OAuth Abuse in Entra ID: What Security Teams Should Review

Malicious OAuth apps show how approval workflows can introduce risk in identity platforms  


Recent OAuth Attacks Force a Look at Endpoint Security

As reported by Expert Insights, a recent blog from Wiz on detecting malicious OAuth applications targeting Microsoft Entra ID users highlights a type of attack that doesn’t rely on malware, ransomware or stolen passwords. Instead, attackers are using phishing campaigns to convince users to approve access to applications that appear legitimate.

Researchers identified multiple fake OAuth apps that impersonated well-known services and relied on the consent prompts users encounter every day. When a user clicks “Accept”, the app uses that permission to read email, access files, or interact with data inside the tenant. Because the access is granted through the consent workflow rather than through the user's credentials, the app's activity continues even after a password reset or a change to multi-factor authentication.

OAuth applications are not executable software, so these attacks do not bypass endpoint application control tools; they operate outside them entirely. They do, however, highlight a broader issue for security teams: risk introduced through legitimate approval processes.

 

How Are Attackers Using OAuth?

Designed to allow third-party applications to access data without exposing user credentials, OAuth allows a user to sign in and review permissions requested by an application. When the user allows access, a service principal is created in the organization’s environment, and the application receives tokens that allow it to access approved resources.

This lets attackers take actions such as:

  • Register applications that look like trusted or known brands
  • Use homoglyph characters or lookalike names, making it difficult to tell a legitimate app from an illegitimate one
  • Send phishing messages directing users to grant consent for additional access
  • Request permissions to highly sensitive data such as email or files

Security teams in charge of identity access management (IAM) and SaaS applications respond with practices such as:

  • Review who can grant OAuth consent and whether admin approval is required for higher-risk permissions, including access to PII or sensitive company data
  • Audit existing access and third-party applications regularly
  • Monitor newly installed or newly accessed apps that request broad access or more access than they need
  • Teach users how consent prompts work and how to assess access requests before granting them
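The audit and monitoring steps above can be scripted over a tenant export. The script below is an added example, not code from the Wiz research or from Airlock Digital: it takes objects shaped like Microsoft Graph's oauth2PermissionGrant and servicePrincipal resources (constructed sample data with hypothetical ids) and flags grants that carry mailbox or file scopes, tenant-wide consent, an external app with no verified publisher, or a lookalike display name of the kind described above.

```python
import unicodedata

# Delegated Microsoft Graph scopes that expose mailbox or file contents.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
    "Files.ReadWrite.All", "Sites.Read.All", "MailboxSettings.ReadWrite",
}
OUR_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant id

# Constructed sample shaped like Graph servicePrincipal objects (hypothetical ids).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "Contoso Expense Tool",
     "appOwnerOrganizationId": OUR_TENANT, "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-2", "appId": "app-2", "displayName": "\uff2dicrosoft Teams",  # fullwidth 'M'
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"verifiedPublisherId": None}},
]
# Constructed sample shaped like Graph oauth2PermissionGrant objects.
GRANTS = [
    {"id": "g-1", "clientId": "sp-1", "consentType": "Principal", "principalId": "u-1",
     "resourceId": "graph-sp", "scope": "User.Read openid profile"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "User.Read Mail.Read Files.Read.All offline_access"},
]

def lookalike_name(name):
    """Homoglyph signal: the name contains non-ASCII characters, or characters that
    NFKC-normalize to plain ASCII (fullwidth letters are the common case)."""
    return unicodedata.normalize("NFKC", name) != name or not name.isascii()

def audit_grants(grants, service_principals, tenant_id):
    """Return one finding per consent grant that deserves review, with its reasons."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())
        reasons = []
        if scopes & HIGH_RISK_SCOPES:
            reasons.append("high-risk scopes: " + " ".join(sorted(scopes & HIGH_RISK_SCOPES)))
        if g.get("consentType") == "AllPrincipals":
            reasons.append("tenant-wide consent")  # applies to every user, typically admin-consented
        external = sp.get("appOwnerOrganizationId") != tenant_id
        if external and not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
            reasons.append("external app without verified publisher")
        if lookalike_name(sp.get("displayName", "")):
            reasons.append("lookalike display name")
        if reasons:
            findings.append({"grant": g["id"], "app": sp.get("displayName"), "reasons": reasons})
    return findings
```

Against a real tenant, the same two lists can be pulled from the Graph `oauth2PermissionGrants` and `servicePrincipals` endpoints and fed to `audit_grants` unchanged.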

You can imagine the potential impact. With application access approved and granted, there is no need for stolen credentials. Detection is much harder because the activity appears to follow normal usage patterns.

These attacks reinforce why it is so important to understand how user consent is managed, how new applications are introduced, and the visibility needed by security teams to audit existing OAuth access across users.

 

 

The Impact on Endpoint Control

It is important to separate identity-layer risks from endpoint execution risk and control.

OAuth applications live in the cloud identity and authorization layer and don’t represent software executing on an endpoint device. As they are not subject to application allowlisting or execution controls, blocking or approving an OAuth application is handled through identity governance, conditional access policies, and tenant administration — not endpoint enforcement.

For organizations that use application control on endpoints, this distinction matters. Endpoint tools cannot prevent a user from giving OAuth access in Entra ID, just as identity tools do not control which binaries run locally on a device.

Understanding the differences between these two security approaches helps teams apply the right controls to the right problems.

 

The Common Thread: Approval Without Review

While OAuth abuse sits outside the endpoint layer, it highlights a pattern that security teams encounter across disparate parts of the environment.

Increasingly, attackers are not forcing their way past controls – they are finding ways to operate inside the applications, tools and workflows organizations already allow. (Read about Living Off the Land [LOTL] Attacks.)

When it comes to endpoint security, a similar risk appears when software is introduced without a clear approval process, or when organizations rely on default trust rather than on Deny by Default security and deliberate choices about which applications, tools and code should be allowed to run.

One thing rings true across both scenarios: approvals happen faster than governance processes can keep up.

 

How Security Teams Are Addressing OAuth Misuse

Security teams in charge of identity access management (IAM) and SaaS applications converge on the practices listed earlier: reviewing who can grant consent, auditing existing third-party access, monitoring new apps that request broad permissions, and teaching users how consent prompts work.

The lesson here is less about OAuth itself and more about understanding and approving software execution based on good security practices. When organizations clearly define which applications are trusted through effective allowlisting, they reduce the chances of unwanted software becoming part of the environment through routine workflows.

 

So Where Does Governance Matter Most?

While security teams often focus on detection tools and response workflows, attacks like this show how attackers are adapting. With a shift that allows bad actors to hide in “normal” operations, governance becomes even more important — not only in identity platforms, but anywhere new access, software, or scripts can be introduced.

As SaaS applications and third-party services are nearly ubiquitous in most organizations, security teams are faced with a need to secure environments while ensuring employee productivity and efficiency are not negatively impacted. That means helpful integrations can’t be wholly blocked, and the focus on what is allowed to run needs to be intentional and visible.

When admins and users understand what has been approved, why it was approved, and how it is reviewed over time, it becomes easier to reduce risk without creating unnecessary friction.

 

Final Thoughts

Malicious OAuth applications targeting Microsoft Entra ID are a reminder that attackers do not always need to bypass security controls — sometimes they succeed by working within them. Whether managing cloud integrations or software running on endpoints, organizations benefit from clear governance over what is allowed and how trust decisions are maintained over time.

Of note: Airlock Digital v6.1.1 included integration with Microsoft Entra, allowing organizations to drive user-based allowlisting decisions and exception management within the Airlock Digital UI.