nOAuth: A Two-Year-Old Entra ID Loophole Still Lets Attackers Take Over
New survey shows nearly one in ten Microsoft-linked SaaS apps can be hijacked
A fresh investigation by identity-security firm Semperis has reignited concern about a weakness first publicised in mid-2023 and nicknamed nOAuth. The company examined 104 cloud software products that let customers sign in with Microsoft Entra ID and discovered that nine of them—roughly nine per cent—remain open to a simple account-takeover trick. The research team warns that the gap, which lives in the way some developers implement OpenID Connect on top of OAuth, is so easy to abuse that an attacker needs little more than a throwaway tenant and a few minutes of setup to slip into a victim’s profile.
Why the flaw refuses to die
The core of nOAuth is a design shortcut: many apps treat an email address as the one-and-only piece of data that identifies a user. Entra ID, however, allows an account to list any email—even one that has never been verified—and will happily present that claim to third-party services. By changing the mail attribute inside their own tenant to match the target’s address, a criminal can stroll through the “Log in with Microsoft” door and land inside the victim’s workspace. Because the two tenants are separate, routine defences such as multi-factor prompts on the real account do not fire.
Cross-tenant blind spot leaves few footprints
Semperis chief identity architect Eric Woodruff calls the exploit “low effort and almost invisible.” Once inside, an intruder can read stored data, download documents, or even move laterally into Microsoft 365 resources that the compromised SaaS app is authorised to reach. Audit logs often show nothing more suspicious than a successful Entra sign-in from an unexpected tenant, an event many security teams overlook. That combination of ease, stealth and impact prompted Microsoft to publish guidance back in 2023 urging developers to rely on the immutable sub (subject) plus iss (issuer) claims—never the email address—when mapping users. Apps that fail to follow the rule now risk being expelled from the Entra App Gallery.
Responsibility lies with the builders, not the customers
Unlike network misconfigurations that admins can tighten, nOAuth is baked into the affected applications’ sign-in code. Customers have no switch to flip or policy to enable; they must wait for vendors to ship a fix. That puts pressure on SaaS providers to audit their identity flows, create an unchangeable internal user ID, and ignore every other claim when linking accounts. Semperis argues that many developers were never aware of the original disclosure, while others assumed their use of Entra’s built-in libraries kept them safe. The new data suggests otherwise, showing that even tools listed in Microsoft’s own catalogue can fall short of best practice.
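The following Python sketch is an added illustration, not code from Semperis, Microsoft or any affected vendor: it contrasts the email-keyed account lookup the article describes with the issuer-plus-subject mapping Microsoft recommends. The claim sets, tenant names and user IDs are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed ID-token claim sets (not real tokens). The victim signs in from
# tenant A; the attacker's account in tenant B has had its mutable "email"
# attribute set to the victim's address, which is the nOAuth trick.
VICTIM_CLAIMS = {
    "iss": "https://login.microsoftonline.com/TENANT-A-PLACEHOLDER/v2.0",
    "sub": "victim-subject-id",
    "email": "alice@example.com",
}
ATTACKER_CLAIMS = {
    "iss": "https://login.microsoftonline.com/TENANT-B-PLACEHOLDER/v2.0",
    "sub": "attacker-subject-id",
    "email": "alice@example.com",  # same address, different account
}


@dataclass
class UserStore:
    """Hypothetical SaaS user directory keyed two ways for comparison."""
    users: dict = field(default_factory=dict)             # internal id -> profile
    by_email: dict = field(default_factory=dict)          # the risky index
    by_issuer_subject: dict = field(default_factory=dict)  # the safe index

    def register(self, user_id, claims):
        # Email is stored as display data only; identity is (iss, sub).
        self.users[user_id] = {"email": claims.get("email")}
        self.by_email[claims.get("email")] = user_id
        self.by_issuer_subject[(claims["iss"], claims["sub"])] = user_id


def build_store():
    store = UserStore()
    store.register("user-1", VICTIM_CLAIMS)  # only the real user is enrolled
    return store


def vulnerable_lookup(store, claims):
    """The nOAuth pattern: the unverified email claim alone selects the account."""
    return store.by_email.get(claims.get("email"))


def hardened_lookup(store, claims):
    """Map on the immutable issuer+subject pair; a missing claim is a hard failure."""
    if "iss" not in claims or "sub" not in claims:
        return None
    return store.by_issuer_subject.get((claims["iss"], claims["sub"]))
```

With the hardened lookup the attacker's token resolves to no existing account, so the application would treat it as a new, unlinked identity rather than the victim's.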
Parallel worries in the container world
The week’s security news is not limited to Entra ID. Researchers at Trend Micro published findings that mis-scoped privileges in Kubernetes clusters can let an attacker inside one container sniff network traffic or spoof API calls to harvest Amazon Web Services credentials. The report highlights weaknesses in Amazon EKS Pod Identity, noting that overly generous permissions and unencrypted HTTP sessions make it possible to grab plaintext secrets and escalate control. As with nOAuth, the remedy is strict least-privilege design from the start—locking down container capabilities, scoping IAM roles tightly and encrypting every hop.
An old bug, a new urgency
Microsoft says it has not spotted active nOAuth exploitation in the wild, yet history shows that once proof-of-concept code appears, criminals move fast. Because the technique works across tenant lines and leaves little residue, defenders cannot assume that lack of evidence equals safety. Semperis recommends that security teams monitor sign-in events for unknown tenant IDs, press suppliers for a statement of compliance with Microsoft’s OpenID Connect guidance, and favour vendors that show clear proof of a proper fix.
The bottom line is stark: two years after its debut, nOAuth is still an open invitation for account hijackers, and only the developers behind vulnerable SaaS offerings can slam the door shut. Until they do, organisations should treat every third-party sign-in as a potential weak link in their cloud-security chain.