OAuth Flaws Chain to Breach Microsoft 365
Two medium-severity vulnerabilities in Microsoft 365, an unsecured email API endpoint and verbose error messages that reveal OAuth tokens, combine to grant attackers full authenticated access. Security researchers highlight how phishing lures direct users to malicious flows, exploiting these issues for token theft and persistent entry into enterprise environments.
How the Attack Unfolds
Attackers initiate with phishing to gain initial authenticated access. They target the unsecured email API endpoint, which lacks proper protections. Verbose error responses then leak valid OAuth tokens for Microsoft Graph APIs. These tokens provide direct access to mailboxes, files, and other services without further authentication.
- Phishing grants limited access to the email API.
- Error messages expose functional OAuth tokens.
- Tokens enable broad Microsoft 365 operations, bypassing MFA.
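The second link in that chain is an error handler that echoes request context, bearer token included, back to the caller. The following Python is an added illustration, not code from the article or from Microsoft: the request, the `call_graph` stand-in that always fails, the `SECRET_HEADERS` list and the `body_leaks_token` audit check are all constructed for this example. It places a leaky handler beside a hardened one that returns only a generic message and an incident id, keeping the detail (with secrets redacted) in the server log.

```python
import json
import logging
import uuid

# Constructed sample request: a fake, truncated JWT-like Graph bearer token and a mailbox id.
SAMPLE_REQUEST = {
    "headers": {"Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.CONSTRUCTED.SAMPLE"},
    "mailbox": "alice@example.test",
}

# Hypothetical list of header names that must never be echoed into a response or log.
SECRET_HEADERS = {"authorization", "cookie", "x-ms-token"}


class UpstreamError(Exception):
    """Raised when the downstream call fails; carries the full request for debugging."""

    def __init__(self, message, request):
        super().__init__(message)
        self.request = request


def call_graph(request):
    """Stand-in for the real Microsoft Graph call; always fails here to exercise the error path."""
    raise UpstreamError("mailbox lookup failed", request)


def redact(request):
    """Return a copy of the request with secret-bearing headers masked."""
    headers = {k: ("<redacted>" if k.lower() in SECRET_HEADERS else v)
               for k, v in request["headers"].items()}
    return {**request, "headers": headers}


def handle_verbose(request):
    """Leaky handler: serialises the exception context, Authorization header included, into the body."""
    try:
        return 200, call_graph(request)
    except UpstreamError as exc:
        return 500, json.dumps({"error": str(exc), "context": exc.request})


def handle_hardened(request):
    """Hardened handler: generic body plus an incident id; detail goes only to the server log, redacted."""
    try:
        return 200, call_graph(request)
    except UpstreamError as exc:
        incident = uuid.uuid4().hex
        logging.getLogger("api").error("incident=%s error=%s request=%s",
                                       incident, exc, redact(exc.request))
        return 500, json.dumps({"error": "internal error", "incident": incident})


def body_leaks_token(body):
    """Audit check: does a response body carry bearer-token material? (Base64 JWTs start with 'eyJ'.)"""
    return "Bearer " in body or "eyJ" in body


if __name__ == "__main__":
    for name, handler in (("verbose", handle_verbose), ("hardened", handle_hardened)):
        status, body = handler(SAMPLE_REQUEST)
        print(f"{name}: status={status} leaks_token={body_leaks_token(body)}")
```

The `body_leaks_token` check is the kind of assertion worth running in an API test suite against every error path: it fails on the verbose handler and passes on the hardened one, and the incident id still lets operators correlate a client report with the redacted server-side log entry.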
This chain mirrors broader OAuth abuse trends. Threat actors impersonate legitimate apps like SharePoint or DocuSign, using fake OAuth registrations to steal credentials via MFA phishing kits such as Tycoon.
Real-World OAuth Exploitation Patterns
Proofpoint tracked campaigns since early 2025 impersonating enterprises with rogue OAuth apps. These redirect to phishing sites, compromising nearly 3,000 accounts across 900+ Microsoft 365 tenants, with over 50% success. Microsoft observed actors creating high-privilege OAuth apps post-compromise for cryptocurrency mining, BEC persistence, and mass phishing, sending over 927,000 malicious emails in one 2023 campaign.
Advanced techniques like ConsentFix abuse OAuth authorization code flows in Microsoft Entra ID. Attackers phish users into sharing redirect URIs that contain authorization codes, redeemable for bearer tokens within 10 minutes, which bypasses MFA without any need to steal credentials. Device code phishing tricks users into entering attacker-supplied codes at verification URLs, granting persistent access.
Industry Context and Microsoft Responses
OAuth, a standard for delegated authorization, powers app integrations in Microsoft 365. Misuse stems from weak consent controls and implicit trust in first-party flows. Storm-1286 registered fake apps mimicking services, enabling spam and mining undetected for months.
Microsoft countered with June 2025 updates blocking legacy authentication and mandating admin consent for third-party apps, rolling out July-August 2025. The company disrupted malicious apps in past campaigns and patched unrelated issues like CVE-2026-21509 in Office.
Impact on Organizations
Successful breaches lead to data exfiltration, lateral movement, and follow-on attacks. High-privilege targets amplify risks across Azure, SaaS apps, and Microsoft 365. Even standard users expose emails and files. Token pivoting, as in Midnight Blizzard, extends access via chained integrations.
Organizations struggle to detect these attacks because they mimic legitimate flows. Visibility into identity, SaaS, and cloud activity is crucial beyond traditional prevention.
Mitigation Strategies
- Enforce least-privilege for app consents; require admin approval.
- Monitor OAuth app registrations and token usage anomalies.
- Disable legacy auth; enable phishing-resistant MFA like passkeys.
- Review inbox rules and error logs for token leaks.
- Use tools tracking device codes and authorization flows.
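The first two items above (least-privilege consent with admin approval, and monitoring app registrations for anomalies) can be turned into a concrete review over consent-grant records. The Python below is an added example, not from the article or from any Microsoft tooling: the event records and their field names are a constructed, simplified format rather than the real Entra ID audit-log schema, and the approved-app list, high-risk scope set and brand-word list are assumptions a tenant would replace with its own. It flags an app when it is unapproved yet holds high-risk Graph scopes, when its display name resembles a first-party brand the article says attackers impersonate (SharePoint, DocuSign), when end users rather than admins consented to it, or when many distinct users consented within a short window, the pattern of a mass-phishing consent campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed app ids used by the sample records below.
APP_EXPENSE = "11111111-1111-1111-1111-111111111111"
APP_ROGUE = "22222222-2222-2222-2222-222222222222"
APP_BACKUP = "33333333-3333-3333-3333-333333333333"

# Constructed, simplified consent-grant records; field names are this example's own, not the Entra ID schema.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T09:00:00Z", "user": "alice@example.test", "app_id": APP_EXPENSE,
     "app_name": "Contoso Expense", "scopes": ["User.Read"], "consent_type": "user"},
    {"time": "2025-03-01T09:05:00Z", "user": "bob@example.test", "app_id": APP_ROGUE,
     "app_name": "SharePoint Online", "scopes": ["Mail.ReadWrite", "offline_access"], "consent_type": "user"},
    {"time": "2025-03-01T09:07:00Z", "user": "carol@example.test", "app_id": APP_ROGUE,
     "app_name": "SharePoint Online", "scopes": ["Mail.ReadWrite", "offline_access"], "consent_type": "user"},
    {"time": "2025-03-01T09:12:00Z", "user": "dave@example.test", "app_id": APP_ROGUE,
     "app_name": "SharePoint Online", "scopes": ["Mail.ReadWrite", "offline_access"], "consent_type": "user"},
    {"time": "2025-03-02T14:00:00Z", "user": "admin@example.test", "app_id": APP_BACKUP,
     "app_name": "Backup Service", "scopes": ["Files.ReadWrite.All"], "consent_type": "admin"},
]

KNOWN_APP_IDS = {APP_EXPENSE, APP_BACKUP}  # assumed: apps the tenant has reviewed and approved
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.ReadWrite.All", "Directory.ReadWrite.All", "offline_access"}
BRAND_WORDS = ("sharepoint", "docusign", "onedrive", "microsoft")  # first-party names attackers imitate


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def peak_distinct_users(events, window):
    """Largest number of distinct users consenting to one app inside any sliding window."""
    stamped = sorted((parse_ts(e["time"]), e["user"]) for e in events)
    peak = 0
    for i, (start, _) in enumerate(stamped):
        peak = max(peak, len({u for t, u in stamped[i:] if t - start <= window}))
    return peak


def review_consents(events, known_app_ids, window=timedelta(minutes=30), burst_threshold=3):
    """Return {app_id: {"app_name": ..., "reasons": [...]}} for every app whose grants look anomalous."""
    by_app = defaultdict(list)
    for event in events:
        by_app[event["app_id"]].append(event)

    findings = {}
    for app_id, grants in by_app.items():
        reasons = []
        name = grants[0]["app_name"]
        scopes = set().union(*(g["scopes"] for g in grants))
        if app_id not in known_app_ids:
            risky = sorted(scopes & HIGH_RISK_SCOPES)
            if risky:
                reasons.append(f"unapproved app granted high-risk scopes: {', '.join(risky)}")
            if any(word in name.lower() for word in BRAND_WORDS):
                reasons.append("display name resembles a first-party Microsoft or partner brand")
            if any(g["consent_type"] == "user" for g in grants):
                reasons.append("end-user consent to an unapproved app (admin approval policy)")
        # Burst detection applies to approved apps too: a sudden wave of consents is itself a signal.
        burst = peak_distinct_users(grants, window)
        if burst >= burst_threshold:
            reasons.append(f"{burst} distinct users consented within {window}")
        if reasons:
            findings[app_id] = {"app_name": name, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for app_id, finding in review_consents(SAMPLE_EVENTS, KNOWN_APP_IDS).items():
        print(app_id, finding["app_name"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the sample data only the "SharePoint Online" app is reported, with all four reasons; the approved expense and backup apps stay quiet because their scopes and consent types match policy. Tightening `known_app_ids` to an empty set shows the policy effect: every app that received end-user consent or holds a high-risk scope is then surfaced for review.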
Adopting Microsoft's 2025 settings changes reduces risks significantly. Regular audits of API endpoints and error verbosity prevent chaining exploits. Enterprises must prioritize OAuth governance amid rising token-based threats.