Ask most people how an attacker gets into a corporate account and they will describe a stolen password. But there is a quieter path that never touches the password at all: the malicious connected app. A user clicks “Allow,” grants a third-party application access to their email, files, or calendar through OAuth, and hands over standing access that survives password changes and often flies under the radar of the usual defenses. It is one of the more underappreciated risks in a cloud-first environment.
How connected apps work
Modern platforms, Google Workspace, Microsoft 365, and countless SaaS tools, let third-party applications connect to your account through OAuth. When you use a “Sign in with…” button or grant an app permission to your calendar or inbox, you are authorizing that application to act with some slice of your access, without ever giving it your password.
This is genuinely useful; it powers the integrations people rely on daily. But it means access to an account is not governed by the password alone. It is also governed by whatever applications the user has connected, and by what those applications are permitted to do.
Where the risk comes from
Several properties make malicious or over-permissioned connected apps dangerous:
They bypass password defenses entirely. A connected app has its own access token. Changing the account password does not revoke it. Even multi-factor authentication, which protects the login, does nothing about an app that was already authorized. The usual account protections simply do not apply.
Permissions are often far broader than needed. Consent screens ask for scopes, “read your email,” “manage your files”, and users tend to click through without scrutinizing them. An app that needed to read one calendar may have been granted access to the entire mailbox. Attackers deliberately request broad scopes precisely because users approve them.
Access persists quietly. Once granted, a connected app keeps its access indefinitely unless someone explicitly revokes it. A malicious app can maintain a foothold for a long time, and because it is not a “login,” it often does not trip the monitoring tuned to watch for suspicious sign-ins.
The attack in practice
A common pattern is consent phishing. Instead of trying to steal a password, the attacker sends what looks like a legitimate request to connect an app, often impersonating a trusted service. The user, seeing a familiar-looking consent screen, clicks “Allow.” No credentials are stolen because none are needed; the user has just granted a hostile application ongoing access to their data.
From there the app can quietly read email, download files, or harvest contacts, and it keeps doing so until someone notices and revokes it. Because nothing about it looks like a break-in, that can take a long time.
Assessing the real impact
To understand the exposure, look past “an app has access” to what that access actually enables:
- What data can it reach? Read access to an executive’s inbox is a different order of risk than access to a limited calendar.
- Can it act, or only read? An app that can send mail or modify files can do active damage, not just observe.
- Whose account is it connected to? The same permissions are far more dangerous on a privileged or executive account.
- How long has it had access, and is anyone watching? Persistent, unmonitored access is where quiet, long-running compromise lives.
Limiting the damage
Connected-app risk is manageable with deliberate controls:
- Govern app consent. Restrict which third-party apps users can authorize on their own, and require review or approval for anything requesting sensitive scopes. This single control prevents most consent-phishing outcomes.
- Audit connected apps regularly. Review what is connected across your environment, what each can access, and revoke anything unrecognized, unused, or over-permissioned.
- Enforce least privilege on scopes. Where you control the integrations, grant the minimum access needed, not the maximum offered.
- Monitor for suspicious consent activity. Watch for unusual app authorizations, especially broad-scope grants, the way you watch for suspicious logins.
- Educate users about consent screens. People scrutinize password prompts but click through permission requests. Teach them that “Allow” can hand over as much as a password does.
The takeaway
Account security is not only about who knows the password. It is also about what applications have been invited in and what they are allowed to do. Malicious connected apps exploit a trust mechanism most organizations barely monitor, granting attackers persistent, password-independent access that standard defenses miss. Bring connected apps under the same scrutiny you apply to logins, and the path closes. If you want your cloud environment, including its OAuth and integration exposure, assessed properly, our cloud penetration testing covers exactly this ground, and you can scope an engagement that includes it.
Written by
Invadel Team
Senior penetration testers writing from real engagements — the same team that scopes, tests, and reports for our clients. About Invadel →