The Silent SaaS Threat: The 5 Questions

February 24, 2026

tl;dr

  • This post (Part 1) gives a quick risk read on Software-as-a-Service (SaaS) applications integrated with Microsoft Entra. Use the five questions below to identify where SaaS app governance is missing and where OAuth app exposure is most likely concentrated.
  • Part 2 provides the response playbook. We’ll cover the technicals on how to both prevent and respond to SaaS app abuse.
  • OAuth apps are now a primary attack path in Entra. Attackers increasingly bypass passwords and MFA by abusing trusted applications, delegated consent, and service principals.
  • SaaS app sprawl is the norm and it hides material risk. Many organizations have hundreds to thousands of apps, with unclear ownership, unknown business justification, and inconsistent governance.
  • Consent is the new credential. A single malicious or over-privileged consent can grant persistent access that survives password resets and MFA enforcement, especially when refresh tokens and app permissions are in play.


Introduction

In many Microsoft Entra environments, we’re seeing the same pattern repeat: SaaS sprawl is driving OAuth sprawl. Every time the business connects a SaaS product to Entra via SSO, OAuth consent, or an integration, it typically creates and relies on an application object in Entra that carries permissions, tokens, and trust.

The result is an expanding inventory of OAuth applications that represent SaaS integrations, often without clear ownership or governance. Organizations frequently can’t confidently answer what these apps are, who created them, why they exist, or what access they hold.

This observation is not unique to Team Invictus. Palo Alto Networks Unit 42 reported that SaaS applications were relevant in over 170 (23%) of their IR cases in 2025, underscoring how often trusted apps now show up in real intrusions. 

To give you an idea of the scale: a recent SaaS exposure assessment by Invictus showed that an organization with approximately 20,000 users had nearly 1,200 registered applications in their tenant. In another Invictus engagement, an organization with just 400 users had over 200 applications. OAuth applications have quietly become one of the largest risks in Microsoft Entra environments. 

In this post, we frame the OAuth risk landscape and the consent epidemic, then provide a five-question checklist to pressure-test your SaaS exposure. In Part 2, we shift from awareness to action. Your organization can begin to technically assess SaaS applications during or after an incident, identify dangerous permissions, and investigate suspicious activity similar to the Salesloft Drift breach and the Midnight Blizzard (a.k.a. APT29) campaign.

This Isn’t Theoretical: OAuth Abuse in the Wild

For many, the idea of an OAuth attack feels like a theoretical threat. It is something that could happen but probably won't. The reality is far more sobering. In 2025, we witnessed one of the most significant shifts in the threat landscape as attackers moved from trying to steal passwords to hijacking the "trust" between platforms.

Case Study: The Salesloft Drift Breach

Tracked as UNC6395, this campaign impacted over 700 organizations, including tech giants like Google, Zscaler, and Palo Alto Networks. Attackers infiltrated the development infrastructure of the Drift AI chatbot, exfiltrating OAuth access and refresh tokens.

Those stolen tokens acted as golden keys into the heart of global enterprises, allowing attackers to:

  • Bypass Identity Perimeters: They bypassed MFA and traditional logins entirely. To the target's environment, the malicious activity looked like "Drift" doing its normal job.
  • Bulk Data Exfiltration: Attackers exported entire databases of accounts, contacts, and sales opportunities.
  • Internal Surveillance: In Google Workspace, they used tokens to read emails and scrape sensitive internal communications.
  • Credential Harvesting: They combed support tickets for API keys and VPN passwords mistakenly pasted into integrated tools.

Case Study: Midnight Blizzard (APT29)

This Russian state-sponsored group began with a password spray against a legacy test tenant. Once inside, they discovered an OAuth application configured with excessive permissions via the Microsoft Graph API.

Using the app's delegated permissions, the attackers achieved:

  • Executive Surveillance: Accessed mailboxes of senior leadership and legal teams without triggering additional authentication.
  • Intelligence Gathering: Exfiltrated emails containing sensitive discussions regarding ongoing investigations into the group itself.
  • Persistent Footholds: Maintained access through the app's service principal, which remained active and trusted across tenants.

The Lesson

The Salesloft Drift and Midnight Blizzard attacks demonstrate a definitive shift: your environment is only as secure as the third-party apps and OAuth permissions you grant. Threat actors are bypassing the front door by exploiting the trusted integrations you've already invited in.

The OAuth Landscape

OAuth applications are the glue of the modern cloud, enabling services like ServiceNow, ChatGPT, and Snowflake to function without sharing passwords.

  • The Benefit: Seamless data access through delegated or application-level permissions.
  • The Risk: Attackers do not need a password if they can trick a user or administrator into approving a malicious consent request. Once granted, access can persist even if the password is changed or MFA is enabled.

The risk is becoming even greater. Many SaaS apps now incorporate AI features (e.g., ChatGPT integrations for data analysis or automation), which often require even broader permissions to process vast datasets like emails, files, or user analytics. This expands the attack surface: a compromised AI-enabled app typically holds broad read and write permissions across the tenant.

The Consent Epidemic

If you’ve been managing Entra ID for more than a few years, you likely remember the wild west era. In the early days, Microsoft’s default posture was heavily weighted toward productivity over protection. By default, any user could consent to applications accessing their own data.

While that seems helpful for, say, onboarding a new calendar app, it creates a massive, invisible 'Consent Epidemic'. It works because the friction is gone:

Need a calendar app? Click Accept.
Testing out the latest AI tool? Click Accept.
Integrating a file-sharing service? Click Accept.
       
While Microsoft has since course-corrected by introducing more security controls, the damage from that early productivity-first era has already been done. The ease of acceptance back then led to an epidemic of over-privileged apps that still exist in tenants today. Most organizations are sitting on a shadow registry of permissions they don't even know they have. This legacy epidemic manifests in three core risks that remain active threats today:

RISK_ID: SHADOW_REGISTRY
The Shadow Registry

Key Concern: Forgotten apps retain indefinite access to data like calendars, mailboxes, or user files, often granted years ago without review.

In nearly every Entra assessment, we find dormant apps consented to by ex-employees, consultants, or short-term projects. These create hidden entry points: if the third-party provider gets breached, attackers inherit valid permissions to your data, no new consent needed.

Example: A PDF exporter, unused for a long time, still holds Files.ReadWrite.All permissions. A compromise allows full access to all files the user can access. And who needs a PDF exporter anyway?

RISK_ID: PERMISSION_TRAP
The Convenience Permission Trap

Key Concern: Apps request (and get) excessive scopes, granting full-tenant access to data far beyond needs e.g., Mail.Read.All instead of Mail.Read.Basic.

SaaS vendors push broad permissions for "seamless" setup, pressuring IT to approve under business demands. This amplifies breach impact, as one app can scrape organization-wide resources.

Example: A productivity tool demands Directory.Read.All "to verify users," allowing a startup to access your entire employee database, groups, and apps. If compromised, attackers can export apps, groups, contacts, roles, and sensitive attributes without limits.

RISK_ID: OFFBOARDING_OVERSIGHT
The Offboarding Oversight

Key Concern: Canceled services leave active permissions persisting indefinitely, with access to prior data types (e.g., files or APIs) and no ongoing monitoring.

Organizations cancel subscriptions but forget to revoke Entra apps, maintaining trust links post-relationship. This turns ex-vendors into unmonitored risks.

Example: After ditching a marketing tool, its app lingers with Files.ReadWrite access from 2023. A breach at the vendor lets attackers re-enter your tenant and download all files it has access to.

Checklist: 5 Questions That Matter

SaaS security failures rarely happen because teams don’t care. They happen because ownership is unclear, controls are fragmented, and risk lives in the seams between vendors, admins, and business units.

This checklist is built to close that gap. It frames the highest-impact SaaS risks as clear, board-ready questions that drive decisions about what’s acceptable and what must change, before the next incident makes the decision for you.

5 Key Questions to Assess Microsoft Entra SaaS and OAuth Risk

Question: Who can grant consent to applications?
Action: Restrict User Consent.
Reasoning & Strategy: This is the single most impactful control; it prevents users from inadvertently acting as shadow admins for their own data.

Question: What are the permissions for each application?
Action: Audit Scopes with Business Context.
Reasoning & Strategy: Overprivileged permissions are the primary risk pattern in Entra; apps should only see what they absolutely need.

Question: Do you offboard unused applications, and are you aware of shadow applications?
Action: Lifecycle Reviews and Exposure Assessments.
Reasoning & Strategy: Shadow SaaS or Zombie Apps with active OAuth tokens provide persistent, unmonitored backdoors into your environment long after a contract ends.

Question: Can you detect risky consent activity?
Action: Enable App Alerts.
Reasoning & Strategy: Modern consent phishing bypasses MFA and EDR; you need specific detection for high-privilege grants and unverified publishers.

Question: What is your SaaS application Incident Response playbook?
Action: Create a SaaS IR Playbook.
Reasoning & Strategy: Standard "Ransomware" or "Data Exposure" playbooks fail in the cloud.
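As an added example (not Invictus tooling and not part of the original post), the triage below scores OAuth grants against the three RISK_IDs above and the "Audit Scopes" and "Lifecycle Reviews" actions in the checklist. The high-risk scope list, the 180-day dormancy threshold, the current-vendor list, and the sample grants are all assumptions constructed here; in a real tenant the grants come from Graph's oauth2PermissionGrant objects joined with each client service principal's display name and last sign-in.

```python
from datetime import datetime, timedelta, timezone

# Assumed thresholds and lists; tune these to your tenant (not from the post).
HIGH_RISK_SCOPES = {"Files.ReadWrite.All", "Directory.Read.All", "Mail.Read", "Mail.ReadWrite"}
DORMANT_AFTER = timedelta(days=180)
CURRENT_VENDORS = {"Calendar Sync"}      # apps that still have a contract and an owner
ASSESSMENT_DATE = datetime(2026, 2, 24, tzinfo=timezone.utc)

# Constructed sample data in the shape of Graph oauth2PermissionGrant objects
# (GET /oauth2PermissionGrants), joined with the client service principal's
# displayName and its last sign-in (None = never seen signing in).
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "displayName": "Calendar Sync", "consentType": "Principal",
     "scope": "User.Read Calendars.Read", "lastSignIn": "2026-02-20T08:00:00Z"},
    {"clientId": "sp-2", "displayName": "PDF Exporter", "consentType": "Principal",
     "scope": "User.Read Files.ReadWrite.All", "lastSignIn": "2023-06-01T08:00:00Z"},
    {"clientId": "sp-3", "displayName": "Marketing Tool", "consentType": "AllPrincipals",
     "scope": "Files.ReadWrite Directory.Read.All", "lastSignIn": None},
]


def _parse(ts):
    """Parse the UTC timestamp format Graph returns."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_grant(grant, now):
    """Return the RISK_IDs from the post that apply to a single grant."""
    findings = []
    risky = sorted(set(grant["scope"].split()) & HIGH_RISK_SCOPES)
    if risky:
        findings.append("PERMISSION_TRAP:" + ",".join(risky))
    if grant["consentType"] == "AllPrincipals":
        # Admin consent on behalf of every user: blast radius is the whole tenant.
        findings.append("TENANT_WIDE")
    last = grant.get("lastSignIn")
    if last is None or now - _parse(last) > DORMANT_AFTER:
        findings.append("SHADOW_REGISTRY")
    if grant["displayName"] not in CURRENT_VENDORS:
        findings.append("OFFBOARDING_OVERSIGHT")
    return findings


def triage_all(grants, now):
    """Map app display name -> findings, omitting apps with nothing to report."""
    report = {}
    for grant in grants:
        findings = triage_grant(grant, now)
        if findings:
            report[grant["displayName"]] = findings
    return report


if __name__ == "__main__":
    for app, hits in triage_all(SAMPLE_GRANTS, ASSESSMENT_DATE).items():
        print(f"{app}: {' '.join(hits)}")
```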

What’s Next?

In Part 2, we move from awareness to action: how to lock down applications and then assess Enterprise Applications during (or after) an incident. For example, pinpoint risky Graph permissions and privileged role assignments, and investigate suspicious service principal activity. If you haven’t reviewed your SaaS applications recently, there’s a strong chance you’ll uncover something unexpected.

Contact our team for a SaaS assessment and start reducing risk today!

About Invictus Incident Response

We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!

🆘 For Incident Response support, reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7