Full Report
Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a long-lived OAuth refresh token that, by default, is never cleaned up and, in most organizations, is watched by no one. Your perimeter controls don't see it. Your MFA was checked once, at consent, and is not checked again when the token is used. And when an attacker gets hold of one, they don't need a password. OAuth
Analysis Summary
# Tool/Technique: Persistent OAuth Token Theft / Abuse
## Overview
This technique involves the exploitation of OAuth (Open Authorization) tokens to maintain persistent, passwordless access to cloud environments (Google Workspace, Microsoft 365, Salesforce). Unlike traditional credentials, OAuth refresh tokens are long-lived (in many providers and configurations they stay valid until explicitly revoked), satisfy Multi-Factor Authentication (MFA) only once at the initial consent, and, depending on the provider and token type, can remain valid after a user password reset. Attackers either trick users into granting permissions to malicious "Shadow AI" apps or steal existing tokens from legitimate third-party service providers that hold them on behalf of many customers.
## Technical Details
- **Type:** Technique / Attack Vector
- **Platform:** SaaS environments (Google Workspace, Microsoft 365, Salesforce); downstream targets such as AWS and Snowflake are reached with secrets harvested from the SaaS data.
- **Capabilities:** Authentication bypass, persistence, data exfiltration, automated API interaction.
- **First Seen:** Long-standing technique (OAuth consent phishing predates 2020); widely recognized as a critical SaaS risk in 2024–2026, most prominently in the August 2025 Salesloft Drift/Salesforce breach.
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- **T1136.003 - Create Account: Cloud Account** (Via malicious app integration)
- **T1098.003 - Account Manipulation: Additional Cloud Roles**
- **TA0005 - Defense Evasion**
- **T1550.001 - Use Alternate Authentication Material: Application Access Token** (T1550.004, Web Session Cookie, where browser sessions rather than tokens are stolen)
- **TA0006 - Credential Access**
- **T1528 - Steal Application Access Token**
- **TA0010 - Exfiltration**
- **T1537 - Transfer Data to Cloud Account**
## Functionality
### Core Capabilities
- **MFA Bypass:** Once a token is issued, subsequent API calls using that token do not trigger MFA prompts.
- **Persistence:** Refresh tokens frequently remain valid until explicitly revoked, surviving password rotations (provider-dependent) and employee offboarding whenever the grant itself is not cleaned up.
- **Scoped Access:** Allows attackers to read emails, access calendars, and export CRM data (Salesforce) via legitimate API calls.
### Advanced Features
- **Supply Chain Pivot:** Attackers compromise a trusted third-party vendor (e.g., Salesloft Drift) to inherit the OAuth grants that vendor's customers have already approved, without ever touching a customer login.
- **Credential Harvesting:** Systematic "combing" of cloud environments for secondary secrets like AWS access keys, Snowflake tokens, and plain-text passwords.
## Indicators of Compromise
- **File Hashes:** N/A (Technique is largely fileless/API-based).
- **Network Indicators:**
- Unusual API traffic originating from non-corporate IP ranges.
- Large-scale data exports via API to unknown third-party endpoints.
- **Behavioral Indicators:**
- OAuth-token API activity that continues for an account after a password reset, i.e. a grant issued before the reset still being redeemed after it.
- Third-party applications requesting "Scopes" (permissions) that exceed their functional requirements (e.g., a "Calendar" app requesting "Mail.ReadWrite").
- Spikes in API calls from legitimate integrations (e.g., Salesforce, Slack) at unusual hours.
## Associated Threat Actors
- **UNC6395:** The cluster tracked by Google Threat Intelligence Group (Mandiant) as responsible for the August 2025 Salesloft Drift supply chain attack, in which stolen OAuth refresh tokens for the Drift integration were used to export Salesforce data and mine it for secrets; Palo Alto Unit 42 also published an analysis of the campaign.
## Detection Methods
- **Behavioral Detection:** Monitoring for anomalous API call patterns (volume and frequency) from connected apps.
- **Identity Analytics:** Tracking "Impossible Travel" for API calls where the token is used from a geographic location inconsistent with the user's current session.
- **Inventory Audit:** Identifying "Zombie" tokens—active grants for users who are no longer with the organization or have changed roles.
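The indicators and detection methods above, applied to data, as an added example that is not part of the original report. The event schema, the corporate egress range, the IP-to-country table, the password-reset record and every threshold are assumptions chosen for the demonstration; real sources (Entra ID sign-in logs, Google Workspace token audit events, Salesforce Event Monitoring) use different field names. The constructed log contains a normal polling baseline, the same grant redeemed after the user's password reset from an outside address in an off-hours burst ending in a bulk export, and one impossible-travel pair.

```python
"""Detection rules for OAuth token abuse, run over a constructed SaaS API audit log.

Added example, not part of the report. Schema, IP ranges, geolocation table,
reset record and thresholds are all assumptions for the demonstration.
"""
import ipaddress
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]              # assumed egress range
GEO = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.44": "RU"}  # constructed lookup
BUSINESS_HOURS = range(8, 19)                                            # assumed, one time zone
PASSWORD_RESETS = {"alice": datetime(2025, 8, 10, 9, 0, tzinfo=timezone.utc)}  # constructed


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def ev(user, app, issued, time, ip, rows=20):
    """One API call made with a delegated OAuth grant for `user` by `app`."""
    return {"user": user, "app": app, "issued": ts(issued), "time": ts(time),
            "ip": ip, "rows": rows}


EVENTS = []
# Baseline: the Drift connector polls twice an hour during the business day.
for h in range(9, 18):
    for m in (5, 35):
        EVENTS.append(ev("alice", "drift-connector", "2025-08-01T10:00:00",
                         f"2025-08-05T{h:02d}:{m:02d}:00", "203.0.113.10"))
# Abuse: the same grant (issued 1 Aug, before alice's 10 Aug password reset)
# is redeemed 30 times at 03:00 from an outside address, ending in a bulk export.
for m in range(30):
    EVENTS.append(ev("alice", "drift-connector", "2025-08-01T10:00:00",
                     f"2025-08-11T03:{m:02d}:00", "192.0.2.44",
                     rows=50000 if m == 29 else 20))
# Impossible travel: bob's calendar app is used from two countries 40 minutes apart.
EVENTS.append(ev("bob", "calendar-sync", "2025-08-02T08:00:00",
                 "2025-08-11T10:00:00", "198.51.100.7"))
EVENTS.append(ev("bob", "calendar-sync", "2025-08-02T08:00:00",
                 "2025-08-11T10:40:00", "192.0.2.44"))


def token_survived_reset(events, resets=PASSWORD_RESETS):
    """Grants issued before a user's password reset and still redeemed after it."""
    return [(e["user"], e["app"], e["time"]) for e in events
            if e["user"] in resets and e["issued"] < resets[e["user"]] < e["time"]]


def non_corporate_sources(events, nets=CORPORATE_NETS):
    """Source addresses of token use that fall outside corporate egress ranges."""
    return sorted({e["ip"] for e in events
                   if not any(ipaddress.ip_address(e["ip"]) in n for n in nets)})


def off_hours_spikes(events, factor=5):
    """Per-app hourly call counts; flag off-hours buckets >= factor x the app's median hour."""
    buckets = Counter((e["app"], e["time"].replace(minute=0, second=0)) for e in events)
    per_app = defaultdict(list)
    for (app, _), n in buckets.items():
        per_app[app].append(n)
    return sorted((app, hour.isoformat(), n) for (app, hour), n in buckets.items()
                  if hour.hour not in BUSINESS_HOURS
                  and n >= factor * statistics.median(per_app[app]))


def impossible_travel(events, window=timedelta(hours=1), geo=GEO):
    """The same user's grants used from two countries within `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for a, b in zip(evs, evs[1:]):
            ca, cb = geo.get(a["ip"], "?"), geo.get(b["ip"], "?")
            if ca != cb and b["time"] - a["time"] <= window:
                hits.add((user, ca, cb))
    return sorted(hits)


def large_exports(events, threshold=10000):
    """Single API calls returning at least `threshold` rows (bulk export signal)."""
    return [(e["user"], e["app"], e["rows"]) for e in events if e["rows"] >= threshold]


if __name__ == "__main__":
    print("post-reset token use:", len(token_survived_reset(EVENTS)))
    print("non-corporate sources:", non_corporate_sources(EVENTS))
    print("off-hours spikes:", off_hours_spikes(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
    print("bulk exports:", large_exports(EVENTS))
```

The post-reset rule is the cheapest high-signal check: it needs only the grant's issue time (present in consent and token audit records) and the reset time from the directory, and it fires on exactly the property the report describes, a token that outlived the password. The volume rule uses a per-app median rather than a fixed threshold so that a chatty integration is compared with its own normal rate.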
## Mitigation Strategies
- **OAuth Governance:** Implement tools that provide centralized visibility into all third-party grants across SaaS platforms.
- **Continuous Monitoring:** Shift from "point-in-time" installation reviews to continuous behavioral monitoring of what an app does *after* it is authorized.
- **Least Privilege:** Restrict which scopes standard users can consent to (e.g., allow only low-impact scopes from verified publishers and require admin consent for broad ones such as Mail.ReadWrite or Directory.ReadWrite.All); note that "Global Admin" is a directory role, not an OAuth scope, and no app grant should be able to confer it.
- **Automated Revocation:** Set policies to automatically revoke OAuth tokens for inactive users or apps that haven't been used in 30+ days.
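The governance, least-privilege and automated-revocation controls above, as an added example that is not the report's or any vendor's tooling. Scope names follow the Microsoft Graph delegated-permission style; the app purposes, the allow-lists, the admin-only list, the directory, the grant records and the 30-day idle limit are assumptions for the demonstration. It gates a new consent request against policy and lists existing grants that should be revoked: a grant still in use for a terminated user, an idle grant, and a calendar app that was allowed to keep mail access.

```python
"""Governance checks over a constructed inventory of third-party OAuth grants.

Added example, not the report's or any vendor's tooling. Purposes, allow-lists,
directory status, grant records and the idle limit are assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)

# Assumed policy: what a standard user may consent to, keyed by the app's declared purpose.
ALLOWED_BY_PURPOSE = {
    "calendar": {"User.Read", "Calendars.ReadWrite", "offline_access"},
    "chat": {"User.Read", "Chat.Read", "offline_access"},
}
# Assumed: broad scopes that always require admin consent, whatever the app claims to do.
ADMIN_ONLY = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
              "Directory.Read.All", "Directory.ReadWrite.All"}

# Constructed HR/directory status and grant inventory.
DIRECTORY = {"alice": "active", "carol": "terminated", "dave": "active"}
GRANTS = [
    {"id": "g1", "user": "alice", "app": "calendar-sync", "purpose": "calendar",
     "scope": "User.Read Calendars.ReadWrite Mail.ReadWrite offline_access",
     "last_used": NOW - timedelta(days=2)},
    {"id": "g2", "user": "carol", "app": "notes-ai", "purpose": "chat",
     "scope": "User.Read Chat.Read offline_access",
     "last_used": NOW - timedelta(days=3)},          # still used after carol left
    {"id": "g3", "user": "dave", "app": "summarizer", "purpose": "chat",
     "scope": "User.Read Chat.Read offline_access",
     "last_used": NOW - timedelta(days=90)},
    {"id": "g4", "user": "dave", "app": "calendar-sync", "purpose": "calendar",
     "scope": "User.Read Calendars.ReadWrite offline_access",
     "last_used": NOW - timedelta(days=1)},
]


def scopes(grant):
    return set(grant["scope"].split())


def excess_scopes(grant):
    """Scopes beyond what the app's declared purpose needs (a calendar app holding mail)."""
    return sorted(scopes(grant) - ALLOWED_BY_PURPOSE.get(grant["purpose"], set()))


def consent_decision(purpose, requested_scope):
    """Gate a new consent request: allow it, or route it to admin review with reasons."""
    requested = set(requested_scope.split())
    reasons = []
    if requested & ADMIN_ONLY:
        reasons.append("admin-only scope: " + " ".join(sorted(requested & ADMIN_ONLY)))
    extra = requested - ALLOWED_BY_PURPOSE.get(purpose, set())
    if extra:
        reasons.append("exceeds purpose: " + " ".join(sorted(extra)))
    return ("allow", []) if not reasons else ("admin-review", reasons)


def revocation_candidates(grants, directory=DIRECTORY, now=NOW, max_idle_days=30):
    """Grants to revoke: departed users, idle tokens, or over-privileged existing grants."""
    out = []
    for g in grants:
        reasons = []
        if directory.get(g["user"]) != "active":
            reasons.append("user-not-active")
        if now - g["last_used"] > timedelta(days=max_idle_days):
            reasons.append(f"idle>{max_idle_days}d")
        if excess_scopes(g):
            reasons.append("excess-scopes")
        if reasons:
            out.append((g["id"], reasons))
    return out


if __name__ == "__main__":
    for gid, why in revocation_candidates(GRANTS):
        print(gid, why)
    print(consent_decision("calendar", "User.Read Calendars.ReadWrite Mail.ReadWrite"))
```

In Microsoft Entra ID the equivalent inventory comes from the Microsoft Graph `oauth2PermissionGrants` resource (delegated grants, which are revoked by deleting the grant), and in Google Workspace from the Admin SDK Directory API `tokens` resource (per-user app tokens, with a delete operation for revocation). Neither records when a grant was last used, so the `last_used` field here stands in for the sign-in or token-audit telemetry those platforms expose separately.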
## Related Tools/Techniques
- **Illicit Consent Grant Attacks:** Phishing to trick users into clicking "Accept" on a fake app.
- **Golden SAML:** Forging SAML assertions with a stolen federation signing key; a related identity bypass that likewise sidesteps passwords and MFA once the signing material is in hand.
- **App Governance:** Security features within Microsoft Defender for Cloud Apps designed to mitigate these risks.