Cybercriminals are increasingly abusing internal OAuth-based applications to gain long-term access to enterprise cloud environments, according to new research from Proofpoint. These malicious applications can remain undetected for extended periods, allowing attackers to retain access to high-privileged accounts even after password resets or multi-factor authentication (MFA) enforcement. Because OAuth tokens authorize access without requiring credentials, they offer a covert way for attackers to persist inside compromised systems.

OAuth, the authorization protocol that enables apps to connect to accounts like Microsoft 365 without using a password, has become a favored attack vector. Threat actors trick users into granting permissions to rogue apps or compromise admin accounts to create internal applications that appear legitimate. These “second-party” apps, registered directly within an organization’s tenant, are inherently trusted and therefore harder to spot. Proofpoint’s researchers demonstrated how an attacker could automate the creation of such malicious apps, using compromised accounts as owners to make them appear authentic within the organization’s environment.

Once active, these fraudulent OAuth applications can independently access sensitive resources—such as emails, SharePoint documents, Teams messages, and OneDrive files—long after password changes. Proofpoint warns that detection can be difficult, as malicious apps often blend in with legitimate ones. The company advises organizations to train users to recognize suspicious consent requests, regularly review authorized applications, and revoke tokens associated with any suspect apps. Continuous monitoring and automated remediation, the researchers conclude, are critical to preventing attackers from maintaining persistent, invisible footholds in enterprise cloud systems.
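As an added illustration of the "regularly review authorized applications" advice (this is not Proofpoint's code or tooling), the sketch below triages an exported app inventory for tenant-registered apps that hold delegated access to mail, files, SharePoint or Teams. The record shape, the sample data, the scope list and the 30-day window are assumptions; field names follow Microsoft Graph's servicePrincipal and oauth2PermissionGrant resources, with `createdDateTime` assumed to be merged in from the app registration.

```python
from datetime import datetime, timedelta, timezone

# Delegated scopes covering mail, OneDrive, SharePoint and Teams content (assumed list).
SENSITIVE = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
             "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
             "Chat.Read", "ChannelMessage.Read.All"}

def review_apps(service_principals, grants, tenant_id, now, recent_days=30):
    """Flag apps registered in our own tenant that hold sensitive delegated grants."""
    scopes, tenant_wide = {}, set()
    for g in grants:
        scopes.setdefault(g["clientId"], set()).update(g["scope"].split())
        if g["consentType"] == "AllPrincipals":
            tenant_wide.add(g["clientId"])
    findings = []
    for sp in service_principals:
        if sp["appOwnerOrganizationId"] != tenant_id:
            continue  # third-party app: handled by a separate consent review
        held = scopes.get(sp["id"], set())
        risky = sorted(held & SENSITIVE)
        if not risky:
            continue
        reasons = ["internal app with sensitive scopes: " + ", ".join(risky)]
        created = datetime.fromisoformat(sp["createdDateTime"].replace("Z", "+00:00"))
        if now - created <= timedelta(days=recent_days):
            reasons.append(f"registered within the last {recent_days} days")
        if "offline_access" in held:
            reasons.append("holds offline_access (can obtain refresh tokens)")
        if sp["id"] in tenant_wide:
            reasons.append("consent granted for all users (AllPrincipals)")
        findings.append({"appId": sp["appId"], "displayName": sp["displayName"],
                         "reasons": reasons})
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)
# Constructed sample inventory (placeholder IDs, not real tenant data).
TENANT = "tenant-a"
NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)
SPS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "HR Sync Helper",
     "appOwnerOrganizationId": TENANT, "createdDateTime": "2025-10-20T08:00:00Z"},
    {"id": "sp-2", "appId": "app-2", "displayName": "Intranet Portal",
     "appOwnerOrganizationId": TENANT, "createdDateTime": "2023-02-01T08:00:00Z"},
    {"id": "sp-3", "appId": "app-3", "displayName": "Vendor Mail Plugin",
     "appOwnerOrganizationId": "tenant-b", "createdDateTime": "2025-10-25T08:00:00Z"},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "scope": "Mail.Read Files.Read.All offline_access"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "scope": "User.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "scope": "Mail.Read"},
]
```

Calling `review_apps(SPS, GRANTS, TENANT, NOW)` on the sample returns a single finding for "HR Sync Helper"; each finding is a candidate for owner verification and, if unexplained, token revocation.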
