Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
BP-025 OAuth Token Privilege Escalation
Scope Expansion Abuse
What This Breach Pattern Is
OAuth Token Privilege Escalation occurs when attackers exploit incorrectly configured OAuth application permissions to escalate privileges beyond what the legitimate user or application should have access to. This sophisticated attack vector allows adversaries to gain administrative capabilities without triggering traditional authentication monitoring systems.
OAuth tokens can hold privileges far greater than the user's actual role — enabling API-based admin actions without any interactive login. Attackers leverage this to silently escalate privileges using Microsoft Graph and REST APIs, bypassing multifactor authentication and conditional access policies entirely.

Critical Risk
OAuth serves as a stealth privilege escalation path that bypasses MFA and login monitoring, making it extremely dangerous in enterprise environments.
Common Exploitation Scenarios
Excessive Scope Requests
OAuth applications request broad or high-risk scopes that exceed business requirements, creating opportunities for privilege abuse.
Unintentional Admin Consent
Administrators inadvertently grant tenant-wide consent to malicious or compromised OAuth applications.
Refresh Token Abuse
Long-lived refresh tokens enable silent privilege escalation without user interaction or additional authentication.
Self-Provisioning Apps
Applications exploit weak governance to provision additional privileges autonomously after initial deployment.
Enterprise apps frequently include privileged Microsoft Graph scopes by default, while consent phishing campaigns grant long-lived privileged access that persists undetected. Weak app registration policies further permit scope escalation, creating multiple attack surfaces for privilege abuse.
Attacker Objectives
1. Directory Access Expansion
Gain or increase access to sensitive directory resources including user profiles, group memberships, and organizational data.
2. Role Assignment Manipulation
Assign elevated roles to compromised identities or service principals to establish persistent administrative access.
3. Security Control Subversion
Modify or disable Conditional Access policies, MFA requirements, and identity governance controls to weaken defenses.
4. Data Exfiltration
Leverage escalated privileges to exfiltrate large volumes of sensitive organizational data via Microsoft Graph APIs.
5. Persistence Establishment
Create new OAuth applications or register rogue enterprise apps to maintain long-term access and override governance controls.
Critical Misconfigurations
MC-143 — No User Consent Restrictions
Users can approve high-risk OAuth scopes without administrative oversight, enabling attackers to leverage social engineering for privilege escalation.
MC-201 — Over-Permissioned App Roles
Applications request dangerous Microsoft Graph API scopes that exceed legitimate business requirements, creating excessive privilege exposure.
MC-204 — Lack of Privileged Access Governance
Absence of monitoring for OAuth scopes requested and granted allows privilege escalation to proceed undetected by security teams.
MC-147 — Weak App Registration Governance
Inadequate controls permit rogue OAuth applications to be created and deployed without detection or approval workflows.
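MC-143 and MC-147 are both tenant-level settings that can be audited from the directory's authorization policy. The following is an added example written for this page, not code from the original author: it takes a dict shaped like the Microsoft Graph authorizationPolicy resource (the defaultUserRolePermissions.permissionGrantPoliciesAssigned and allowedToCreateApps fields, as the example's author understands them; verify against your tenant) and reports the two misconfigurations, with a weak policy beside a hardened one. The sample policies and the policy id constants are assumptions.

```python
"""Audit tenant consent and app-registration settings (MC-143, MC-147).

Example code added here; not from the original page. The input dict mirrors
the Microsoft Graph authorizationPolicy resource
(defaultUserRolePermissions.permissionGrantPoliciesAssigned and
defaultUserRolePermissions.allowedToCreateApps) as the author of this
example understands it; verify the field names and policy ids against your
own tenant before relying on them. The two sample policies are constructed.
"""
from typing import Dict, List

# Built-in permission grant policies that govern self-service user consent.
USER_CONSENT_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
USER_CONSENT_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


def audit_authorization_policy(policy: Dict) -> List[str]:
    """Return misconfiguration findings for a tenant authorization policy."""
    findings = []
    perms = policy.get("defaultUserRolePermissions", {})
    assigned = perms.get("permissionGrantPoliciesAssigned", [])

    # MC-143: the legacy policy lets any user consent to any scope for any app.
    if USER_CONSENT_ALL in assigned:
        findings.append("MC-143: users can consent to high-risk scopes without admin review")
    # An empty list means user consent is off and every request goes through
    # the admin consent workflow; the low-risk policy is the usual middle ground.

    # MC-147: defaulting to True mirrors the tenant default that lets
    # every user register applications.
    if perms.get("allowedToCreateApps", True):
        findings.append("MC-147: all users can register applications")
    return findings


# Constructed examples: the weak default next to a hardened configuration.
WEAK_POLICY = {
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [USER_CONSENT_ALL],
    }
}
HARDENED_POLICY = {
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,
        "permissionGrantPoliciesAssigned": [USER_CONSENT_LOW_RISK],
    }
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_authorization_policy(pol) or ["no findings"])
```

Treating a missing allowedToCreateApps value as True is deliberate: the check should fail closed, so an incomplete export of the policy is reported as a finding rather than silently passing.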
Detection Signals & Monitoring
DL-031 — Suspicious OAuth Consent Grant
Detects abnormal consent events including unusual timing, user behavior patterns, or applications requesting consent outside normal business processes.
DL-032 — High-Risk OAuth Permissions Granted
Flags dangerous Microsoft Graph scopes that enable privilege escalation:
  • Directory.ReadWrite.All — Full directory modification
  • RoleManagement.ReadWrite.Directory — Role assignment control
  • Application.ReadWrite.All — App registration manipulation
  • offline_access — Long-lived refresh tokens
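DL-031 and DL-032 can be checked together over the tenant's existing consent grants. The block below is an added example, not code from the original page: each record follows the shape of a Microsoft Graph oauth2PermissionGrant (clientId, consentType, principalId, resourceId, scope) plus a constructed grantedAt timestamp. It scores each grant using the four scopes listed above, rates tenant-wide (AllPrincipals) consent to write-capable scopes highest, and adds the off-hours timing signal from DL-031. The sample grants and the business-hours window are assumptions.

```python
"""Review OAuth2 permission grants for privilege-escalation risk (DL-031, DL-032).

Example code added here; it is not part of the original page. Each record
follows the shape of a Microsoft Graph oauth2PermissionGrant (clientId,
consentType, principalId, resourceId, scope) plus a constructed `grantedAt`
timestamp; the sample grants and the business-hours window are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Delegated scopes the page flags as enabling privilege escalation (DL-032).
HIGH_RISK_SCOPES: Dict[str, str] = {
    "Directory.ReadWrite.All": "full directory modification",
    "RoleManagement.ReadWrite.Directory": "role assignment control",
    "Application.ReadWrite.All": "app registration manipulation",
    "offline_access": "long-lived refresh tokens",
}

# Assumed business window, UTC: Monday to Friday, 07:00 to 19:00.
BUSINESS_HOURS = range(7, 19)
BUSINESS_DAYS = range(0, 5)


@dataclass
class Finding:
    client_id: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def assess_grant(grant: Dict) -> Optional[Finding]:
    """Return a Finding for a risky grant, or None if nothing stands out."""
    scopes = grant.get("scope", "").split()
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
    # offline_access only extends token lifetime; the other scopes grant write power.
    write_scopes = [s for s in risky if s != "offline_access"]
    tenant_wide = grant.get("consentType") == "AllPrincipals"
    granted_at = datetime.fromisoformat(grant["grantedAt"])
    off_hours = (granted_at.hour not in BUSINESS_HOURS
                 or granted_at.weekday() not in BUSINESS_DAYS)

    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(
            f"{s} ({HIGH_RISK_SCOPES[s]})" for s in risky))
    if tenant_wide and write_scopes:
        reasons.append("tenant-wide (admin) consent to write-capable scopes")
    if off_hours:
        reasons.append(f"consent granted outside business hours at {granted_at.isoformat()}")
    if not reasons:
        return None

    if write_scopes and tenant_wide:
        severity = "critical"
    elif write_scopes:
        severity = "high"
    elif risky:
        severity = "medium"
    else:
        severity = "low"  # only the timing signal fired
    return Finding(grant["clientId"], severity, reasons)


def review_grants(grants: List[Dict]) -> List[Finding]:
    """Assess every grant and return findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [f for f in (assess_grant(g) for g in grants) if f is not None]
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample grants (no real tenant data).
SAMPLE_GRANTS = [
    {"clientId": "sp-contoso-expense", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph",
     "scope": "User.Read offline_access", "grantedAt": "2026-01-13T10:15:00+00:00"},
    {"clientId": "sp-mailsync-helper", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph",
     "scope": "Directory.ReadWrite.All RoleManagement.ReadWrite.Directory offline_access",
     "grantedAt": "2026-01-17T02:40:00+00:00"},
    {"clientId": "sp-teams-bot", "consentType": "Principal",
     "principalId": "user-0001", "resourceId": "graph",
     "scope": "Application.ReadWrite.All", "grantedAt": "2026-01-14T14:00:00+00:00"},
    {"clientId": "sp-intranet", "consentType": "Principal",
     "principalId": "user-0002", "resourceId": "graph",
     "scope": "User.Read", "grantedAt": "2026-01-14T09:00:00+00:00"},
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        print(f"[{f.severity.upper()}] {f.client_id}: " + "; ".join(f.reasons))
```

The severity ladder is the point of the example: offline_access on its own is medium because it only lengthens how long a token lives, a write-capable scope granted by one user is high, and the same scope granted tenant-wide by an administrator is critical, since that is the unintentional-admin-consent scenario described earlier on the page.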
DL-024 — Unusual Graph API Access Patterns
Indicates privilege escalation through abnormal API call patterns, including bulk operations, unusual resource access, or off-hours activity.
DL-056 — SP Secret or Certificate Abuse
Attackers exploit service principal credentials to obtain elevated access tokens for privilege escalation without user interaction.
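DL-024 and DL-056 are both visible in Graph request telemetry rather than in sign-in logs. The following added example, not code from the original page, runs over rows that use the field names of the MicrosoftGraphActivityLogs table as the example's author understands them (TimeGenerated, RequestMethod, RequestUri, AppId, UserId, ResponseStatusCode). It flags writes to privilege-bearing endpoints, bulk writes by one application inside a short window, off-hours privileged writes, and privileged writes made with an app-only token (empty UserId), which is the signature of a service principal authenticating with its own secret or certificate. The log rows, thresholds and business window are constructed assumptions.

```python
"""Flag abnormal Microsoft Graph call patterns (DL-024) and app-only use of
service principal credentials for privileged writes (DL-056).

Example code added here; not from the original page. Rows use the field
names of the MicrosoftGraphActivityLogs table as the author of this example
understands them (TimeGenerated, RequestMethod, RequestUri, AppId, UserId,
ResponseStatusCode); the log rows, thresholds and business window are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import urlparse

WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}
# Paths whose writes change who holds privilege or which controls apply.
PRIVILEGE_PATHS = (
    "/roleManagement/directory/roleAssignments",
    "/directoryRoles/",
    "/applications",
    "/servicePrincipals",
    "/policies/conditionalAccessPolicies",
)
BULK_WRITE_THRESHOLD = 5          # writes by one app inside WINDOW
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)     # UTC, assumed


def is_privileged(path: str) -> bool:
    return any(p in path for p in PRIVILEGE_PATHS)


def detect(rows: List[Dict]) -> Dict[str, List[str]]:
    """Return alert strings per AppId; apps with no alerts are omitted."""
    alerts = defaultdict(set)
    write_times = defaultdict(list)

    for r in rows:
        if r["RequestMethod"] not in WRITE_METHODS:
            continue            # reads are out of scope for this rule
        app = r["AppId"]
        ts = datetime.fromisoformat(r["TimeGenerated"])
        path = urlparse(r["RequestUri"]).path
        write_times[app].append(ts)
        if not is_privileged(path):
            continue
        alerts[app].add(f"privileged write: {r['RequestMethod']} {path}")
        if not r.get("UserId"):
            # No user in the token: the app authenticated with its own secret or cert.
            alerts[app].add("app-only token used for privileged write (DL-056)")
        if ts.hour not in BUSINESS_HOURS:
            alerts[app].add("privileged write outside business hours")

    # Bulk operations: at least BULK_WRITE_THRESHOLD writes by one app within WINDOW.
    for app, times in write_times.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= WINDOW)
            if in_window >= BULK_WRITE_THRESHOLD:
                alerts[app].add(f"bulk writes: {in_window} within {WINDOW}")
                break

    return {app: sorted(a) for app, a in alerts.items()}


def _row(ts, method, uri, app, user, status):
    return {"TimeGenerated": ts, "RequestMethod": method, "RequestUri": uri,
            "AppId": app, "UserId": user, "ResponseStatusCode": status}


GRAPH = "https://graph.microsoft.com/v1.0"
# Constructed rows: an app-only principal creating six role assignments at
# 02:4x UTC, a normal mailbox read, and a late-night Conditional Access edit.
SAMPLE_LOG = [
    *[_row(f"2026-01-17T02:4{i}:00+00:00", "POST",
           f"{GRAPH}/roleManagement/directory/roleAssignments",
           "app-mailsync-helper", "", 201) for i in range(6)],
    _row("2026-01-14T14:05:00+00:00", "GET", f"{GRAPH}/me/messages",
         "app-outlook-addin", "user-0017", 200),
    _row("2026-01-14T23:30:00+00:00", "PATCH",
         f"{GRAPH}/policies/conditionalAccessPolicies/POLICY-ID-PLACEHOLDER",
         "app-graph-explorer", "user-0042", 204),
]

if __name__ == "__main__":
    for app, found in detect(SAMPLE_LOG).items():
        print(app)
        for a in found:
            print("  -", a)
```

Keying alerts by AppId rather than by user is what makes this rule work for the scenario the page describes: there is no interactive sign-in to correlate, so the application identity and the endpoints it writes to are the only stable handles a detection can use.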
Identity Attack Chain Mapping
1. Stage 3: Credential Acquisition
Attackers obtain initial OAuth tokens through phishing, consent abuse, or application compromise.
2. Stage 4: Authentication Abuse
Leverage acquired tokens to authenticate to Microsoft Graph and Azure APIs without triggering MFA.
3. Stage 5: Privilege Escalation
Exploit excessive OAuth scopes to assign roles, modify policies, and expand access permissions.
4. Stage 8: Persistence via Identity
Create additional OAuth apps, service principals, and refresh tokens for long-term access.

Critical Insight: OAuth escalation bypasses interactive-authentication visibility entirely. Token-based Graph API calls produce no interactive sign-in event, so they operate beneath traditional security monitoring and evade conventional SIEM rules keyed on login activity.
Threat Actors & Executive Context
Known Threat Actors
APT29 (ICTAM-001)
Sophisticated nation-state actor employing stealthy OAuth escalation techniques for long-term espionage campaigns.
Lapsus$ (ICTAM-011)
Extortion-focused group leveraging OAuth tokens post-compromise for rapid privilege escalation and data theft.
Federation Cartel (ICTAM-022)
Advanced threat actor specializing in OAuth token forgery and federation manipulation techniques.
RaaS Affiliates (ICTAM-020)
Ransomware operators using automated OAuth escalation toolkits for efficient privilege abuse at scale.
Executive Storylines
ETS-004
OAuth Weakness → Identity-Level Compromise
Inadequate OAuth governance enables attackers to escalate from limited user access to tenant-wide administrative control.
ETS-006
Role Misconfiguration → Privilege Escalation Chain
Cumulative misconfigurations in role assignments and OAuth permissions create exploitable escalation paths.