Security Articles

Uncovering Malicious OAuth Campaigns in Entra ID

Released on 2026-02-19 @ 11:04:36 AM

This analysis reveals the growing threat of malicious OAuth applications in Microsoft Entra ID, which attackers use for persistence and privilege escalation. The report details how these apps blend in with legitimate integrations, making detection challenging. It describes the creation of OAuth Apps Scout, an automated detection pipeline that identifies emerging malicious OAuth apps. The research uncovered multiple campaigns, including one involving 19 apps impersonating well-known brands. The report compares tactics from 2019 to 2025, showing an evolution in attacker strategies from Microsoft impersonation to third-party SaaS spoofing. It concludes with actionable defense strategies for organizations to protect against these threats.