Recent research reveals that despite being disclosed in June 2023, the nOAuth vulnerability continues to threaten thousands of SaaS applications. Semperis’s June 2025 findings indicate that over 15,000 enterprise SaaS apps remain exposed to this authentication flaw in Microsoft Entra ID, enabling attackers to hijack user accounts with minimal effort.
Key Findings from 2025 Research
At least 10% of SaaS apps integrated with Microsoft Entra ID are susceptible to nOAuth, extrapolated from tests showing 9% vulnerability in a sample of 104 Entra Gallery applications. The attack vector exploits misconfigured Entra ID apps that accept unverified email claims as user identifiers. Attackers only need a victim’s email address and their own Entra tenant to impersonate users and gain full account access.
Traditional defenses like MFA, conditional access, and Zero Trust policies are ineffective against this flaw.
Why the Threat Persists
Many developers remain unaware of secure OAuth implementation practices, using mutable email claims instead of immutable identifiers (e.g., the OID or sub claim). Affected users cannot self-detect compromises, as attacks occur between SaaS apps and Entra ID, outside their security perimeter.
Microsoft issued guidance (e.g., the xms_edov claim for email verification), but cannot enforce fixes, leaving remediation to SaaS developers. SaaS vendors must implement Microsoft’s recommendations, including rejecting unverified email claims and using immutable user identifiers.
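The two lookup strategies the text contrasts, as an added example that is not code from the Semperis report or from Microsoft: a SaaS backend that keys sessions on the mutable email claim beside one that keys them on the immutable tenant/object-id pair and consults email only when Entra sets xms_edov. The directory entries, tenant ids and token payloads are constructed, and the token's signature, issuer and audience are assumed to have been validated before these functions run.

```python
"""Vulnerable vs. hardened user lookup for an Entra ID-integrated app.
Claims below are decoded ID-token payloads; signature/issuer/audience checks are
assumed to have already passed upstream."""

# Constructed sample directory for a hypothetical SaaS app: one provisioned user.
VICTIM_TID = "11111111-1111-1111-1111-111111111111"  # victim's home tenant (made up)
VICTIM_OID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # victim's object id (made up)
DIRECTORY = {
    "by_email": {"alice@example.com": "acct-alice"},
    "by_tid_oid": {(VICTIM_TID, VICTIM_OID): "acct-alice"},
}


def vulnerable_lookup(directory, claims):
    """Keys the session on the mutable 'email' claim. The owner of any Entra tenant
    can set that attribute on their own users, so a token from a foreign tenant
    whose email attribute matches a provisioned address resolves to that account."""
    return directory["by_email"].get(claims.get("email", "").lower())


def hardened_lookup(directory, claims):
    """Keys the session on the immutable (tid, oid) pair, as Microsoft's nOAuth
    guidance recommends. The 'email' claim is consulted only as a fallback when
    Entra asserts xms_edov=true (email domain ownership verified)."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # no immutable identifier present: reject the token
    account = directory["by_tid_oid"].get((tid, oid))
    if account is not None:
        return account
    if claims.get("xms_edov") is True:  # verified domain owner: email is trustworthy
        return directory["by_email"].get(claims.get("email", "").lower())
    return None  # unverified email claim is never used to match an account


# Constructed decoded token payloads (no real identifiers).
LEGITIMATE = {"tid": VICTIM_TID, "oid": VICTIM_OID, "email": "alice@example.com"}
# Token minted by a different tenant whose user's email attribute equals the
# victim's address; xms_edov is absent because that tenant does not own the domain.
FOREIGN_TENANT = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "alice@example.com",
}


def demo():
    """Returns what each strategy resolves for the two tokens."""
    return {
        "vulnerable_foreign": vulnerable_lookup(DIRECTORY, FOREIGN_TENANT),
        "hardened_foreign": hardened_lookup(DIRECTORY, FOREIGN_TENANT),
        "hardened_legitimate": hardened_lookup(DIRECTORY, LEGITIMATE),
    }
```

Running `demo()` shows the email-keyed lookup resolving the foreign-tenant token to the victim's account while the (tid, oid)-keyed lookup rejects it and still admits the legitimate token.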
Organizations require deep log correlation across Entra ID and SaaS platforms to detect abuse—currently the only viable detection method.