Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

nOAuth abuse and cross-tenant account takeover: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Nine of 104 tested applications were found vulnerable to nOAuth abuse, a low-complexity cross-tenant attack that can enable account takeover, data exfiltration, persistence, and lateral movement in Entra-connected SaaS, according to Semperis. The governance failure is deeper than a misconfigured claim: applications that trust mutable email attributes as identity have already lost the stability assumption IAM depends on.

NHIMG editorial — based on content published by Semperis: nOAuth abuse research and disclosure findings

Questions worth separating out

Q: How should security teams prevent cross-tenant account takeover in SaaS apps?

A: Security teams should require stable identity binding, usually issuer plus subject, and forbid account linking based on mutable attributes such as email.

Q: Why do email claims create identity risk in federated SaaS environments?

A: Email claims are risky because they are useful for contact and lookup but are not stable proof of identity.

Q: What do teams get wrong about account merging in multi-IdP applications?

A: Teams often assume that a matching email means the same person, when it only means the same address value.

Practitioner guidance

  • Replace email-based account keys Require application teams to bind users with immutable issuer and subject claims, and block account creation paths that key on mutable email attributes.
  • Test SaaS account-merge logic Validate whether each Entra-connected application performs ownership proof before merging identities from different sources or tenants.
  • Review app registrations for unverified claims Check whether any app registration still accepts unverified email claims and document whether the application consumes them for identity decisions.

What's in the full article

Semperis's full research covers the operational detail this post intentionally leaves for the source:

  • The step-by-step nOAuth abuse workflow across Entra tenant setup, app registration, and token handling.
  • The testing approach Semperis used against 104 applications in the Entra App Gallery.
  • Developer-level mitigation guidance for moving from email claims to immutable OIDC identifiers.
  • The disclosure timeline with MSRC and the vendor response context behind the research.

👉 Read Semperis's analysis of nOAuth abuse in Entra-connected SaaS →

nOAuth abuse and cross-tenant account takeover: what teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Mutable identity claims create an account-binding failure, not just an authentication bug. nOAuth abuse works because some SaaS applications still treat email as if it were a durable identity anchor. That assumption was designed for user convenience and contactability, not for security-grade account binding. The implication is that federation governance has to separate stable identity from mutable attributes before account linking logic is trusted.

A few things that frame the scale:

  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%), according to The State of Non-Human Identity Security.
  • A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is exactly the visibility gap that makes cross-tenant trust abuse hard to spot, according to The State of Non-Human Identity Security.

A question worth separating out:

Q: Who is accountable when a SaaS app accepts the wrong federated identity?

A: The vendor owns the application design, but the customer remains accountable for procurement, configuration review, and ongoing assurance. If a SaaS app cannot prove it uses immutable identity claims correctly, the customer should treat it as a governance issue and not rely on tenant-side detection alone.

👉 Read our full editorial: nOAuth abuse exposes a cross-tenant account takeover gap



   
ReplyQuote
Share: