Password Reset Is Not Incident Response: Hunting OAuth Persistence in Microsoft 365
When a Microsoft 365 account is compromised, most organizations follow a familiar script: disable the account, reset the password, enforce MFA, and move on.
That playbook is incomplete.
Modern attackers do not rely solely on stolen credentials. They establish persistence using OAuth applications, delegated Graph permissions, refresh tokens, mailbox rules, and hidden forwarding mechanisms. In many cases, access survives password resets and MFA enforcement because the real foothold is not the password. It is delegated trust.
This session walks through a practical, technical approach to Microsoft 365 compromise cleanup with a focus on OAuth abuse and token persistence. Attendees will see:
• How malicious OAuth apps maintain access after credential resets
• What refresh tokens and offline_access actually enable
• Where to look in Entra ID and audit logs for non-interactive persistence
• How to revoke sessions and consent properly
• How to reduce tenant-wide exposure through consent policies and governance
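One way to run the hunt-and-revoke steps listed above from PowerShell, as an added example that is not part of the session or the presenter's demo material. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator holding the Graph scopes named in the script, a compromised user's UPN passed as an assumed $Upn parameter, and a sensitive-scope pattern that is a starting list, not a complete one.

```powershell
# Added example for this abstract, not code from the session or its presenter.
# Assumes: Microsoft.Graph and ExchangeOnlineManagement modules installed; the
# operator holds Directory.Read.All, DelegatedPermissionGrant.ReadWrite.All,
# User.ReadWrite.All and AuditLog.Read.All. $Upn and -Revoke are assumed
# parameters; the scope regex below is an assumed starting list.
param(
    [Parameter(Mandatory)][string]$Upn,
    [switch]$Revoke   # report only unless explicitly asked to revoke
)

$graphScopes = 'Directory.Read.All','DelegatedPermissionGrant.ReadWrite.All',
               'User.ReadWrite.All','AuditLog.Read.All'
Connect-MgGraph -Scopes $graphScopes -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName

# 1. Delegated consent grants: those recorded for this user, plus tenant-wide
#    admin consents (AllPrincipals), which let an app act for every user.
$grants = @(Get-MgOauth2PermissionGrant -All -Filter "principalId eq '$($user.Id)'") +
          @(Get-MgOauth2PermissionGrant -All -Filter "consentType eq 'AllPrincipals'")

$findings = foreach ($g in $grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $s  = @($g.Scope -split ' ' | Where-Object { $_ })
    [pscustomobject]@{
        GrantId     = $g.Id
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.PublisherName
        OwnerTenant = $sp.AppOwnerOrganizationId
        ConsentType = $g.ConsentType
        Persistent  = $s -contains 'offline_access'   # refresh tokens are issued
        Sensitive   = @($s | Where-Object {
            $_ -match '^(Mail|MailboxSettings|Files|Contacts|Calendars|Sites)\.' }) -join ' '
    }
}
# offline_access alone is normal; offline_access paired with mailbox/file scopes,
# a foreign OwnerTenant and an empty Publisher is the combination to pull.
$findings | Sort-Object Persistent -Descending | Format-Table -AutoSize

# 2. Non-interactive sign-ins (the app redeeming its refresh token) are absent
#    from the v1.0 signIns collection; query beta with signInEventTypes. App
#    sign-ins that continue after the password reset are the tell.
$since  = (Get-Date).AddDays(-14).ToUniversalTime().ToString('o')
$filter = "signInEventTypes/any(t: t eq 'nonInteractiveUser') and userId eq '$($user.Id)' and createdDateTime ge $since"
$uri    = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=$([uri]::EscapeDataString($filter))&`$top=500"
$signins = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value
$signins | Group-Object appDisplayName | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Last'; e={ ($_.Group | Sort-Object createdDateTime)[-1].createdDateTime }}

# 3. Who consented to what, and when, from the directory audit log.
Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since" |
    Select-Object ActivityDateTime,
                  @{n='By';  e={ $_.InitiatedBy.User.UserPrincipalName }},
                  @{n='App'; e={ $_.TargetResources[0].DisplayName }}

# 4. Mailbox-side persistence: inbox rules that forward, redirect or delete,
#    and mailbox-level forwarding.
Connect-ExchangeOnline -ShowBanner:$false
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage
Get-Mailbox -Identity $Upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 5. Containment. Revoke-MgUserSignInSession advances the user's refresh-token
#    validity timestamp so every outstanding refresh token is rejected on next
#    use; access tokens already issued keep working until they expire, so the
#    grant itself must go too. Per-user grants are removed here; an
#    AllPrincipals grant is a tenant-wide decision and is only reported.
if ($Revoke) {
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    foreach ($f in $findings | Where-Object { $_.Persistent -and $_.Sensitive -and $_.ConsentType -eq 'Principal' }) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $f.GrantId
        Write-Host "Removed grant $($f.GrantId) for app '$($f.App)' ($($f.AppId))"
    }
}
```

Run it once without -Revoke to read the findings, then with -Revoke once the grants to pull have been confirmed. An AllPrincipals grant that shows up as Persistent and Sensitive should be removed deliberately through the tenant's consent review rather than by this per-user script, since deleting it affects every user.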
The session includes two demonstrations. First, the mechanics of an adversary-in-the-middle (AitM) token theft attack; second, gaining OAuth persistence in a controlled lab tenant, showing how an attacker can read mailbox data even after a password reset, and how defenders can fully remove that access. I don't trust live demos, so I will pre-record these and narrate as we walk through screen recordings of the attacks.
If your incident response process ends at password reset, you are likely leaving the door open.