Hackers Found a Way Around Your MFA and They Are Using Your Own Apps to Do It

Cybersecurity threats just keep getting more creative, and the latest one is particularly frustrating because it turns the tools you trust against you.

Researchers at Proofpoint recently uncovered a new wave of attacks that exploit OAuth applications. If you are not familiar with that term, you have definitely used the technology. It is what powers those “Sign in with Google” or “Sign in with Microsoft” buttons you see everywhere. Hackers are now using legitimate OAuth apps to quietly gain long-term access to business cloud environments, and the scary part is that changing your password or turning on multi-factor authentication will not kick them out.

That is a big deal for any business running cloud-based operations, which at this point is most of them.

How OAuth Attacks Work and Why They Are So Effective

OAuth is one of those technologies that makes life easier for everyone. Instead of creating a new username and password for every application, you can just authorize it through an account you already have, like Google or Microsoft. It is convenient, widely trusted, and used by millions of businesses every day.

The problem starts when a hacker tricks someone into authorizing a malicious app that looks like the real thing. Maybe it looks like a productivity tool or a calendar integration. The user clicks approve without thinking twice because the consent screen looks normal enough. Once that approval happens, the app receives its own access token with whatever permissions the user granted. That might include the ability to read emails, access files, or manage cloud data.

Here is where it gets dangerous. That token stays active even if the user changes their password afterward. It stays active even if they turn on MFA. The app already has its own set of keys to the kingdom, and none of the usual security steps will revoke them unless someone goes in and manually removes the app’s access.

This means attackers can maintain a quiet, persistent presence inside your cloud environment for weeks or even months without anyone noticing.
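The mechanism described in the last few paragraphs, as an added illustration that is not code from the article or from Proofpoint: a toy authorization server in which an app's refresh token is tied to the user's consent grant rather than to the user's password or MFA state. The server, its storage, the OTP check and the token format are all constructed for this example and do not reproduce any real provider's implementation; the walkthrough shows that a password reset and MFA enrolment leave the grant working, and only revoking the app's grant stops it.

```python
"""Toy model of why an OAuth grant survives a password reset or MFA enrolment.

Added illustration; every name, token format and check here is constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    password_hash: str
    mfa_enabled: bool = False


@dataclass
class Grant:
    """One consent: an app (client_id) holding scopes on behalf of a user."""
    user: str
    client_id: str
    scopes: tuple
    refresh_token: str
    revoked: bool = False


class AuthServer:
    def __init__(self):
        self.users = {}    # name -> User
        self.grants = {}   # refresh token -> Grant

    @staticmethod
    def _hash(pw: str) -> str:
        return hashlib.sha256(pw.encode()).hexdigest()

    def register(self, name: str, password: str) -> None:
        self.users[name] = User(self._hash(password))

    # Interactive login: the only path where the password and MFA are checked.
    def login(self, name: str, password: str, otp: Optional[str] = None) -> bool:
        u = self.users[name]
        if u.password_hash != self._hash(password):
            return False
        return (not u.mfa_enabled) or otp == "123456"   # constructed OTP check

    # Consent: the user approves the app once and the app gets its own credential.
    def consent(self, name: str, client_id: str, scopes) -> str:
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(name, client_id, tuple(scopes), token)
        return token

    # Token refresh: no password, no MFA prompt, only the grant's status matters.
    def refresh(self, refresh_token: str) -> Optional[dict]:
        g = self.grants.get(refresh_token)
        if g is None or g.revoked:
            return None
        return {"sub": g.user, "client": g.client_id, "scp": " ".join(g.scopes)}

    def change_password(self, name: str, new_password: str) -> None:
        self.users[name].password_hash = self._hash(new_password)

    def enable_mfa(self, name: str) -> None:
        self.users[name].mfa_enabled = True

    # The one step that actually closes the door: revoke the app's grant.
    def revoke_app(self, name: str, client_id: str) -> int:
        revoked = 0
        for g in self.grants.values():
            if g.user == name and g.client_id == client_id and not g.revoked:
                g.revoked = True
                revoked += 1
        return revoked


def walkthrough() -> dict:
    """Run the scenario from the article against the toy server."""
    s = AuthServer()
    s.register("alice", "hunter2")
    rt = s.consent("alice", "calendar-helper", ["Mail.Read", "Files.Read.All"])
    out = {"before": s.refresh(rt) is not None}
    s.change_password("alice", "correct horse battery staple")
    s.enable_mfa("alice")
    out["after_reset_and_mfa"] = s.refresh(rt) is not None      # still True
    out["login_without_otp"] = s.login("alice", "correct horse battery staple")
    s.revoke_app("alice", "calendar-helper")
    out["after_revoke"] = s.refresh(rt) is not None             # now False
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The point of the model is the `refresh` method: it consults the grant table and nothing else, which is why the interactive controls (`login` with its MFA check) never see the app's traffic.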

Why Multi-Factor Authentication Cannot Save You Here

MFA is one of the best security tools available, and every business should be using it. But in this specific scenario, it does not help the way you would expect.

The reason is simple. The attacker is not logging into your account. They do not need to. The compromised app is operating independently with the permissions your employee already granted. Since there is no login happening, MFA never gets triggered. The app just quietly goes about its business, accessing emails, pulling files, and moving through your connected services without setting off any of the usual alarms.

Think of it this way. You locked your front door and installed a security camera, but you also handed a key to someone you thought was a delivery driver. That person can come and go as they please, and your security system will never flag it because they have authorized access.

This is what makes OAuth consent phishing so dangerous for businesses running on platforms like Microsoft 365, Google Workspace, or Slack. Once an attacker gets that initial foothold through a compromised app, they can access sensitive files and emails, deploy new apps with custom permissions inside your environment, move laterally across connected services, and launch additional attacks from inside your own network.

Traditional defenses like password resets and MFA are not enough to close the door once an OAuth token has been issued. And because the access looks legitimate from the outside, these attacks can be extremely difficult to detect. Attackers love this approach because it is low effort on their end, high impact for the victim, and easy to scale across multiple targets.

How to Protect Your Business From OAuth Exploits

You cannot prevent every attack, but you can make your environment a much harder target.

Start by auditing the OAuth apps that have been granted access to your systems. Most businesses have no idea how many third-party apps are connected to their cloud environment, and a lot of them are apps that nobody uses anymore or that nobody remembers authorizing in the first place. Review that list regularly and revoke access for anything that looks suspicious or unnecessary.

Set up conditional access policies that restrict OAuth app usage to trusted applications and approved vendors. This limits what your employees can authorize and keeps random apps from slipping through the door.

Educate your team about what OAuth consent phishing looks like. Most people click through consent screens without reading them because they look routine. Train your employees to pause and think before approving any app that requests access to their accounts, especially if the request comes through an unexpected email or link.

Invest in security monitoring that specifically tracks OAuth token activity. You need a solution that can flag abnormal behavior, like an app suddenly accessing large volumes of files or an unfamiliar application appearing in your environment with elevated permissions.
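One way to act on the audit advice above and the monitoring advice in this paragraph, as an added example that is not the article's or any vendor's code: a small script that scores each consented app in a tenant inventory (unverified publisher holding high-impact scopes, grants unused for more than 90 days) and flags apps whose daily file-access volume suddenly jumps. The record layout loosely resembles what an app-consent export contains (app name, publisher verification, granted scopes, last use), but the field names, the scope list, the thresholds and every record are constructed for this example.

```python
"""Audit consented OAuth apps and flag volume spikes from a constructed inventory.

Added example; field names, thresholds and all records below are constructed.
"""
from datetime import date

# Scopes a defender would treat as high impact when held by an unknown app.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "offline_access",
}
STALE_DAYS = 90

# Constructed inventory: three consented apps in a fictional tenant.
GRANTS = [
    {"app": "Contoso CRM Sync", "client_id": "app-001", "publisher_verified": True,
     "scopes": ["Contacts.Read", "offline_access"],
     "granted_by": "admin@example.test", "last_used": "2025-03-01"},
    {"app": "Calendar Helper", "client_id": "app-002", "publisher_verified": False,
     "scopes": ["Mail.Read", "Files.Read.All", "offline_access"],
     "granted_by": "alice@example.test", "last_used": "2025-03-02"},
    {"app": "Old Survey Tool", "client_id": "app-003", "publisher_verified": True,
     "scopes": ["User.Read"],
     "granted_by": "bob@example.test", "last_used": "2024-06-10"},
]

# Constructed daily file-access counts per app, oldest day first.
ACTIVITY = {
    "app-001": [40, 42, 38, 41, 39, 45, 40],
    "app-002": [3, 2, 4, 3, 2, 3, 910],
}


def assess_grant(grant: dict, today: date) -> dict:
    """Return a recommended action for one consent grant with the reasons."""
    reasons = []
    risky = sorted(HIGH_RISK_SCOPES.intersection(grant["scopes"]))
    if risky and not grant["publisher_verified"]:
        reasons.append(f"unverified publisher holds high-risk scopes: {risky}")
    age_days = (today - date.fromisoformat(grant["last_used"])).days
    if age_days > STALE_DAYS:
        reasons.append(f"unused for {age_days} days")
    if risky and not grant["publisher_verified"]:
        action = "revoke"
    elif age_days > STALE_DAYS:
        action = "review"
    else:
        action = "keep"
    return {"client_id": grant["client_id"], "app": grant["app"],
            "action": action, "reasons": reasons}


def audit(grants=GRANTS, today=date(2025, 3, 3)) -> list:
    return [assess_grant(g, today) for g in grants]


def volume_spike(series: list, factor: float = 5.0) -> bool:
    """True when the latest day's count exceeds `factor` times the prior average."""
    *history, latest = series
    baseline = sum(history) / len(history) if history else 0.0
    return latest > factor * max(baseline, 1.0)


def spiking_apps(activity=ACTIVITY) -> list:
    return sorted(cid for cid, series in activity.items() if volume_spike(series))


if __name__ == "__main__":
    for row in audit():
        print(f"{row['client_id']} {row['app']!r}: {row['action']} {row['reasons']}")
    print("volume spike:", spiking_apps())
```

The two rules are deliberately simple so they are easy to explain to whoever owns the revocation decision; in practice the inventory would be pulled from the identity provider's own consent and audit logs, and the baseline window for the spike check would be longer than the seven constructed days used here.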

Convenience Created A Vulnerability And You Need to Address It

OAuth has made our digital lives a lot more convenient. Being able to sign into apps without juggling dozens of passwords is genuinely useful. But that convenience opened up a new attack surface that most businesses are not paying enough attention to.

If your company relies on cloud applications for daily operations (and at this point, who does not?), now is the time to take a hard look at how OAuth apps interact with your environment. The few minutes it takes to audit your connected apps and tighten your policies could save you from weeks of downtime and the kind of damage that comes with a full-scale breach.

Do not wait until an attacker is already inside, using your own tools against you.