Attackers abusing OAuth to maintain access long after passwords are reset

Published: 21 October 2025
OAuth

Hackers are exploiting a loophole to retain access to hijacked user accounts, even after password resets and multi-factor authentication are enforced. They do this by creating internal malicious web apps and issuing OAuth tokens to maintain persistent access.

Researchers at Proofpoint, a cybersecurity firm, have warned about real-world cyberattacks in which hackers maintain persistence by issuing (OAuth) tokens to their malicious web apps.

Despite user attempts to reset passwords and enforce multifactor authentication, the OAuth token – a string of symbols issued to third-party apps that acts as a key – remains valid. Hackers can retain access to email and other accounts and wreak havoc.

ADVERTISEMENT

“OAuth applications can be used to gain persistent access within compromised environments,” a new report about weaponizing OAuth applications reads.

In one case, an attacker took over the victim’s account, likely after a phishing attack. It went unnoticed for four days and the attacker used US-based VPN proxies to perform malicious activities, such as creating malicious mailbox rules.

Four days later, the user changed the password. The hacker tried to log in again from a Nigerian residential IP address, but the attempt was unsuccessful.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

However, the attacker still retained access to the account. While in control of the account, the hacker registered an internal app named “test,” and granted it secrets with “Mail.Read” and “offline_access” permissions. This enabled persistent access to the victim’s mailbox even after password changes.

“Once an attacker gains access to a cloud account, they can create and authorize internal (second-party) applications with custom-defined scopes and permissions. This capability enables persistent access to critical resources such as mailboxes and files, effectively circumventing traditional security measures like password changes,” the Proofpoint researchers warn.

A novel persistence mechanism

Second-party applications are internal and used by the organization’s admins or users. As they originate from within the organization's own directory, they inherit a high level of implicit trust within the environment.

ADVERTISEMENT

For a long time, hackers have also been actively exploiting third-party apps. They register malicious apps that impersonate popular services like Zoom or DocuSign and then try to request access via social engineering attacks. The third-party apps now usually face extra checks and approvals before being allowed to access accounts.

Has my data been leaked?
Check Now

Internal apps are more difficult to detect, and they can bypass many security measures, including third-party app monitoring.

“The strategic value of this approach lies in its persistence mechanism: even if the compromised user's credentials are reset or multifactor authentication is enforced, the malicious OAuth applications maintain their authorized access,” the researchers warn.

Proofpoint has also demonstrated that this persistence mechanism is easy to automate: their proof of concept code automates OAuth app registration and configuration, selects permissions, and grants access independent of user credentials. The victim itself becomes the registered owner of the newly created malicious app.

The researchers tested it on a Microsoft account. Despite the password change, the malicious app maintained full access and successfully retrieved the user's mailbox content. Access extends well beyond email, and, depending on the malicious app permissions, may include the following:

  • SharePoint documents and collaborative content
  • OneDrive stored files
  • Teams messages and channel data
  • Calendar information
  • Organizational contacts
  • Other Microsoft 365 resources

Access can only be removed by manually revoking the granted permissions or after the expiration of the secret credentials, which were set to remain valid for two years.

This means that revocation of tokens and other secret keys is an immediate critical step upon the discovery of suspected malicious activity.

“Immediately invalidate all client secrets. Remove all existing certificates. This immediately terminates the application's ability to request new tokens,” the advisory reads. “Delete the entire application registration and revoke all previously granted permissions. Remove all associated service principals.”

ADVERTISEMENT

The researchers also recommend implementing continuous monitoring of internal apps.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
By participating in this viral trend, you help train AI where it struggles the most
Windows hibernation may contribute to SSD wear as storage costs rise
UFO skeptic Michael Shermer apologizes to David Grusch
Man tries to make a sale on Facebook Marketplace, gets scammed out of $300 via Zelle
Critical FFmpeg flaw discovered: just watching a video can fully compromise your system
The world's top intelligence alliance: AI could supercharge cyberattacks within months
ADVERTISEMENT