MITRE ATT&CK Technique
Description
Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends.(Citation: Push Security SaaS Persistence 2022)(Citation: SaaS Attacks GitHub Evil Twin Integrations) OAuth is an open standard that allows users to authorize applications to access their information on their behalf. In a SaaS environment such as Microsoft 365 or Google Workspace, users may integrate applications to improve their workflow and achieve tasks. Leveraging application integrations may allow adversaries to persist in an environment – for example, by granting consent to an application from a high-privileged adversary-controlled account in order to maintain access to its data, even in the event of losing access to the account.(Citation: Wiz Midnight Blizzard 2024)(Citation: Microsoft Malicious OAuth Applications 2022)(Citation: Huntress Persistence Microsoft 365 Compromise 2024) In some cases, integrations may remain valid even after the original consenting user account is disabled.(Citation: Push Security Slack Persistence 2023) Application integrations may also allow adversaries to bypass multi-factor authentication requirements through the use of [Application Access Token](https://attack.mitre.org/techniques/T1550/001)s. Finally, they may enable persistent [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) over time.(Citation: Synes Cyber Corner Malicious Azure Application 2023) Creating or adding a new application may require the adversary to create a dedicated [Cloud Account](https://attack.mitre.org/techniques/T1136/003) for the application and assign it [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) – for example, in Microsoft 365 environments, an application can only access resources via an associated service principal.(Citation: Microsoft Entra ID Service Principals)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2025-03-20T22:21:59.326Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may achieve persistence by leveraging OAuth '
'application integrations in a software-as-a-service '
'environment. Adversaries may create a custom application, add '
'a legitimate application into the environment, or even co-opt '
'an existing integration to achieve malicious ends.(Citation: '
'Push Security SaaS Persistence 2022)(Citation: SaaS Attacks '
'GitHub Evil Twin Integrations)\n'
'\n'
'OAuth is an open standard that allows users to authorize '
'applications to access their information on their behalf. In '
'a SaaS environment such as Microsoft 365 or Google Workspace, '
'users may integrate applications to improve their workflow '
'and achieve tasks. \n'
'\n'
'Leveraging application integrations may allow adversaries to '
'persist in an environment – for example, by granting consent '
'to an application from a high-privileged adversary-controlled '
'account in order to maintain access to its data, even in the '
'event of losing access to the account.(Citation: Wiz Midnight '
'Blizzard 2024)(Citation: Microsoft Malicious OAuth '
'Applications 2022)(Citation: Huntress Persistence Microsoft '
'365 Compromise 2024) In some cases, integrations may remain '
'valid even after the original consenting user account is '
'disabled.(Citation: Push Security Slack Persistence 2023) '
'Application integrations may also allow adversaries to bypass '
'multi-factor authentication requirements through the use of '
'[Application Access '
'Token](https://attack.mitre.org/techniques/T1550/001)s. '
'Finally, they may enable persistent [Automated '
'Exfiltration](https://attack.mitre.org/techniques/T1020) over '
'time.(Citation: Synes Cyber Corner Malicious Azure '
'Application 2023)\n'
'\n'
'Creating or adding a new application may require the '
'adversary to create a dedicated [Cloud '
'Account](https://attack.mitre.org/techniques/T1136/003) for '
'the application and assign it [Additional Cloud '
'Roles](https://attack.mitre.org/techniques/T1098/003) – for '
'example, in Microsoft 365 environments, an application can '
'only access resources via an associated service '
'principal.(Citation: Microsoft Entra ID Service Principals) ',
'external_references': [{'external_id': 'T1671',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1671'},
{'description': 'Lior Sonntag. (2024, February 8). '
'Midnight Blizzard attack on '
'Microsoft corporate environment: a '
'detailed analysis, detections and '
'recommendations. Retrieved March 20, '
'2025.',
'source_name': 'Wiz Midnight Blizzard 2024',
'url': 'https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-analysis-and-best-practices'},
{'description': 'Luke Jennings. (2022, November 29). '
'Maintaining persistent access in a '
'SaaS-first world. Retrieved March '
'20, 2025.',
'source_name': 'Push Security SaaS Persistence 2022',
'url': 'https://pushsecurity.com/blog/maintaining-persistent-access-in-a-saas-first-world/'},
{'description': 'Luke Jennings. (2023, October 24). '
"Slack Attack: A phisher's guide to "
'persistence and lateral movement. '
'Retrieved March 20, 2025.',
'source_name': 'Push Security Slack Persistence 2023',
'url': 'https://pushsecurity.com/blog/phishing-slack-persistence/'},
{'description': 'Microsoft Threat Intelligence. '
'(2022, September 22). Malicious '
'OAuth applications abuse cloud email '
'services to spread spam. Retrieved '
'March 20, 2025.',
'source_name': 'Microsoft Malicious OAuth '
'Applications 2022',
'url': 'https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-OAuth-applications-used-to-compromise-email-servers-and-spread-spam/'},
{'description': 'Microsoft. (2023, December 15). '
'Application and service principal '
'objects in Microsoft Entra ID. '
'Retrieved February 28, 2024.',
'source_name': 'Microsoft Entra ID Service '
'Principals',
'url': 'https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser'},
{'description': 'Push Security. (n.d.). Evil twin '
'integrations. Retrieved March 20, '
'2025.',
'source_name': 'SaaS Attacks GitHub Evil Twin '
'Integrations',
'url': 'https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md'},
{'description': 'Sharon Martin. (2024, November 5). '
'Legitimate Apps as Traitorware for '
'Persistent Microsoft 365 Compromise. '
'Retrieved March 20, 2025.',
'source_name': 'Huntress Persistence Microsoft 365 '
'Compromise 2024',
'url': 'https://www.huntress.com/blog/legitimate-apps-as-traitorware-for-persistent-microsoft-365-compromise'},
{'description': 'syne0. (2023, July 10). Malicious '
'Azure Application PERFECTDATA '
'SOFTWARE and Microsoft 365 Business '
'Email Compromise. Retrieved March '
'20, 2025.',
'source_name': 'Synes Cyber Corner Malicious Azure '
'Application 2023',
'url': 'https://cybercorner.tech/malicious-azure-application-perfectdata-software-and-office365-business-email-compromise/'}],
'id': 'attack-pattern--c31aebd6-c9b5-420f-ba2a-5853bbf897fa',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-04-15T19:59:05.283Z',
'name': 'Cloud Application Integration',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Office Suite', 'SaaS'],
'x_mitre_version': '1.0'}