cybersecuritynews.com
