Skip to main content

Jul 16, 2026

The OAuth App Nobody Owns Anymore

Someone approved a third-party app's access two years ago and then left. The app still has everything it was granted

Every SaaS integration your org has ever approved is still approved. An admin clicked accept on a third-party app two years ago, granting it broad access to mail or files across the tenant. That admin changed teams or left. The consent didn't go anywhere. The app still holds every permission it was handed.

Offboarding revokes the person. It rarely revokes what the person authorized.

A Grant That Outlives Its Owner

OAuth consent creates a standing grant that lives independent of the human who approved it. The app gets its own identity in the directory and its own credentials, so its access survives password resets, MFA changes, and the departure of everyone who ever touched it. Nobody logs in, so there's no session to flag. If that app was over-permissioned or later compromised, it's a quiet, fully authorized path to data no sign-in monitoring will surface. This is the shape of the illicit-consent attacks nation-state groups have leaned on for years, because it sidesteps the entire authentication stack.

The Backdoor With a Legitimate Badge

These apps hide well because everything about them is legitimate. The consent was real, the scopes were approved, the token is valid. What's missing is an owner and a reason.

An app that hasn't been touched in months but still holds admin-consented access to sensitive data is just an unattended key with a valid token. The questions that decide whether it's dangerous aren't in the login logs: who approved it, is that person still here, does anything still depend on it, and does its access match anything it actually does.

Auditing people when they leave is table stakes. Auditing what they authorized is the part still waiting to catch up.

See the latest from Abnormal's product and engineering teams.

Protect Against Evolving Email Threats

See how behavioral AI detects attacks that legacy defenses miss.