The Backdoor That Survives a Password Reset: OAuth App Abuse in Microsoft 365
TL;DR
- A malicious OAuth app has its own credentials and permissions, so password resets and session expirations do not remove the attacker's access.
- Microsoft documented one attacker who created 17,000 multi-tenant OAuth apps and sent nearly 1 million phishing emails through compromised identities.
- Traitorware is a legitimate app used maliciously, like eM Client granting persistent mailbox access, and it will not look suspicious in an app list at first glance.
- Setting user consent to 'Do not allow' in the Entra admin center and routing app requests through admin approval closes the most common planting path.
- Hunt for apps with throwaway names, high-risk mail permissions, non-Microsoft publishers, and little or no interactive sign-in activity.
Reset the password, revoke the sessions, breathe out. Except the attacker is still reading the mailbox, because three weeks ago they registered an innocuous-looking app in the tenant and consented it into the environment. That is the appeal of OAuth application abuse: the app is its own identity, with its own credentials, and nothing you do to the user account touches it.
OAuth applications are everywhere in Microsoft 365 because they power real integrations and automation. Every time someone signs in to a third-party tool with Microsoft 365 credentials or wires up a workflow, an OAuth app is involved. This post breaks down what these apps are, how attackers use them for persistence and privilege escalation, what real attacks have looked like, and a runbook for locking down and hunting in your own tenants.
What is an OAuth application in Microsoft 365?
OAuth applications in Microsoft 365 are third-party or custom-built apps that use the OAuth 2.0 protocol to access Microsoft 365 data on behalf of a user or system account, without ever needing the user's password. They commonly integrate external services or automate tasks across workloads like Exchange Online, SharePoint, Teams, and Microsoft Graph.
They come in two permission models, and the difference matters for risk:
Delegated permissions (user context)
- The app acts on behalf of a signed-in user.
- It inherits the user's permissions.
- Example: a third-party calendar app that reads a user's Outlook calendar.
Application permissions (app context)
- The app runs without a signed-in user.
- It holds its own permissions, granted by an admin.
- Example: a backup service that reads all mailboxes in Exchange Online.
How does an account compromise become a permanent foothold?

Attackers increasingly use OAuth applications as a stealthy persistence method after the initial break-in. The chain usually runs:
Initial access. It starts with account compromise, often phishing, or more advanced techniques like adversary-in-the-middle attacks that capture session tokens even when MFA is enabled.
Persistence. To stay in, attackers might:
- Register a new device with Microsoft Authenticator
- Set up inbox rules to forward or delete emails
- Register a malicious OAuth app, which becomes its own identity, independent of the user
Once the app is registered and granted permissions, frequently via social engineering, it can:
- Send emails as the compromised user
- Download mailbox data
- Launch internal or external phishing campaigns
- Move laterally within the organization
Password resets and session expirations will not kick the attacker out, because the app carries its own credentials and permissions.
What has this cost real organizations?
Malicious OAuth apps are not theoretical, and the documented impacts are large:
- Cryptomining campaigns: attackers used compromised accounts to register apps that spun up VMs and racked up over $1.5 million in compute charges.
- Mass phishing: one attacker created 17,000 multi-tenant OAuth apps and sent nearly 1 million phishing emails through compromised identities. Reference: Threat actors misuse OAuth applications to automate financially driven attacks (opens in new tab) from the Microsoft Security Blog.

These apps often look legitimate, sometimes mimicking the OneNote icon or naming themselves after Microsoft services. Inspected closely, they are neither published by Microsoft nor do they require admin consent to obtain powerful permissions.

Traitorware or purpose-built: the two threat shapes
1. Traitorware: legitimate apps used in malicious ways. eM Client, for example, is a real webmail client, but attackers use it to gain persistent access to a victim's mailbox.

Real-world analysis and reference lists:
- Deep Dive: Forensic Analysis of eM Client (opens in new tab)
- Huntress rogue app list: RogueApps (opens in new tab)
2. Malicious custom apps: purpose-built apps that imitate legitimate ones or hide behind odd naming conventions, like ....., test app, or the username of the compromised account, to avoid suspicion.

The runbook: lock down consent, then go hunting
Restrict user consent to apps
- Go to Entra Admin Center > Applications > Enterprise Applications > Consent and Permissions.
- Set consent to Do not allow user consent.
- Route approval requests to admins or a support ticket system.
- Set an expiration on pending requests; 30 days is a solid default.

Stop users from registering applications
- Navigate to Entra Admin Center > Users > User Settings.
- Set Users can register applications to No.
This prevents users from unknowingly registering apps that could be used maliciously.

Hunt for the apps already inside
Work through the enterprise app list looking for:
- Apps with names like
test,test app,sharepoint-api, or arbitrary strings such asrrrror........ - Apps named after compromised users
- Apps with high-risk permissions: read/write to mail, calendar, contacts
- Unusual or non-Microsoft publishers
- Low or zero interactive sign-ins, with the caveat that some legitimate apps run via service principals
- Known traitorware from the RogueApps (opens in new tab) list
More indicators of compromise are documented in Proofpoint's research: MACT: Malicious Applications in Credible Cloud Tenants (opens in new tab).
Can any of this be automated?
Two options take the manual sweep off your plate:
The cazadora hunting script automates detection of suspicious apps using naming patterns and permission scopes: HuskyHacks/cazadora on GitHub (opens in new tab).

CloudCapsule playbooks automate discovery of traitorware, suspicious applications, and misconfigurations, and help MSPs assess and report these risks across every tenant they manage rather than one at a time.

Frequently asked questions
Does resetting a compromised user's password remove a malicious OAuth app?
No. Once an OAuth app is registered and granted permissions, it acts as its own identity with its own credentials. Removing the attacker requires finding and deleting the app or its service principal, not just resetting the user.
What is the difference between delegated and application permissions?
Delegated permissions act on behalf of a signed-in user and inherit that user's permissions, like a calendar app reading one user's Outlook calendar. Application permissions run without a signed-in user under the app's own admin-granted rights, like a backup service reading all mailboxes in Exchange Online.
Will blocking user consent break legitimate integrations?
It adds an approval step, not a wall. Route consent requests to admins or a support ticket queue, set an expiration on pending requests (30 days is a solid default), and approve legitimate apps deliberately instead of letting users grant permissions on instinct.
Find the apps that should not be in your tenants
CloudCapsule playbooks automate discovery of traitorware, suspicious applications, and consent misconfigurations across every tenant you manage, then turn the findings into reports clients understand.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


