Home
/
Blog
/
Product Spotlights
/
Securing OAuth for Microsoft Environments
PUBlished on
August 9, 2022
updated on
November 5, 2025

Securing OAuth for Microsoft Environments

TIM WENZLAU

This blog was co-authored by Obsidian Product Manager Tim Wenzlau and Staff Security Researcher Noah Corradin.

SaaS environments are a complex web of interconnectivity between SaaS platforms, third-party applications, and custom in-house integrations. This very benefit of SaaS can also act as a threat vector for attackers who are increasingly targeting integrations as entry points into an enterprise’s wider SaaS environment. An attacker who’s able to exploit integrations has the opportunity to establish persistence, make changes, and exfiltrate valuable data—oftentimes evading detection by traditional security measures.

In a previous blog, we defined OAuth applications, explored their benefits and risks, and broke down Obsidian’s approach to mitigating the growing threat of OAuth abuse. The topic has continued to gain visibility with its inclusion in recent high profile threat campaigns: GitHub, OiVaVoii, UNC3524, StellarParticle, and SUNBURST are just a few examples. These attacks take advantage of vulnerabilities across the SaaS supply chain and within internally developed applications.

To expand our threat detection capabilities and address the growing threat vector of OAuth abuse, our team has released several cutting-edge OAuth threat detections purpose built for protecting Microsoft environments. Specifically, these address internal application compromises, supply chain risks, and device code flow abuse. In this blog, we explore each of these unique threat vectors and explain Obsidian’s approach to mitigating these attacks.

Internal Application Compromise

Most organizations have several—if not hundreds—of internally developed applications connected into their corporate Microsoft environments. These applications can serve various purposes such as managing data or mail, provisioning users, and automating administrative functions.

Security teams often don’t examine these internal applications particularly closely, and depending on their Microsoft license, they may not even have granular logs of application activity available. Attackers are well aware of these vulnerabilities and look to exploit these applications to gain privileged access to the Microsoft environment.

The Russian hacker group known as Cozy Bear leveraged several techniques to compromise internally developed Microsoft integrations in their StellarParticle campaign which allowed them to establish persistence and carry out various attack objectives in target environments. In many cases, attackers remained undetected for months on end.

StellarPartical used a compromised Microsoft 365 administrator account to create a new integration with a generic name. Subsequently, they utilized this integration to add credentials to a second internal company-created integration which had the ability to read all mail on behalf of all users within the organization.

To mitigate these forms of internal application compromise, Obsidian continuously profiles the behavior of internally developed applications. When our models identify unusual and high-risk activities, security teams are immediately notified and able to take prompt remedial action.

Integration Supply Chain Risk

External third-party vendors are a necessary risk in today’s integrated SaaS ecosystems. Many organizations attempt to reduce this risk by conducting thorough vendor security reviews of the third party’s access into their environment.  But what happens if that vetted third party is compromised after your organization has conducted a review and approved them?

In the recent GitHub breach, it was not GitHub that was compromised, but rather the access of supply chain partners Heroku and Travis CI. In the SolarWinds breach, email security vendor Mimecast was breached, enabling attackers to leverage Mimecast’s access into customer’s Microsoft 365 mailboxes.

Obsidian’s approach to mitigating supply chain risk is similar to our internal application compromise detection. We start by identifying and inventorying all third-party integrations with high risk access into the Microsoft environment, building a profile of their typical behaviors and activity patterns. Our machine learning models continuously evaluate the way these integrations are behaving to identify sudden changes that likely indicate a compromise. With this prompt detection, security teams are able to take timely corrective actions to minimize an attacker’s persistence and their ability to exfiltrate sensitive data.

Device Code Flow Abuse

Microsoft supports authorization via a device code flow which allows users to sign into Microsoft environments from input-constrained devices such as a smart TV, IoT device, or printer. Many average consumers are already familiar with this form of authentication—it’s what you might see when logging into Netflix or any other streaming service with a smart TV remote.

In this authorization flow, there’s no actual validation that the user is logging in from an input constrained device. Though infrequent, there are valid use cases for implementing these authorization sequences for Microsoft SaaS environments.

Obsidian detects attackers abusing device code flow to impersonate existing integrations, including first-party Microsoft applications like those in the Microsoft 365 suite. These attacks often convince users to reauthenticate valid integrations while they unknowingly approve an attacker’s entry into the environment. They often follow five simple steps:

  1. Phishing: The attacker crafts a phishing email, potentially pretending to be Microsoft asking the user to reauthorize a valid integration (such as Microsoft Office). The phishing email would contain a device code generated by the attacker and the authorization URL where the user needs to input that code (login.microsoftonline.com/common/oauth2/deviceauth). This phishing email would likely evade phishing detection email filters because the URL is a valid URL owned by Microsoft and commonly used for legitimate device code authorizations.
  2. The user receives and enters the authorization code.
  3. The user selects their Microsoft account for the integration to connect to.
  4. The user is prompted with a confirmation dialogue and accepts.
  5. The attacker is granted access to the Microsoft environment with all the privileges of the application they impersonated.

In this example, where the impersonated application is Microsoft Office, the attacker is able to download the user’s entire collection of files, access their emails, and send emails on behalf of the user.

Frequently Asked Questions (FAQs)

What is OAuth abuse and why is it a significant threat to Microsoft environments?

OAuth abuse refers to attackers exploiting OAuth integrations—connections between SaaS platforms and third-party or internal applications—to gain unauthorized access to sensitive data and resources. In Microsoft environments, these integrations often have broad, privileged access, making them prime targets. Attackers can exploit vulnerabilities in these connections to establish persistence, make changes, and exfiltrate data, often escaping traditional security detection.

How can attackers compromise internally developed applications in Microsoft environments?

Attackers target internally developed applications because these often have extensive permissions and are less scrutinized by security teams. By compromising admin accounts or exploiting weak application security, attackers can create new integrations or manipulate existing ones to gain persistent and privileged access. This tactic was notably used in campaigns like StellarParticle to remain undetected for extended periods and access sensitive organizational data.

What is integration supply chain risk in SaaS environments and how does it affect Microsoft users?

Integration supply chain risk arises when trusted third-party vendors or their applications, which have access to your Microsoft environment, are themselves compromised. Even after careful vendor reviews, if a partner like Heroku or Mimecast is breached, attackers can leverage their trusted access to infiltrate connected Microsoft platforms. This risk necessitates continuous monitoring of third-party integration behaviors to detect sudden or unusual activities that may indicate compromise.

How do attackers abuse the Microsoft device code flow for unauthorized access?

Attackers abuse the device code flow by sending phishing emails containing legitimate Microsoft authorization URLs and attacker-generated device codes. Unsuspecting users follow the instructions, unwittingly granting attackers access to their accounts with the same privileges as the impersonated application. Because the URLs are legitimate and the process mimics genuine device sign-ins, these phishing attempts often bypass standard email security filters.

You May Also Like

Product Spotlights

Unlock SaaS Security Intelligence with Splunk and Obsidian
2
MIN
January 19, 2024

Product Spotlights

The Importance of Incident Response for SaaS
4
MIN
December 4, 2023

Product Spotlights

Feature Highlight: The Obsidian App Kit
2
MIN
November 30, 2023

Get Started

Start in minutes and secure your critical SaaS applications with continuous monitoring and data-driven insights.

get a demo