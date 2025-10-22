Identity

OAuth apps exploited for persistent compromise

Threat actors have been leveraging OAuth apps to ensure persistence within hacked environments, according to Cybernews.

An initial compromise of an email account, believed to have been facilitated by a phishing attack, was used by attackers to create illicit mailbox rules and register a rogue internal application granted the 'Mail.Read' and 'offline_access' permissions via OAuth tokens, which allowed continued access to the impacted account even after its password was changed, a report from Proofpoint revealed.

"The strategic value of this approach lies in its persistence mechanism: even if the compromised user's credentials are reset or multifactor authentication is enforced, the malicious OAuth applications maintain their authorized access," said researchers.

Organizations detecting suspicious activity have been urged to promptly revoke all client secrets and existing certificates to prevent new token requests. The application registration and all previously granted permissions should also be removed, according to researchers, who also recommended removing all related service principals.
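To make the persistence pattern and the recommended response concrete, here is an added detection example that is not part of the report or the article. It runs over a handful of constructed audit records in a simplified, hypothetical schema (not Microsoft's real audit log format) and flags consents that grant both 'Mail.Read' and 'offline_access', correlates them with an inbox rule created by the same user shortly before, and lists grants that a later password reset left untouched because no revocation followed. The operation names and field layout are assumptions for the example.

```python
"""Detect OAuth-app persistence over constructed, simplified audit records (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Scopes named in the report: offline_access yields a refresh token that outlives
# a password reset, and Mail.Read keeps the mailbox readable through it.
PERSISTENCE_SCOPES = {"offline_access", "Mail.Read"}

# Constructed sample records (hypothetical schema). One phished user creates an
# inbox rule, then consents to an app holding both scopes; her password is reset
# the next day but the consent is never revoked. A second user grants a benign scope.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2025-10-20T08:02:11Z", "user": "alice@example.com",
     "op": "New-InboxRule", "detail": {"name": "Sync", "actions": ["MoveToFolder:RSS Feeds"]}},
    {"ts": "2025-10-20T08:05:40Z", "user": "alice@example.com",
     "op": "Consent to application",
     "detail": {"app": "Mail Sync Helper", "scopes": ["Mail.Read", "offline_access", "User.Read"]}},
    {"ts": "2025-10-20T09:15:00Z", "user": "bob@example.com",
     "op": "Consent to application",
     "detail": {"app": "Calendar Viewer", "scopes": ["Calendars.Read"]}},
    {"ts": "2025-10-21T10:00:00Z", "user": "alice@example.com",
     "op": "Reset user password", "detail": {}},
]

# Response steps taken from the article's recommendations, attached to each finding.
REMEDIATION = [
    "revoke client secrets and certificates to stop new token requests",
    "remove the application registration and all granted permissions",
    "remove related service principals",
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def risky_consents(events: List[Dict]) -> List[Dict]:
    """Consent events whose granted scopes include every persistence scope."""
    return [e for e in events
            if e["op"] == "Consent to application"
            and PERSISTENCE_SCOPES <= set(e["detail"].get("scopes", []))]


def correlate(events: List[Dict], window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Pair each risky consent with an inbox rule the same user created within `window` before it."""
    findings = []
    for consent in risky_consents(events):
        t_consent = parse_ts(consent["ts"])
        rules = [e for e in events
                 if e["op"] == "New-InboxRule" and e["user"] == consent["user"]
                 and timedelta(0) <= t_consent - parse_ts(e["ts"]) <= window]
        findings.append({
            "user": consent["user"],
            "app": consent["detail"]["app"],
            "scopes": sorted(PERSISTENCE_SCOPES & set(consent["detail"]["scopes"])),
            "preceded_by_inbox_rule": bool(rules),
            "remediation": REMEDIATION,
        })
    return findings


def grants_surviving_reset(events: List[Dict]) -> List[Tuple[str, str]]:
    """(user, app) pairs where a risky consent predates a password reset and was never revoked.

    This is the report's core point: resetting the password does nothing to the
    app's authorization, so only an explicit revocation closes the access.
    """
    survivors = []
    for consent in risky_consents(events):
        t_consent = parse_ts(consent["ts"])
        app = consent["detail"]["app"]
        reset_after = any(e["op"] == "Reset user password" and e["user"] == consent["user"]
                          and parse_ts(e["ts"]) > t_consent for e in events)
        revoked = any(e["op"] == "Revoke application consent" and e["user"] == consent["user"]
                      and e["detail"].get("app") == app and parse_ts(e["ts"]) > t_consent
                      for e in events)
        if reset_after and not revoked:
            survivors.append((consent["user"], app))
    return survivors


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
    print("grants still valid after reset:", grants_surviving_reset(SAMPLE_EVENTS))
```

The inbox-rule correlation is a signal, not proof: legitimate users create rules too, so the consent scopes carry the weight of the finding and the rule only raises its priority. Swapping the constructed records for real audit exports means mapping your tenant's actual operation names and field layout onto the three lookups above.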
