Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns
What began as a simple search for an OAuth application named “0365” quickly uncovered a broader threat: three distinct malicious OAuth application campaigns abusing the relationship between Azure applications and service principals. Using a pivoting methodology and detection model, we expanded beyond known indicators to map the full scope of these campaigns, identifying activity across more than 20 organizations.

The talk opens by outlining the OAuth application attack surface in Azure AD (Entra ID), explaining how attackers abuse consent flows, permissions, and application registrations, and why traditional security controls often fail to detect this activity. We then introduce our “Next Campaign Finder,” a structured detection approach built on four components: establishing baselines of legitimate OAuth applications, identifying recurring malicious traits, correlating metadata such as ownership, naming conventions, and reply URLs across tenants, and applying a weighted scoring model to prioritize high-risk applications. Using this model, we reveal a malicious OAuth campaign impersonating trusted services such as Adobe and DocuSign, highlighting its defining characteristics. We then compare this activity with an earlier OAuth campaign discovered by the model dating back to 2019 and examine how attackers’ tradecraft has evolved over time.

A key focus of the talk is practical pivoting. We demonstrate how defenders can expand from a single known malicious app to a broader set of indicators. All techniques are presented in a way that allows any attendee to implement them directly in their own environment using standard identity and audit logs, without relying on vendor-exclusive telemetry. We conclude with actionable defensive guidance, including detection strategies and mitigations enterprise defenders can apply today, lessons learned from the research process, and our perspective on how OAuth-based attacks are likely to evolve.
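As an added illustration of the four-component approach described above (not code from the talk or its authors), the script below baselines known-good registrations, checks recurring traits, correlates reply-URL hosts and owners across tenants, and ranks apps with a weighted score; the weights, brand list, scope list and sample registrations are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

BRANDS = ("adobe", "docusign", "0365")  # hypothetical list and weights; tune to your own baseline
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}
WEIGHTS = {"brand_impersonation": 40, "risky_scopes": 20, "shared_reply_host": 25, "shared_owner": 20, "new_app": 10}

def _reply_hosts(app):
    return {urlparse(u).hostname for u in app["reply_urls"]}

def cross_tenant_index(apps):
    """Map each reply-URL host and owner to the tenants it appears in (correlation step)."""
    hosts, owners = defaultdict(set), defaultdict(set)
    for app in apps:
        for host in _reply_hosts(app):
            hosts[host].add(app["tenant"])
        owners[app["owner"]].add(app["tenant"])
    return hosts, owners

def score_app(app, baseline, hosts, owners):
    """Return (score, reasons); apps on the known-good baseline score 0."""
    if app["app_id"] in baseline:
        return 0, ["baseline"]
    name = app["display_name"].lower()
    traits = {
        "brand_impersonation": any(b in name for b in BRANDS) and not app["publisher_verified"],
        "risky_scopes": bool(RISKY_SCOPES & set(app["scopes"])),
        "shared_reply_host": any(len(hosts[h]) > 1 for h in _reply_hosts(app)),
        "shared_owner": len(owners[app["owner"]]) > 1,
        "new_app": app["age_days"] < 30,
    }
    reasons = [t for t, hit in traits.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

def rank_apps(apps, baseline):
    """Score every app and return [(app_id, score, reasons)], highest risk first."""
    hosts, owners = cross_tenant_index(apps)
    ranked = [(a["app_id"], *score_app(a, baseline, hosts, owners)) for a in apps]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample registrations across three tenants (not real apps or indicators).
SAMPLE_APPS = [
    {"tenant": "tenant-A", "app_id": "app-1", "display_name": "Adobe Sign", "publisher_verified": False,
     "reply_urls": ["https://cb.example.invalid/a"], "owner": "owner-x", "age_days": 4, "scopes": ["Mail.Read", "offline_access"]},
    {"tenant": "tenant-B", "app_id": "app-2", "display_name": "DocuSign", "publisher_verified": False,
     "reply_urls": ["https://cb.example.invalid/b"], "owner": "owner-x", "age_days": 9, "scopes": ["Mail.ReadWrite"]},
    {"tenant": "tenant-A", "app_id": "app-3", "display_name": "Adobe Acrobat", "publisher_verified": True,
     "reply_urls": ["https://acrobat.example.invalid/cb"], "owner": "owner-vendor", "age_days": 900, "scopes": ["User.Read"]},
    {"tenant": "tenant-C", "app_id": "app-4", "display_name": "Payroll Sync", "publisher_verified": False,
     "reply_urls": ["https://hr.example.invalid/cb"], "owner": "owner-hr", "age_days": 400, "scopes": ["User.Read", "offline_access"]},
]
```

Calling `rank_apps(SAMPLE_APPS, baseline={"app-3"})` surfaces the two brand-impersonating apps that share a reply host and owner across tenants at the top, the baselined vendor app at zero.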
OAuth-based attacks have become a primary vector for adversaries to bypass MFA and gain persistent access to cloud environments. While many organizations treat suspicious applications as isolated incidents, these threats are often part of large-scale campaigns spanning dozens of tenants.
This session introduces the Next Campaign Finder, a structured methodology for identifying malicious OAuth clusters by correlating app metadata, ownership, and naming conventions. We will demonstrate how we used this model to uncover activity across 20+ organizations, identifying evolving tradecraft that impersonates trusted services like Adobe and DocuSign.
Attendees will learn how to pivot from a single suspicious indicator to a comprehensive campaign map using standard identity and audit logs. We conclude with actionable detection strategies and mitigations that defenders can implement immediately to secure their Entra ID environments against sophisticated application-layer threats.