
Semperis warns nOAuth flaw in Entra ID integrations risks SaaS accounts
According to the research, nOAuth remains undetected by many SaaS vendors and is very difficult for enterprise customers to defend against.
The vulnerability, originally disclosed in 2023 by Omer Cohen of Descope, arises from how certain SaaS applications implement OpenID Connect sign-in with Entra ID. Rather than identifying a user by the immutable subject (sub) claim, or by the tenant and object identifiers (tid and oid) that Entra ID issues, the affected applications use the email claim in the ID token as the user identifier. Entra ID does not verify that claim: it is copied from a mail attribute that a tenant administrator can set to any value. The OpenID Connect specification is explicit that sub is the only claim an application can rely on as a stable, unique identifier, so this practice contradicts the standard rather than merely departing from a recommendation.
Semperis' follow-up investigation examined applications listed in Microsoft's Entra Application Gallery, finding that over a year after its initial disclosure, a substantial portion of applications remain vulnerable to nOAuth abuse.
Risk to enterprises
The core issue with nOAuth is that an attacker needs only an Entra tenant under their own control and the email address of a target user. The attacker creates a user in that tenant, sets its mail attribute to the victim's address, and signs in to the vulnerable SaaS application with that user via "Sign in with Microsoft". Because the application keys accounts on the email claim, it maps the attacker's session onto the victim's existing account, potentially granting full access.
Traditional defences on the victim's side, including Multi-Factor Authentication (MFA), conditional access, and Zero Trust policies, do not mitigate this risk: the attacker authenticates to their own tenant, so the victim tenant's sign-in policies are never evaluated and the victim's credentials are never used.
This presents a challenge for both developers and end-users. As Eric Woodruff, Chief Identity Architect at Semperis, explained, "It's easy for well-meaning developers to follow insecure patterns without realising it and in many cases, they don't even know what to look for. Meanwhile, customers are left with no way to detect or stop the attack, making this an especially dangerous and persistent threat."
Through comprehensive testing of more than 100 Entra-integrated SaaS applications, Semperis identified that nearly 10% were susceptible to nOAuth exploitation. Once access is obtained via this vulnerability, attackers may exfiltrate data, maintain persistence, and potentially move laterally within the victim organisation's environment.
Detection and mitigation challenges
Detection of nOAuth abuse is exceptionally difficult, as successful attacks leave minimal traces within standard user activity logs. The sign-in itself is recorded in the attacker's tenant, not the victim's, so the victim organisation's Entra ID sign-in logs show nothing; the vulnerable SaaS application simply records a successful federated login for the victim's email address.
Identifying a breach therefore requires correlating Entra ID logs with the individual SaaS platform's own logs, for example by looking for federated logins to a SaaS application that have no corresponding sign-in event in the organisation's own tenant. Semperis' research indicates that exploitation continues to be possible, despite the initial public disclosure and vendor recommendations.
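The correlation described above, as an added example that is not from the Semperis report: it joins a SaaS application's login audit log against the organisation's own Entra ID sign-in log and flags "Sign in with Microsoft" logins that have no matching sign-in in the organisation's tenant. The Entra side uses the Microsoft Graph signIn field names (userPrincipalName, createdDateTime, appDisplayName, status); the SaaS log format, the application name "Acme CRM", the domain example.com and all log lines are constructed for this example. It assumes the user's email in the SaaS log equals their UPN in Entra ID and that the SaaS log records the login method.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real data). Three SaaS logins: two via
# "Sign in with Microsoft" for alice, one password login for bob.
SAAS_LOGIN_LOG = """
{"ts": "2025-06-23T09:00:12Z", "user": "alice@example.com", "method": "microsoft", "result": "success"}
{"ts": "2025-06-23T09:15:40Z", "user": "bob@example.com", "method": "password", "result": "success"}
{"ts": "2025-06-23T13:42:03Z", "user": "alice@example.com", "method": "microsoft", "result": "success"}
"""

# Constructed Entra ID sign-in log of the organisation's OWN tenant. Only
# the 09:00:10 entry is a sign-in to the SaaS app; nothing at 13:42, because
# an nOAuth attacker signs in to their own tenant, not this one.
ENTRA_SIGNIN_LOG = """
{"createdDateTime": "2025-06-23T09:00:10Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Acme CRM", "status": {"errorCode": 0}}
{"createdDateTime": "2025-06-23T11:02:55Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
"""


def parse_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value: str) -> datetime:
    # fromisoformat does not accept a trailing 'Z' before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def unmatched_federated_logins(saas_events, entra_events, app_name,
                               window=timedelta(minutes=5)):
    """Return SaaS 'Sign in with Microsoft' successes that have no successful
    Entra ID sign-in to app_name, for the same user, from the organisation's
    own tenant within +/- window. A hit means the ID token the SaaS app
    accepted was not minted by this organisation's tenant."""
    entra_by_user = {}
    for ev in entra_events:
        if ev.get("appDisplayName") != app_name:
            continue
        if ev.get("status", {}).get("errorCode") != 0:
            continue
        upn = ev["userPrincipalName"].lower()
        entra_by_user.setdefault(upn, []).append(parse_ts(ev["createdDateTime"]))

    flagged = []
    for ev in saas_events:
        if ev.get("method") != "microsoft" or ev.get("result") != "success":
            continue
        t = parse_ts(ev["ts"])
        candidates = entra_by_user.get(ev["user"].lower(), [])
        if not any(abs(t - c) <= window for c in candidates):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    hits = unmatched_federated_logins(parse_jsonl(SAAS_LOGIN_LOG),
                                      parse_jsonl(ENTRA_SIGNIN_LOG),
                                      "Acme CRM")
    for h in hits:
        print("federated login with no sign-in in our tenant:", h["ts"], h["user"])
```

The window absorbs clock skew between the two systems. A flagged event is a lead, not proof: a user whose sign-in was non-interactive and not logged, or a SaaS log that records the wrong identity, produces the same gap, so the result needs to be checked against what the SaaS application recorded about the token issuer if it keeps that.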
Highlighting the severity of the nOAuth issue, Woodruff added, "nOAuth abuse is a serious threat that many organisations may be exposed to. It's low effort, leaves almost no trace and bypasses end-user protections. We've confirmed exploitation is still possible in many SaaS apps, which makes this an urgent call to action. We encourage developers to implement the necessary fixes and help protect their customers before this flaw is exploited further."
Semperis has communicated its findings to both affected SaaS vendors and Microsoft, beginning in December 2024. Some vendors have taken steps to address the issue, while others reportedly remain vulnerable.
Industry response and recommendations
The Microsoft Security Response Center (MSRC) advises SaaS application vendors to implement its security recommendations on user identification in OpenID Connect integrations: identify users by the sub claim, or by the tid and oid pair, and never use the email claim as an identifier or as the basis for authorisation decisions. Vendors that fail to comply may risk removal from the Entra Application Gallery.
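The insecure pattern behind nOAuth and the fix Microsoft recommends, side by side, as an added example that is not code from the report or from any affected vendor. It takes the claims of two already-validated Entra ID tokens (signature, issuer and audience checks are assumed to have happened upstream): one minted by the victim's tenant for the real user, and one minted by the attacker's own tenant for a user whose mail attribute was set to the victim's address. The tenant IDs, object IDs, the domain example.com and the account table are constructed. The xms_edov claim is a real Entra ID optional claim that states whether the issuing tenant has verified ownership of the email's domain; an application has to request it in its app registration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    account_id: str
    email: str
    tid: str  # Entra ID tenant that provisioned the account
    oid: str  # object ID of the user inside that tenant


# Constructed sample data (not from the report).
VICTIM_TID = "11111111-1111-1111-1111-111111111111"
ATTACKER_TID = "22222222-2222-2222-2222-222222222222"

ACCOUNTS = [
    Account("acct-42", "alice@example.com", VICTIM_TID,
            "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),
]

# Token minted by the victim's tenant for the real Alice.
LEGIT_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{VICTIM_TID}/v2.0",
    "tid": VICTIM_TID,
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "email": "alice@example.com",
    "preferred_username": "alice@example.com",
    "xms_edov": True,  # optional claim: email domain ownership verified
}

# Token minted by the attacker's own tenant. The attacker created a user
# there and set its mail attribute to the victim's address; Entra ID copies
# that unverified value into the email claim. No xms_edov, since the
# attacker's tenant has not verified example.com.
ATTACKER_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{ATTACKER_TID}/v2.0",
    "tid": ATTACKER_TID,
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "alice@example.com",
    "preferred_username": "mallory@attacker.example",
}


def vulnerable_lookup(claims: dict, accounts: list) -> Optional[Account]:
    """The nOAuth pattern: the email claim is the account key."""
    email = (claims.get("email") or "").lower()
    for acct in accounts:
        if acct.email.lower() == email:
            return acct
    return None


def hardened_lookup(claims: dict, accounts: list) -> Optional[Account]:
    """Key the account on the tenant + object ID pair Entra ID issues.

    The pairwise sub claim would also do; what matters is that the key
    cannot be chosen by a tenant administrator. A token from another tenant
    therefore maps to no account, or to a fresh one, never to Alice's.
    """
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    # The issuer must be the tenant named in tid (v2.0 issuer format).
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return None
    for acct in accounts:
        if acct.tid == tid and acct.oid == oid:
            return acct
    return None


def email_is_verified(claims: dict) -> bool:
    """Treat the email claim as meaningful (for display or invitations)
    only when Entra ID asserts the issuing tenant owns the domain."""
    return claims.get("xms_edov") is True


if __name__ == "__main__":
    hit = vulnerable_lookup(ATTACKER_CLAIMS, ACCOUNTS)
    print("vulnerable lookup maps attacker token to:", hit and hit.account_id)
    print("hardened lookup maps attacker token to:",
          hardened_lookup(ATTACKER_CLAIMS, ACCOUNTS))
    print("hardened lookup maps legitimate token to:",
          hardened_lookup(LEGIT_CLAIMS, ACCOUNTS).account_id)
```

When the hardened lookup returns nothing, the application must not fall back to matching by email to "link" the login to an existing account; that reintroduces the flaw. It should either provision a new, separate account or require an explicit, verified linking step.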
Semperis continues to focus on identity threat detection, with recent announcements regarding new detection features addressing other critical vulnerabilities such as BadSuccessor and Silver SAML.
These findings exemplify ongoing risks within enterprise identity services, where implementation weaknesses in how applications integrate with authentication protocols can present significant challenges for both software providers and their customers.
The nOAuth vulnerability underlines the importance of not only secure development practices but also continuous monitoring as enterprise reliance on SaaS and identity federation increases.
Semperis' report calls for prompt action from SaaS vendors to update their authentication implementations to address this persistent risk.