Hackers Exploit OAuth to Bypass Password Resets
Hackers exploit OAuth applications to maintain persistent access to cloud environments, even after victims reset passwords or enable multifactor authentication. Researchers at Proofpoint identified a growing trend in which cybercriminals and state-backed actors use trusted Microsoft Entra ID mechanisms to bypass conventional account protections. Once they hold a compromised account, attackers register internal applications with custom permissions, giving the app access to mailboxes, files, messages and calendars.
These internal apps operate under implicit trust and are harder to spot than third-party apps. Attackers make the compromised user the app's owner, so the application blends into the organization's own ecosystem. They automate the process, adding long-lived client secrets or certificates to the app and collecting the tokens it obtains to sustain access. Because an app that holds its own client secret or certificate authenticates as itself rather than as the user, resetting the user's password or enabling MFA does not revoke it; the app registration, its owners and its credentials have to be removed as well.
In one incident, a malicious app named ‘test’ maintained unauthorized access for four days despite a password reset. Proofpoint’s investigation underscores the need for proactive auditing of app registrations, their owners and their credentials to uncover these embedded threats.
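A starting point for the auditing described above, added here as an example (this is not Proofpoint's tooling and does not come from the linked article). It correlates Entra ID directory-audit events into the chain the text describes (app registered, owner assigned, credential added, consent granted, all by one user within a short window) and separately lists credentials on an app object that outlive a chosen policy. The input is a constructed sample shaped like Microsoft Graph `directoryAudit` records and an `application` object; the field names follow Graph, but every value (user names, app names, timestamps, the 24-hour window and 180-day limit) is invented for the example.

```python
# Hunt for attacker-registered internal OAuth apps in Entra ID audit data.
# Added example for this page, not Proofpoint's or Microsoft's tooling. It runs
# offline on a constructed sample shaped like Microsoft Graph `directoryAudit`
# records and an `application` object (real input: GET /auditLogs/directoryAudits
# and GET /applications). Field names follow Graph; all values are invented.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Activities that, chained by one user within minutes, form the pattern in the
# text: register an app, take ownership, add a credential, consent to permissions.
REGISTER = "add application"
OWNER = "add owner to application"
SECRET = "certificates and secrets management"  # substring: Entra's exact name has odd spacing
CONSENT = "consent to application"

def _rec(activity, when, upn, *targets):
    """Build a minimal directoryAudit-shaped record (constructed sample helper)."""
    return {"activityDisplayName": activity, "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"type": t, "displayName": n} for t, n in targets]}

J, ADMIN = "j.doe@contoso.example", "it.admin@contoso.example"
SAMPLE_AUDIT = [  # one suspicious chain by j.doe; one benign app whose secret is rotated 8 days later
    _rec("Add application", "2024-05-02T09:14:03Z", J, ("Application", "test")),
    _rec("Add owner to application", "2024-05-02T09:14:05Z", J, ("Application", "test"), ("User", "j.doe")),
    _rec("Update application – Certificates and secrets management ", "2024-05-02T09:14:09Z", J, ("Application", "test")),
    _rec("Consent to application", "2024-05-02T09:15:30Z", J, ("ServicePrincipal", "test")),
    _rec("Add application", "2024-04-28T14:00:00Z", ADMIN, ("Application", "Payroll Connector")),
    _rec("Update application – Certificates and secrets management ", "2024-05-06T14:00:00Z", ADMIN, ("Application", "Payroll Connector")),
]
SAMPLE_APP = {"displayName": "test", "keyCredentials": [],
              "passwordCredentials": [{"displayName": "cli-secret", "endDateTime": "2026-05-02T12:00:00Z"}]}
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _app_name(rec):
    # The app registration and its service principal are different objects with
    # different ids but share a display name, so correlate on the name.
    for t in rec.get("targetResources", []):
        if t.get("type") in ("Application", "ServicePrincipal"):
            return t.get("displayName")
    return None

def correlate(records, window_hours=24):
    """Return findings for apps that gained an owner, credential or consent
    within `window_hours` of being registered."""
    by_app = defaultdict(list)
    for rec in records:
        name = _app_name(rec)
        if name:
            by_app[name].append(rec)
    findings = []
    for name, evs in by_app.items():
        evs.sort(key=lambda r: _ts(r["activityDateTime"]))
        created = [e for e in evs if e["activityDisplayName"].strip().lower() == REGISTER]
        if not created:
            continue  # pre-existing app; check it with long_lived_credentials() instead
        t0 = _ts(created[0]["activityDateTime"])
        window = [e for e in evs if t0 <= _ts(e["activityDateTime"]) <= t0 + timedelta(hours=window_hours)]
        acts = {e["activityDisplayName"].strip().lower() for e in window}
        reasons = [why for key, why in ((SECRET, "credential added"), (OWNER, "owner assigned"),
                                        (CONSENT, "consent granted")) if any(key in a for a in acts)]
        if reasons:
            initiators = sorted({e["initiatedBy"].get("user", {}).get("userPrincipalName", "?") for e in window})
            findings.append({"app": name, "registered": created[0]["activityDateTime"],
                             "initiators": initiators, "reasons": reasons, "events": len(window)})
    return findings

def long_lived_credentials(app, now=NOW, max_days=180):
    """List secrets/certificates on a Graph application object that outlive `max_days`."""
    hits = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in app.get(kind, []):
            days = (_ts(cred["endDateTime"]) - now).days
            if days > max_days:
                hits.append((kind, cred.get("displayName", ""), days))
    return hits

if __name__ == "__main__":
    for f in correlate(SAMPLE_AUDIT):
        print(f"[!] app '{f['app']}' registered {f['registered']} by {f['initiators']}: {', '.join(f['reasons'])}")
    for kind, name, days in long_lived_credentials(SAMPLE_APP):
        print(f"[!] app '{SAMPLE_APP['displayName']}' {kind} '{name}' valid for {days} more days")
```

Two design notes. The credential-change activity is matched on a substring because Entra's audit name for it ("Update application – Certificates and secrets management", with an en dash and trailing space) is easy to mistype in an exact comparison. And a hit from either function is a lead, not a verdict: a legitimate registration can look the same, so the follow-up is to confirm the owner, the permissions granted and the credential's purpose, and on a real compromise to delete the credentials and the app rather than only resetting the user's password.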
Read the full article at: https://cybersecuritynews.com/hackers-weaponizing-oauth-applications/
