Uncovering Malicious OAuth Campaigns in Entra ID
Essential information
- Published: 19/02/2026 11:04
- Modified: 19/02/2026 13:12
- Tags: 2026-02-19, application impersonation, cloud security, consent abuse, entra id, identity security, oauth, phishing
- Related entities: 2 observables, 3 techniques (MITRE), 36 others
Description
This analysis examines the growing threat of malicious OAuth applications in Microsoft Entra ID, which attackers use for persistence and privilege escalation. The report details how these apps blend in with legitimate integrations, which makes detection difficult. It describes the creation of OAuth Apps Scout, an automated detection pipeline that identifies newly emerging malicious OAuth apps. The research uncovered multiple campaigns, including one involving 19 apps that impersonated well-known brands. The report compares tactics from 2019 to 2025, showing a shift in attacker strategy from impersonating Microsoft itself to spoofing third-party SaaS vendors. It concludes with actionable defensive measures organizations can apply against these threats.