Security researchers have identified multiple malicious OAuth applications abusing consent mechanisms within the Microsoft Entra ID platform, affecting more than 20 organizations across three coordinated campaigns.
The Wiz Security investigation began with a homoglyph attack in which a fraudulent app name used a zero instead of the letter “O” to impersonate a real service.
That discovery led to a review of OAuth abuse patterns, uncovering 19 malicious applications active in an early 2025 campaign. The apps spoofed well-known brands including Microsoft OneDrive, DocuSign, and Adobe. The activity was independently reported by the Proofpoint research team.
For context, OAuth is designed to manage third-party applications’ access to user data while keeping passwords secret. In Microsoft Entra ID, when a user clicks “Accept” on a consent prompt, a service principal is created in the organization’s tenant, making it possible for the application to access approved resources.
Wiz explained how attackers are increasingly exploiting this trust model. By registering apps that resemble legitimate SaaS integrations and luring users via phishing techniques, threat actors convince victims to grant consent. The result is an access token delivered directly to attacker-controlled infrastructure.
Persistence Without Credentials
Unlike stolen passwords, OAuth-based access can persist after credential resets or multi-factor authentication (MFA) enforcement. Once consent is granted, the malicious service principal remains active until administrators explicitly revoke the OAuth grant or remove the application.
Wiz observed that the rogue apps frequently requested high-risk permissions like Mail.Read or Files.ReadWrite.All. This enabled attackers to read email or exfiltrate documents without triggering conventional sign-in alerts.
To find abuse at scale, the research team built a detection pipeline that baselines commonly used applications and evaluates new OAuth apps against multiple risk indicators. Among these are publisher verification status, redirect Uniform Resource Identifier (URI) analysis, naming similarity to trusted brands, unusual tenant ownership, and low prevalence across environments.
The team also uncovered seven malicious OAuth applications dating back to 2019 that used Cyrillic homoglyphs to mimic Microsoft services, impacting more than 50 organizations.
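The scoring approach described above, including the zero-for-O and Cyrillic homoglyph tricks, can be illustrated with a small triage function. This is an added example, not Wiz's pipeline or code; the baseline app IDs, vendor tenant IDs, brand list, weights and the input record layout are all constructed assumptions.

```python
import unicodedata

# Reference data below is constructed for this example; a real baseline would be
# built from the applications actually observed across an organization's tenants.
BASELINE_APP_IDS = {"11111111-aaaa-bbbb-cccc-000000000001"}  # placeholder well-known app
TRUSTED_BRANDS = {"microsoft onedrive", "docusign", "adobe"}
VENDOR_TENANTS = {"tenant-microsoft", "tenant-docusign", "tenant-adobe"}  # placeholders
HIGH_RISK_SCOPES = {"Mail.Read", "Files.ReadWrite.All"}
# Look-alike characters folded to the Latin letter they imitate (digit zero, Cyrillic o/a/e/c).
HOMOGLYPHS = {"0": "o", "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c"}


def normalize_name(name: str) -> str:
    """Lower-case a display name and fold known homoglyphs to ASCII."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name.lower())


def uses_cyrillic(name: str) -> bool:
    """True if any character of the name belongs to the Cyrillic script."""
    return any("CYRILLIC" in unicodedata.name(ch, "") for ch in name)


def score_app(app: dict) -> tuple[int, list[str]]:
    """Score one app registration record; returns (risk score, triggered indicators).

    Expected keys: app_id, display_name, publisher_verified, redirect_uris,
    owner_tenant, scopes, tenant_count (tenants in which the app was observed).
    """
    if app["app_id"] in BASELINE_APP_IDS:
        return 0, ["baselined: commonly used application"]
    raw = app["display_name"].lower()
    folded = normalize_name(raw)
    lookalike = folded in TRUSTED_BRANDS  # name resolves to a trusted brand after folding
    checks = [  # (condition, weight, indicator)
        (lookalike and raw != folded, 4, "brand name spelled with homoglyphs"),
        (lookalike and raw == folded, 2, "brand name on a non-baselined app"),
        (uses_cyrillic(raw), 2, "Cyrillic characters in display name"),
        (not app["publisher_verified"], 2, "publisher not verified"),
        (any(not u.startswith("https://") for u in app["redirect_uris"]), 2,
         "non-HTTPS redirect URI"),
        (lookalike and app["owner_tenant"] not in VENDOR_TENANTS, 2,
         "brand-named app owned by an unknown tenant"),
        (app["tenant_count"] < 3, 1, "low prevalence across tenants"),
        (bool(HIGH_RISK_SCOPES & set(app["scopes"])), 2, "requests high-risk Graph permissions"),
    ]
    hits = [(weight, why) for cond, weight, why in checks if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]
```

Records would come from an export of the tenant's service principals and consent grants; the returned indicator list is what an analyst would review before revoking the grant.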
Wiz said the findings highlight a growing identity-layer blind spot. For security leaders, strengthening governance around user consent, auditing OAuth grants, and monitoring newly observed third-party apps should be core components of any cloud defense strategy.