Attacks on Microsoft Graph API

Research into the Microsoft Graph API shows how an attacker can abuse trusted OAuth authorization and overprivileged applications in Microsoft 365. If an application's OAuth secret (client_secret) or a refresh token is compromised, the attacker can use the Client Credentials flow to access the Graph API as the application itself, bypassing MFA and often operating outside the protections that apply to interactive user sign-ins.
As a result, the attacker can gain access to email, OneDrive, SharePoint, and Teams, collect information about the Entra ID structure, and use it for persistence, data theft, and preparation for business email compromise (BEC) attacks.
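Because Client Credentials sign-ins never involve a user or MFA, defenders have to watch the service-principal side instead. The script below is an added illustration, not code from the research summarised here: it runs over a constructed set of records shaped like Entra ID service-principal sign-in events (the field names servicePrincipalId, appId, ipAddress, resourceDisplayName, createdDateTime and status.errorCode are assumptions) and flags successful app-only Graph sign-ins from IPs outside each app's known egress set, ranking them higher when the app holds high-privilege Graph application permissions such as those that reach mail, OneDrive, SharePoint or Teams.

```python
"""Flag suspicious app-only (Client Credentials) Microsoft Graph sign-ins.

Added example; record shape, IP baseline and app permission map are constructed.
"""

# Real Graph application permission names that reach the data named in the summary
# (mail, OneDrive/SharePoint files, Teams messages, directory structure).
HIGH_PRIV = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All", "Sites.ReadWrite.All",
             "ChannelMessage.Read.All", "Directory.Read.All"}

# Constructed sample events (assumed field names, modelled on service-principal sign-in logs).
SAMPLE_EVENTS = [
    {"createdDateTime": "2026-03-30T09:00:00Z", "appId": "app-backup", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-30T23:14:00Z", "appId": "app-backup", "ipAddress": "198.51.100.77",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},   # new IP, success
    {"createdDateTime": "2026-03-30T23:15:00Z", "appId": "app-mailer", "ipAddress": "198.51.100.77",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 7000215}},  # failed token request
    {"createdDateTime": "2026-03-30T10:00:00Z", "appId": "app-mailer", "ipAddress": "203.0.113.20",
     "resourceDisplayName": "Azure Key Vault", "status": {"errorCode": 0}},   # not Graph, ignored
]
# Constructed baselines: expected egress IPs per app, and each app's granted application permissions.
KNOWN_IPS = {"app-backup": {"203.0.113.10"}, "app-mailer": {"203.0.113.20"}}
APP_PERMS = {"app-backup": {"Files.ReadWrite.All", "Sites.ReadWrite.All"}, "app-mailer": {"Mail.Send"}}


def find_suspicious(events, app_perms, known_ips):
    """Return successful Graph app-only sign-ins from IPs outside the app's known set."""
    findings = []
    for ev in events:
        if ev.get("resourceDisplayName") != "Microsoft Graph":
            continue                                   # only tokens minted for Graph
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue                                   # failures are counted separately below
        app, ip = ev["appId"], ev["ipAddress"]
        if ip in known_ips.get(app, set()):
            continue                                   # matches the app's normal egress
        risky = sorted(app_perms.get(app, set()) & HIGH_PRIV)
        findings.append({"appId": app, "ipAddress": ip, "time": ev["createdDateTime"],
                         "severity": "high" if risky else "medium", "highPrivPermissions": risky})
    return findings


def failed_token_requests(events):
    """Count failed app-only token requests per (appId, ip); a rotated or revoked secret
    still being presented from an unexpected source shows up here."""
    counts = {}
    for ev in events:
        if ev.get("status", {}).get("errorCode", 0) != 0:
            key = (ev["appId"], ev["ipAddress"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS, APP_PERMS, KNOWN_IPS):
        print(f)
    print(failed_token_requests(SAMPLE_EVENTS))
```

In a real tenant the baseline IP set and the permission map would come from the app's registration and its app-role assignments rather than from literals, and the same check extends naturally to sign-ins with a credential ID the app was not expected to use.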
Vendors
Microsoft
Products
Entra ID
Microsoft 365
Microsoft Graph API
OneDrive
SharePoint
Teams
Published
2026-03-31, 08:41