Beyond Credentials: Weaponizing OAuth Applications For Persistent Cloud Access
Proofpoint, Tuesday, October 21st, 2025
Cloud account takeover (ATO) attacks have become a significant concern in recent years, with cybercriminals and state-sponsored actors increasingly adopting malicious OAuth applications as a means to gain persistent access within compromised environments.
Key takeaways
- OAuth applications can be used to gain persistent access within compromised environments.
- OAuth applications keep their authorized access even after user credentials are reset or multifactor authentication is enforced, because the application's tokens are not tied to the user's password.
- Such attacks can be fully automated as shown in a PoC and a dedicated tool created by Proofpoint researchers.
- Threat actors are already abusing this technique in the wild.
These attacks allow malicious actors to hijack user accounts, conduct reconnaissance, exfiltrate data, and launch further malicious activities.
The security implications are particularly concerning. Once an attacker gains access to a cloud account, they can create and authorize internal (second-party) applications with custom-defined scopes and permissions. This capability enables persistent access to critical resources such as mailboxes and files, effectively circumventing traditional remediation steps like password changes or MFA enforcement, since those steps do not revoke the application's grants.
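The practical check for the pattern described above is to correlate, per user, the registration of a new application with a consent grant for mail or file scopes shortly afterwards. The following is an added detection example, not code from the original post or from Proofpoint's tool; the event records are constructed, and their field names (`initiatedBy`, `targetApp`, `operation`, `scopes`) and operation names are a simplified model of the Entra ID audit log rather than its exact schema.

```python
import json
from datetime import datetime, timedelta

# Delegated permissions whose grant to a freshly created app gives standing
# access to a victim's mailbox or files (offline_access yields refresh tokens).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "offline_access",
}

# Audit operations that, taken together, mean "register an app and authorize it".
# Names are modeled on Entra ID audit log operations (assumed, simplified).
CREATE_OPS = {"Add application", "Add service principal"}
GRANT_OPS = {"Consent to application", "Add delegated permission grant",
             "Add app role assignment to service principal"}
CRED_OPS = {"Update application - Certificates and secrets management"}


def find_suspicious_app_grants(events, window_minutes=60):
    """Group audit events by (actor, app) and flag apps that the same user both
    created and granted high-risk scopes to within `window_minutes` of creation.
    Returns a list of finding dicts; an empty list means nothing matched."""
    by_key = {}
    for e in events:
        by_key.setdefault((e["initiatedBy"], e["targetApp"]), []).append(e)

    findings = []
    for (actor, app), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        created = [e for e in evs if e["operation"] in CREATE_OPS]
        grants = [e for e in evs if e["operation"] in GRANT_OPS]
        if not created or not grants:
            continue  # an app that was only created, or only consented, is noise here
        t0 = datetime.fromisoformat(created[0]["time"])
        scopes = set()
        for g in grants:
            delta = datetime.fromisoformat(g["time"]) - t0
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                scopes.update(g.get("scopes", []))
        risky = scopes & HIGH_RISK_SCOPES
        if risky:
            findings.append({
                "actor": actor,
                "app": app,
                "risky_scopes": sorted(risky),
                # A client secret/certificate added to the app lets the attacker
                # keep using it without the victim's session at all.
                "has_secret": any(e["operation"] in CRED_OPS for e in evs),
            })
    return findings


# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    # Benign: an admin registers an HR app and consents only to User.Read.
    {"time": "2025-10-21T09:00:00", "initiatedBy": "admin@example.com",
     "targetApp": "HR Portal", "operation": "Add application"},
    {"time": "2025-10-21T09:01:00", "initiatedBy": "admin@example.com",
     "targetApp": "HR Portal", "operation": "Add delegated permission grant",
     "scopes": ["User.Read"]},
    # Suspicious: a compromised user registers an app, grants it mailbox and
    # refresh-token scopes within minutes, and adds a client secret.
    {"time": "2025-10-21T10:00:00", "initiatedBy": "victim@example.com",
     "targetApp": "Mail Sync Helper", "operation": "Add application"},
    {"time": "2025-10-21T10:00:30", "initiatedBy": "victim@example.com",
     "targetApp": "Mail Sync Helper", "operation": "Add service principal"},
    {"time": "2025-10-21T10:02:00", "initiatedBy": "victim@example.com",
     "targetApp": "Mail Sync Helper", "operation": "Add delegated permission grant",
     "scopes": ["Mail.Read", "offline_access"]},
    {"time": "2025-10-21T10:03:00", "initiatedBy": "victim@example.com",
     "targetApp": "Mail Sync Helper",
     "operation": "Update application - Certificates and secrets management"},
    # Outside the window: a long-standing app gets a new grant a week later.
    {"time": "2025-10-14T08:00:00", "initiatedBy": "dev@example.com",
     "targetApp": "Old App", "operation": "Add application"},
    {"time": "2025-10-21T08:00:00", "initiatedBy": "dev@example.com",
     "targetApp": "Old App", "operation": "Consent to application",
     "scopes": ["Files.Read.All"]},
]

if __name__ == "__main__":
    print(json.dumps(find_suspicious_app_grants(SAMPLE_EVENTS), indent=2))
```

Running it flags only `Mail Sync Helper`: the HR app never asked for a risky scope, and the `Old App` grant falls outside the creation window (it may still deserve a separate rule for late grants, but it is a different pattern). The `has_secret` flag is the detail worth alerting on, since an app with its own credential no longer depends on the victim's session at all.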