Defender Helps Discover and Remediate OAuth Attacks

• Defender for Cloud Apps can help identify but not outright prevent problematic OAuth behavior from connected applications.
• OAuth-based attacks are an increasing attack vector for both data exfiltration and lateral movement into organizations.
• A significant wave of OAuth-based attacks occurred against Salesforce and were disclosed during 2025.

OAuth-based applications are increasingly used to compromise organizations, whether the objective is lateral movement into the organization, data exfiltration, or the destruction of data or systems. (Lateral movement is the process of driving deeper into the organization in search of data and systems to compromise.) Defender for Cloud Apps connectors to popular commercial apps like Salesforce—which recently experienced such an attack—can help organizations begin investigating, discovering, and remediating these attacks, and establish new processes to minimize and ideally prevent similar attacks in the future. Defender for Cloud Apps cannot necessarily prevent these types of attacks, but if properly configured, it can help identify them and limit their scope. For the most comprehensive protection, customers should adopt a defense-in-depth approach by using Defender for Cloud Apps alongside other tools, including the remaining components that work together to power Microsoft Defender XDR.