You Granted What? The Rise of OAuth Attacks to Access Sensitive Systems

OAuth attacks are rapidly emerging as a favored tactic by cybercriminals targeting SaaS ecosystems. The growing wave of OAuth attacks isn't coincidental either—it's strategic. These attacks are difficult to detect, often bypass traditional controls, and provide direct access to business-critical systems.  

OAuth permissions are also deceptively easy for users to grant, and impersonating authorization requests via emails, Slack, and Teams is a low-effort, high-reward tactic. With so many apps in use across the enterprise, malicious ones can easily blend in. To compound the issue, sophisticated threat actors now leverage AI to craft polished phishing emails and make malicious apps look like trusted platforms to deceive even tech-savvy users, including extension developers.

The recent attacks targeting Microsoft 365, GitHub, Cyberhaven, as well as the highly sophisticated Midnight Blizzard attack on Microsoft are perfect examples. While security teams spend resources hardening identity access, endpoint detection, and cloud security posture, OAuth remains an under-protected backdoor waiting to be exploited.

The problem stems from the fact that most security teams lack the necessary visibility into which applications have been granted risky OAuth scopes, making it nearly impossible to proactively defend against these attacks.

Breaking Down Recent OAuth Attacks and Tactics

Recent attacks demonstrate how adversaries leverage OAuth to bypass traditional security controls.  

Malicious OAuth Applications

Similar to the Cyberhaven attack, threat actors deployed malicious OAuth applications disguised as legitimate services. In this latest incident, Microsoft OAuth apps masquerading as Adobe Acrobat and DocuSign tricked users into granting broad permissions. Once approved, these applications redirected users to phishing sites, installed malware, and stole Microsoft 365 account credentials—all without triggering security alerts.

GitHub developers were also targeted in a separate attack. Threat actors sent deceptive security alerts that prompted developers to authorize a rogue OAuth application. Once permissions were granted, attackers could access private repositories, inject malicious code, or exfiltrate proprietary data—without requiring stolen credentials or breaching corporate networks.

Using OAuth Permissions to Extend Reach

Midnight Blizzard, a Russian nation-state threat group, demonstrated OAuth’s power in an attack against Microsoft last year. After securing initial access, the attackers compromised and manipulated OAuth applications to gain broad access to corporate email systems. They created additional OAuth apps with elevated permissions, leveraging the already compromised application to further entrench their access. By abusing OAuth tokens, they bypassed MFA and maintained persistent access, allowing them to exfiltrate sensitive data undetected.

Consent Phishing to Grant OAuth Permissions

Similarly, the Cyberhaven breach illustrated another OAuth-based risk: a consent phishing campaign resulting in an employee unknowingly granting excessive permissions which were later used as an entry point for data exfiltration. This highlights an issue beyond malicious attacks—well-intentioned users can inadvertently introduce risk by authorizing applications with unverified OAuth applications.

These incidents highlight a fundamental issue: OAuth’s token-based trust model is being weaponized to create persistent access that is extremely difficult to detect and remediate.

OAuth Scopes: A Growing Security Blind Spot

While OAuth scopes are designed to grant granular access, many applications request far more permissions than they actually need. Worse, many security teams lack the ability to continuously monitor which applications have been granted, how the permissions were granted (by a person or by an app) and whether they pose a risk.

The problem is exacerbated by:

• User-procured shadow SaaS: Employees are increasingly interconnecting third-party applications with business-critical systems and data stores. Granting OAuth scopes is often just a single click, making it deceptively easy for users to authorize access they don’t fully understand. As a result, employees may unknowingly grant excessive permissions or unverified apps that introduce significant security and compliance risks.  

• Overprivileged OAuth grants: Users frequently approve applications with excessive permissions, often due to deceptive app descriptions.

• Lack of centralized visibility: Security teams struggle to track which apps have been authorized and what data they can access, often leaving OAuth permissions active after an employee leaves the company.

• Token persistence: OAuth tokens are often not subject to the same security policies as user credentials; controls like MFA are typically not enforced on them. This makes OAuth apps a prime target for attackers seeking covert access to sensitive environments.

• Limited revocation awareness: Even when security teams discover risky applications, the process for revoking OAuth permissions is inconsistent across platforms, leaving gaps in security.

Regaining Control Over OAuth Security

OAuth security remains a significant challenge; the key to mitigating the risks is implementing the right tools and gaining insights to efficiently manage OAuth scopes across an organization. This includes:

1. Gaining visibility into OAuth permissions. Complete visibility into which applications are authorized, which OAuth scopes have been granted, and which pose the highest risk is critical to effectively managing OAuth-related threats. This includes both sanctioned and unsanctioned applications, especially as shadow SaaS continues to expand within organizations. Traditional identity security solutions often lack this granularity, making purpose-built tools essential.

2. Implementing continuous monitoring and risk scoring. Monitoring OAuth activity in real time can help detect anomalies, such as newly unauthorized apps requesting excessive permissions or unusual data access patterns. Automated risk scoring can highlight applications that need immediate review or revocation.

3. Enforce strict access controls and governance. Limit OAuth authorization to pre-approved, trusted applications. Implement policies that prevent users from granting permissions to unvetted third-party apps, and ensure that permission requests align with business needs.

4. Revoke unused or high-risk permissions regularly. Periodically review OAuth grants and revoke access to applications that are no longer in use or that request overly broad permissions. This reduces the risk of unauthorized access through dormant applications.

How Grip Helps Security Teams Stay Ahead of OAuth Threats

Grip’s SaaS Security Control Plane and browser extension, Grip Extend, both provide security teams with the visibility and control needed to manage OAuth security effectively, including permissions granted to shadow applications. By continuously monitoring OAuth grants, identifying high-risk applications, understanding OAuth trends, and providing automated remediation, Grip helps organizations eliminate blind spots and mitigate the risks associated with excessive OAuth permissions.

See how it works in this self-guided tour:

Key capabilities include:

• Real-time OAuth visibility: Instantly see which applications have been granted permissions across the entire SaaS ecosystem.

• Automated risk assessment: Identify overprivileged applications and risky OAuth scopes with contextual risk analysis.

• Proactive remediation: Quickly revoke excessive permissions and prevent users from authorizing untrusted applications.

OAuth management is an essential part of SaaS security. Organizations that fail to address it risk being blindsided by an attack they never saw coming. With the right visibility, controls, and automated remediation, security teams can take back control and stop OAuth-based risks before they escalate. To discuss how Grip can help you proactively and effectively secure your SaaS environment, book time with our team.

‍