“the gap is that most security programs weren't built to account for it at scale. cisos know it's a problem. most aren't solving it. new research from material security quantifies the gap between awareness and action. 80% of security leaders consider unmanaged oauth grants …”
T1525 Implant Internal Image
67%
“default way third-party apps and ai tools connect to the enterprise workspace. that's not changing. the number of grants in most environments will continue to grow as ai adoption accelerates. telling employees they can't use ai tools isn't a viable security posture for mo…”
T1525 Implant Internal Image
67%
“the back door attackers know about — and most security teams still haven’t closed every ai tool, workflow automation, and productivity app your employees connected to google or microsoft this year left something behind: a persistent oauth token with no expiration date, no auto…”
T1525 Implant Internal Image
65%
“a suspicious, unknown app. it was an attack through a trusted one. the lesson isn't that organizations should restrict oauth integrations — it's that trusting an app at the time of installation doesn't mean it stays trustworthy, and that oauth grants need active, continuous…”
T1528 Steal Application Access Token
59%
“pressing issue is that oauth grants are an active attack vector. the drift incident makes that concrete. drift, a sales engagement platform acquired by salesloft, maintained oauth integrations with salesforce instances across hundreds of customer organizations. a threat actor tra…”
T1525 Implant Internal Image
53%
“pressing issue is that oauth grants are an active attack vector. the drift incident makes that concrete. drift, a sales engagement platform acquired by salesloft, maintained oauth integrations with salesforce instances across hundreds of customer organizations. a threat actor tra…”
T1525 Implant Internal Image
52%
“: - vendor trust and scope analysis — the standard baseline that most tools stop at - behavioral monitoring of actual api calls made by the app over time, surfacing anomalies against expected behavior - blast radius assessment based on the access levels and data exposure of the a…”
T1528 Steal Application Access Token
51%
“app is linked to, you’re still operating half-blind. a risky app tied to an intern’s account is one thing – the same app being used by a vip with access to countless sensitive emails, files, and systems is something else entirely. the drift attack didn't involve a suspici…”
T1525 Implant Internal Image
51%
“app is linked to, you’re still operating half-blind. a risky app tied to an intern’s account is one thing – the same app being used by a vip with access to countless sensitive emails, files, and systems is something else entirely. the drift attack didn't involve a suspici…”
T1528 Steal Application Access Token
49%
“a suspicious, unknown app. it was an attack through a trusted one. the lesson isn't that organizations should restrict oauth integrations — it's that trusting an app at the time of installation doesn't mean it stays trustworthy, and that oauth grants need active, continuous…”
T1525 Implant Internal Image
49%
“documents and years of email history is categorically different from the same grant on a freshly provisioned account with limited exposure. the reach of the user's account determines the potential impact of a compromised or malicious oauth connection. risk scoring should reflec…”
T1528 Steal Application Access Token
31%
“documents and years of email history is categorically different from the same grant on a freshly provisioned account with limited exposure. the reach of the user's account determines the potential impact of a compromised or malicious oauth connection. risk scoring should reflec…”
Summary
Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don't see it. Your MFA doesn't stop it. And when an attacker gets hold of one, they don't need a password.
OAuth