nOAuth continues to go undetected by SaaS vendors, who may not even know what to look for, and it is nearly impossible for enterprise customers to defend against, allowing attackers to take over accounts and exfiltrate data.

Semperis, a provider of AI-powered identity security and cyber resilience, released new research into nOAuth, a known vulnerability in Microsoft’s Entra ID that enables full account takeover in vulnerable SaaS apps with minimal attacker effort, posing a severe risk to enterprises relying on cross-tenant Entra integrations. Eric Woodruff, Semperis’ Chief Identity Architect, presented his findings this week at Troopers 2025 in Heidelberg, Germany.

nOAuth was first disclosed in 2023 by Omer Cohen of Descope, highlighting a flaw in how some SaaS applications implement OpenID Connect. Semperis’ follow-up research focused on Entra-integrated applications in Microsoft’s Entra Application Gallery, identifying a wide range of applications still vulnerable to nOAuth abuse more than a year later.


Discovered through cross-tenant testing, nOAuth exploits Entra ID app configurations that permit unverified email claims as user identifiers, a known anti-pattern per OpenID Connect standards. In these scenarios, attackers need only an Entra tenant and the target’s email address to assume control of the victim’s SaaS account. Traditional safeguards like MFA, conditional access, and Zero Trust policies offer no protection.
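The claim-mapping anti-pattern described above, as an added example that is not from Semperis or the article: a SaaS-side lookup keyed on the mutable email claim beside one keyed on the tenant and object identifiers that Entra ID issues. All tenant ids, object ids, accounts and claim sets below are constructed, and signature, issuer and audience validation of the ID token are assumed to have already passed.

```python
# Added example (not Semperis' or the article's code). Shows why mapping an
# ID token to a SaaS account by its email claim lets a token minted in an
# unrelated tenant land in the victim's account, and the conformant mapping.
# Every identifier here is constructed; token verification is assumed done.

VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"    # constructed tid
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed tid
VICTIM_OID = "aaaaaaaa-0000-0000-0000-000000000001"       # constructed oid

# The SaaS app's user table. Which columns identify a user is the app's choice,
# and that choice is exactly what nOAuth abuses.
USERS = [
    {"account": "acct-victim", "email": "alice@victim.example",
     "tid": VICTIM_TENANT, "oid": VICTIM_OID},
]


def map_user_by_email(claims):
    """Vulnerable: trusts the email claim, which the issuing tenant's admin
    controls and which Entra does not verify against domain ownership."""
    wanted = claims.get("email", "").lower()
    for u in USERS:
        if u["email"].lower() == wanted:
            return u["account"]
    return None


def map_user_by_subject(claims):
    """Hardened: identity is the (tid, oid) pair. OIDC names sub as the only
    stable identifier; Entra's oid scoped by tid is the equivalent immutable
    key and cannot be set to another tenant's values by a foreign tenant."""
    for u in USERS:
        if u["tid"] == claims.get("tid") and u["oid"] == claims.get("oid"):
            return u["account"]
    return None


# Constructed ID-token claim sets. The attacker-tenant token carries the
# victim's email (set freely on a user in that tenant) but its own tid/oid.
VICTIM_CLAIMS = {"tid": VICTIM_TENANT, "oid": VICTIM_OID,
                 "email": "alice@victim.example"}
ATTACKER_CLAIMS = {"tid": ATTACKER_TENANT,
                   "oid": "bbbbbbbb-0000-0000-0000-000000000002",
                   "email": "alice@victim.example"}

if __name__ == "__main__":
    print("email mapping, foreign-tenant token ->", map_user_by_email(ATTACKER_CLAIMS))
    print("subject mapping, foreign-tenant token ->", map_user_by_subject(ATTACKER_CLAIMS))
```

In the email path the foreign-tenant token resolves to the victim's account; in the subject path it resolves to nothing, which is the check MSRC's guidance to gallery vendors is meant to enforce.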

“It’s easy for well-meaning developers to follow insecure patterns without realizing it and in many cases, they don’t even know what to look for,” said Woodruff. “Meanwhile, customers are left with no way to detect or stop the attack, making this an especially dangerous and persistent threat.”

Safeguarding Against the nOAuth Vulnerability

In a broad test of more than 100 Entra-integrated SaaS applications, Woodruff found nearly 10% were vulnerable to nOAuth abuse. Once the vulnerability is exploited, attackers can gain full access to a user’s account in the SaaS app, enabling data exfiltration, persistence, and potential lateral movement. The Microsoft Security Response Center (MSRC) advises SaaS vendors to follow its recommendations to prevent nOAuth abuse or risk expulsion from the Entra Application Gallery.


“nOAuth abuse is a serious threat that many organizations may be exposed to,” continued Woodruff. “It’s low effort, leaves almost no trace and bypasses end-user protections. We’ve confirmed exploitation is still possible in many SaaS apps, which makes this an urgent call to action. We encourage developers to implement the necessary fixes and help protect their customers before this flaw is exploited further.”

Semperis reported its findings to both affected vendors and Microsoft, beginning in December 2024. While some vendors have since remediated their applications, others remain vulnerable. Without deep log correlation across both Entra ID and the SaaS platform, detecting nOAuth abuse is nearly impossible.

Semperis researchers, pioneers in identity threat detection, recently announced new detection capabilities in the company’s Directory Services Protector platform to defend against BadSuccessor, a high-severity privilege escalation technique targeting a newly introduced feature in Windows Server 2025. Last year, Semperis researchers discovered Silver SAML, a new variant of the SolarWinds-era Golden SAML technique that bypasses standard defenses in Entra ID-integrated applications.



Source: prnewswire