fwd:cloudsec 2026

Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns
2026-06-02 , Room 1

What began as a simple search for an OAuth application named “0365” quickly uncovered a broader threat: three distinct malicious OAuth application campaigns abusing the relationship between Azure applications and service principals. Using a pivoting methodology and detection model, we expanded beyond known indicators to map the full scope of these campaigns, identifying activity across more than 20 organizations.
The talk opens by outlining the OAuth application attack surface in Azure AD (Entra ID), explaining how attackers abuse consent flows, permissions, and application registrations, and why traditional security controls often fail to detect this activity. We then introduce our “Next Campaign Finder,” a structured detection approach built on four components: establishing baselines of legitimate OAuth applications, identifying recurring malicious traits, correlating metadata such as ownership, naming conventions, and reply URLs across tenants, and applying a weighted scoring model to prioritize high-risk applications.
Using this model, we reveal a malicious OAuth campaign impersonating trusted services such as Adobe and DocuSign, highlighting its defining characteristics. We then compare this activity with an earlier OAuth campaign, surfaced by the same model and dating back to 2019, and examine how attackers' tradecraft has evolved over time.
A key focus of the talk is practical pivoting. We demonstrate how defenders can expand from a single known malicious app to a broader set of indicators. All techniques are presented in a way that allows any attendee to implement them directly in their own environment using standard identity and audit logs, without relying on vendor-exclusive telemetry.
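As an added illustration (not code from the talk or from Wiz), the block below implements a toy version of the four components described above and the pivot step: a baseline of legitimate apps, recurring malicious traits, correlation of reply-URL hosts and publisher domains across tenants, and a weighted score. It runs over constructed app-registration records whose field names follow Microsoft Graph application objects; every tenant, app ID, domain, scope list, brand keyword and weight is invented for the example, and real hunting would read the same fields from the Entra ID audit and sign-in logs.

```python
"""Added example: toy 'Next Campaign Finder' over constructed Entra ID app records.
All records, domains, weights and keyword lists below are assumptions for illustration."""
from collections import defaultdict
from urllib.parse import urlparse

# Brand keywords that impersonating apps borrow, mapped to the publisher domain a
# genuine app with that name would carry (assumed list; "0365" is the typosquat
# that started the research).
BRAND_DOMAINS = {
    "adobe": {"adobe.com"}, "docusign": {"docusign.com"},
    "microsoft": {"microsoft.com"}, "office": {"microsoft.com"},
    "o365": {"microsoft.com"}, "0365": {"microsoft.com"}, "teams": {"microsoft.com"},
}
# Delegated scopes that give persistent mailbox / file access (illustrative).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.ReadWrite.All", "offline_access"}
# Component 4: weight per trait (assumed values).
WEIGHTS = {"unverified_publisher": 2, "brand_name_mismatch": 4, "high_risk_scopes": 3,
           "reply_url_off_brand": 2, "multi_tenant_infra": 3}

# Constructed sample registrations from three hypothetical tenants.
APPS = [
    {"tenant": "t1", "appId": "a1", "displayName": "Microsoft Teams", "verifiedPublisher": True,
     "publisherDomain": "microsoft.com", "replyUrls": ["https://teams.microsoft.com/go"],
     "scopes": ["User.Read"]},
    {"tenant": "t1", "appId": "a2", "displayName": "Adobe Sign", "verifiedPublisher": False,
     "publisherDomain": "adobe-docs-cloud.com", "replyUrls": ["https://adobe-docs-cloud.com/callback"],
     "scopes": ["Mail.Read", "offline_access"]},
    {"tenant": "t2", "appId": "a3", "displayName": "DocuSign", "verifiedPublisher": False,
     "publisherDomain": "adobe-docs-cloud.com", "replyUrls": ["https://adobe-docs-cloud.com/callback"],
     "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"tenant": "t3", "appId": "a4", "displayName": "0365", "verifiedPublisher": False,
     "publisherDomain": "mail-sync-app.com", "replyUrls": ["https://mail-sync-app.com/auth"],
     "scopes": ["Mail.Read", "offline_access"]},
    {"tenant": "t2", "appId": "a5", "displayName": "Contoso Expense Tool", "verifiedPublisher": False,
     "publisherDomain": "contoso.com", "replyUrls": ["https://expenses.contoso.com/auth"],
     "scopes": ["User.Read"]},
]

def _host(url):
    return urlparse(url).hostname or ""

def _brand_domains(name):
    """Publisher domains implied by brand keywords in the display name (empty if none)."""
    lowered = name.lower()
    return set().union(*(d for kw, d in BRAND_DOMAINS.items() if kw in lowered))

def _infra_keys(app):
    """Infrastructure identifiers an app can be correlated on: publisher domain + reply hosts."""
    return {("publisher", app["publisherDomain"])} | {("host", _host(u)) for u in app["replyUrls"]}

def is_baseline(app):
    """Component 1: verified publisher whose domain matches the brand in its own name."""
    implied = _brand_domains(app["displayName"])
    return app["verifiedPublisher"] and (not implied or app["publisherDomain"] in implied)

def infra_index(apps):
    """Component 3: tenants in which each infra key appears, counting only non-baseline
    apps so that shared Microsoft/Adobe endpoints do not pollute the correlation."""
    seen = defaultdict(set)
    for app in apps:
        if not is_baseline(app):
            for key in _infra_keys(app):
                seen[key].add(app["tenant"])
    return seen

def traits(app, index):
    """Component 2 (+3): recurring malicious traits this app exhibits."""
    if is_baseline(app):
        return set()
    found = set()
    if not app["verifiedPublisher"]:
        found.add("unverified_publisher")
    implied = _brand_domains(app["displayName"])
    if implied and app["publisherDomain"] not in implied:
        found.add("brand_name_mismatch")
    if set(app["scopes"]) & HIGH_RISK_SCOPES:
        found.add("high_risk_scopes")
    if implied and any(not any(_host(u) == d or _host(u).endswith("." + d) for d in implied)
                       for u in app["replyUrls"]):
        found.add("reply_url_off_brand")
    if any(len(index.get(k, ())) >= 2 for k in _infra_keys(app)):
        found.add("multi_tenant_infra")
    return found

def score(app, index):
    return sum(WEIGHTS[t] for t in traits(app, index))

def rank(apps):
    """Component 4: apps ordered by weighted score, highest risk first."""
    index = infra_index(apps)
    rows = [(a["appId"], score(a, index), sorted(traits(a, index))) for a in apps]
    return sorted(rows, key=lambda r: -r[1])

def pivot(seed_app_id, apps):
    """Expand from one known-bad app to every non-baseline app sharing its infra keys."""
    seed = next(a for a in apps if a["appId"] == seed_app_id)
    keys = _infra_keys(seed)
    return sorted(a["appId"] for a in apps
                  if a["appId"] != seed_app_id and not is_baseline(a) and keys & _infra_keys(a))

if __name__ == "__main__":
    for app_id, s, ts in rank(APPS):
        print(f"{app_id:3} score={s:2} traits={ts}")
    print("pivot from a2:", pivot("a2", APPS))
```

In this constructed data the two Adobe/DocuSign look-alikes score highest because they share a reply-URL host across two tenants, the "0365" app scores lower only because its infrastructure appears in a single tenant, and the unverified but otherwise unremarkable line-of-business app stays near the bottom; pivoting from the seed app surfaces its sibling in the other tenant. The weights and trait list are the part a defender should tune against their own baseline rather than copy.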
We conclude with actionable defensive guidance, including detection strategies and mitigations enterprise defenders can apply today, lessons learned from the research process, and our perspective on how OAuth-based attacks are likely to evolve.

Shahar is a threat intelligence researcher at Wiz, where she focuses on identifying and analyzing emerging cyber threats to enhance security defenses.

Sapir is a security researcher specializing in identity security. Passionate about understanding how identity works, she spends her time exploring the depths of Active Directory and Entra, uncovering security risks, attack techniques, and ways to defend against them.