Hackers are increasingly abusing OAuth applications in Microsoft Entra ID <\/a>to gain\u00a0persistent\u00a0access, blending in as normal \u201cbusiness integrations\u201d while keeping access even after defenders reset passwords.<\/p>\n Recent Wiz research and incident reporting show attackers using fake OAuth apps, deceptive consent prompts, and redirect URLs to steal tokens and maintain long-term footholds in Microsoft 365 environments.<\/a><\/p>\n In Microsoft Entra ID<\/a>, an app registration creates an application object in the app\u2019s \u201chome\u201d tenant. That application object acts as a blueprint for service principals created in other tenants where the app is used.<\/p>\n A service principal is the local identity for the app in a tenant and defines what the app can do in that tenant, including which resources it can access once permissions are granted through registration or consent.\u200b<\/p>\n Attackers exploit this model by convincing a user (or admin) to grant consent to a malicious or attacker-controlled OAuth app, which can establish an integration that functions like an always-on access path.<\/p>\n MITRE notes adversaries can use OAuth app integrations for persistence<\/a>, including by granting consent from a high-privileged account to maintain access even if they later lose that account.<\/p>\n In some cases, these integrations can remain valid even after the original consenting user is disabled, and they may also help bypass MFA via application access tokens.<\/p>\n Wiz recently described real-world tricks<\/a> that make a consent screen look legitimate. However, the app name uses a trick such as starting with a zero instead of the letter \u201cO.\u201d<\/p>\n Introduced a detection pipeline called \u201cOAuth Apps Scout\u201d to surface emerging malicious OAuth applications.\u200b Threat reporting from Proofpoint tied fake Microsoft OAuth applications to campaigns observed in early 2025.<\/p>\n Impersonated apps (including Adobe and DocuSign themes<\/a>) redirected victims into attacker-in-the-middle<\/a> phishing flows using kits such as Tycoon.<\/p>\n Proofpoint reported attempted account compromises affecting nearly 3,000 user accounts across more than 900 Microsoft 365 environments in 2025, with a confirmed success rate exceeding 50%.\u200b<\/p>\n Microsoft\u2019s consent model allows admins to decide whether user consent is required and to enforce conditions that require administrator review and approval.<\/p>\n Enabling an admin consent workflow can force \u201capproval required\u201d prompts when users aren\u2019t allowed to consent, shifting risky app authorization decisions<\/a> to designated reviewers.\u200b<\/p>\n Operationally, defenders should treat OAuth apps and service principals as inventory that must be continuously reviewed.<\/p>\n With special scrutiny for new or low-prevalence apps, unusual redirect\/reply URLs, and high-impact permissions that don\u2019t match an app\u2019s stated purpose.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Using OAuth Apps in Microsoft Entra ID to Establish Persistence<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgqQo_DqAm04oYnP-gRurWbhVYqh1QDKV8R6iS6FsrF8sf9mSoYJrrCaKxF5P-uLpyiXK4PzO3rl699paLUVkSyah5dQM-yJfFIgJeu-xOHq1ijR0b9eEux4vQdWUtA_ta5JZOEuIIPtjy3J9UY0jATDOrp86sc3HIdOMNqxV5dNybeS4ySR0FcYlTINXw\/s1600\/Screenshot%25202026-02-19%2520193000%2520%25281%2529.webp?ssl=1\")
How the persistence works<\/strong><\/h2>\n
![\"Single](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiE13jZT8HVDYrJEK8PDjUlEv2dq984FfUOTcrywfgedfEt6RAe6ht9OUVUem59uVTcLbybuwVJLkW9hDVX1Gx4Pa628OVJLmxDK-463t3KegcNJciRyq33u6skRLIARkYzKOZPFdGoco1g9LdZQgoTXMMKT5Oevp3zG3ZNdb5yCox1pz-Gl91nshixZUA\/s1600\/Screenshot%25202026-02-19%2520192924%2520%25281%2529.webp?ssl=1\")
![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgalBE9zIB5MXTEkCG3k9E_WNqONtdU_WDtY-UA75ghcQdC1ZPT1HCNb0BXcG4Rm5XryfIbUwT4QjXitIyJ2J9G-FZMk-2qmw8z2CmDntGJEMjkB7MloquJcTLSodRla_3X_no8na0zdOloQA1RYvoAJnjRvKYMcfsg18O33twBjVnIvfPVeED_DODwN8s\/s1600\/Screenshot%25202026-02-19%2520192845%2520%25281%2529.webp?ssl=1\")
Defensive steps<\/strong><\/h2>\n