[{"data":1,"prerenderedAt":1071},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/investigating-user-delegated-oauth-tokens-in-google-workspace-a-ride-along":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":688,"faqItemsCollection":689,"faqTitle":62,"featured":6,"hashTags":691,"meta":697,"metaTitle":698,"ogImage":62,"publishedDate":699,"relatedBlogPostsCollection":700,"slug":1045,"stem":1046,"subtitle":62,"summary":1047,"synopsis":1058,"sys":1059,"tagsCollection":1062,"__hash__":1070},"blog/blog/investigating-user-delegated-oauth-tokens-in-google-workspace-a-ride-along.json","Investigating user delegated OAuth tokens in Google Workspace - a ride along",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Jacques Louw","Jacques","Co-founder / CRO",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"json":238,"links":628},{"data":239,"content":240,"nodeType":627},{},[241,250,258,265,274,281,288,295,330,337,344,364,370,377,384,403,409,416,435,441,478,506,512,527,554,560,567,574,580,606,613,620],{"data":242,"content":243,"nodeType":249},{},[244],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"What are user delegated OAuth tokens?","text","heading-2",{"data":251,"content":252,"nodeType":257},{},[253],{"data":254,"marks":255,"value":256,"nodeType":248},{},[],"When users want to integrate a 3rd party app (like Zoom, Slack, Zapier, etc. etc.) with Google Workspace (or Office 365, or almost any SaaS platform these days really), they provide that app with a token (an OAuth2 token to be specific). This token can be used by the 3rd party to connect to your Workspace to gain access to that user’s data instead of a password.","paragraph",{"data":259,"content":260,"nodeType":257},{},[261],{"data":262,"marks":263,"value":264,"nodeType":248},{},[],"You might recognise screens like this which actually do the job of granting these tokens.",{"data":266,"content":272,"nodeType":273},{"target":267},{"sys":268},{"id":269,"type":270,"linkType":271},"1jj3BNK8zO0Pm83LwzLUJp","Link","Entry",[],"embedded-entry-block",{"data":275,"content":276,"nodeType":257},{},[277],{"data":278,"marks":279,"value":280,"nodeType":248},{},[],"That list of permissions is a human readable version of what are called scopes. Scopes limit what the 3rd party can do with the token. There are a number of ways you can limit the 3rd parties and scopes your users can authorise, and we’ll cover those in future blog posts - for now we are focussing on the existing tokens that have already been granted.",{"data":282,"content":283,"nodeType":249},{},[284],{"data":285,"marks":286,"value":287,"nodeType":248},{},[],"Why would you want to review these apps and tokens?",{"data":289,"content":290,"nodeType":257},{},[291],{"data":292,"marks":293,"value":294,"nodeType":248},{},[],"Essentially there are quite a few things that can go wrong here, which is not unexpected when we are talking about granting 3rd parties access to a core business platform like Workspace - and perhaps in something like an ordering of obviousness they are things like:",{"data":296,"content":297,"nodeType":329},{},[298,309,319],{"data":299,"content":300,"nodeType":308},{},[301],{"data":302,"content":303,"nodeType":257},{},[304],{"data":305,"marks":306,"value":307,"nodeType":248},{},[],"Consent phishing - where an attacker uses a malicious app linked in an email to trick users into giving them access to the user's data.","list-item",{"data":310,"content":311,"nodeType":308},{},[312],{"data":313,"content":314,"nodeType":257},{},[315],{"data":316,"marks":317,"value":318,"nodeType":248},{},[],"Useful but malicious apps - as we’ve seen recently in browser extensions (especially chrome), mobile apps (especially android, pattern forming here?), PC software, etc. etc. there are a number of criminals who develop legitimately useful (or at least vaguely useful looking) software that is also used to get backdoor access to your data. This is even harder to spot in SaaS applications, because unlike browser extensions or mobile apps, you can’t inspect the code. And because Almost no SaaS apps expose good logs of what is done using these tokens, you can’t inspect what they are doing.",{"data":320,"content":321,"nodeType":308},{},[322],{"data":323,"content":324,"nodeType":257},{},[325],{"data":326,"marks":327,"value":328,"nodeType":248},{},[],"Supply chain - while supply chain attacks are all the rage these days, we’ve yet to see a really clear attack where an attacker has stolen specifically OAuth tokens from one of these 3rd parties and used them against their customers - at least to my knowledge (please tweet my wrongness @jacques_sec). This does not however mean this can’t or won’t happen - and in fact I’d be super surprised if this doesn’t happen in the next few years.","unordered-list",{"data":331,"content":332,"nodeType":257},{},[333],{"data":334,"marks":335,"value":336,"nodeType":248},{},[],"While there are a lot of things you might want to look at when reviewing an OAuth app, you will at least want to know who owns/publishes the app (who have you delegated access too), what permissions or access the 3rd party has to your data, and whether Google has reviewed and verified the app - so let’s use this blog to focus on that starting point.",{"data":338,"content":339,"nodeType":249},{},[340],{"data":341,"marks":342,"value":343,"nodeType":248},{},[],"Getting the basic token details",{"data":345,"content":346,"nodeType":257},{},[347,351,360],{"data":348,"marks":349,"value":350,"nodeType":248},{},[],"As a user you can look at ",{"data":352,"content":354,"nodeType":359},{"uri":353},"https://myaccount.google.com/permissions",[355],{"data":356,"marks":357,"value":358,"nodeType":248},{},[],"your own Workspace tokens","hyperlink",{"data":361,"marks":362,"value":363,"nodeType":248},{},[]," - where you’ll see a box like this for each integrated app:",{"data":365,"content":369,"nodeType":273},{"target":366},{"sys":367},{"id":368,"type":270,"linkType":271},"4uswW6ogq8Gqn6ithrAa5d",[],{"data":371,"content":372,"nodeType":257},{},[373],{"data":374,"marks":375,"value":376,"nodeType":248},{},[],"You’ll see things like the authorised domain (diagrams.net in this case), the homepage of the app, and a description of the permissions granted by the scopes (though not the raw scopes themselves). Unfortunately, fairly basic information, like if the app has been verified by google is not available.",{"data":378,"content":379,"nodeType":257},{},[380],{"data":381,"marks":382,"value":383,"nodeType":248},{},[],"This page is also only available to view your own apps. Rather than trying to teach each of your users how to review OAuth apps, you may want to review these on behalf of your users, and let them get on with their jobs leaving your relationship with them intact. Google anticipated this, and actually allows you to get a list of these apps (or rather the tokens that grant them access) through the admin console in a couple of ways.",{"data":385,"content":386,"nodeType":257},{},[387,391,399],{"data":388,"marks":389,"value":390,"nodeType":248},{},[],"If you ",{"data":392,"content":394,"nodeType":359},{"uri":393},"https://admin.google.com/ac/users",[395],{"data":396,"marks":397,"value":398,"nodeType":248},{},[],"open a user’s profile in the admin console",{"data":400,"marks":401,"value":402,"nodeType":248},{},[]," and click “connected applications” you’ll get something like this:",{"data":404,"content":408,"nodeType":273},{"target":405},{"sys":406},{"id":407,"type":270,"linkType":271},"5EyCKXIf9ODUsVakm4bhnn",[],{"data":410,"content":411,"nodeType":257},{},[412],{"data":413,"marks":414,"value":415,"nodeType":248},{},[],"Beyond having to do this one user at a time - this is useful to see the display name for the application and the services which the app has access to. Unfortunately there is no information to show if the app has been verified by Google, and even worse nothing that links it to a specific publisher. At Push we publish quite a few apps ourselves I can tell you that the display name (“Google APIs Explorer” or “Slack” in the above example) is anything the author chooses, and so isn’t reliable at all unless the app has been verified (I’m assuming Google would reject look-alike or spoofed names here), but again you can’t tell here if the app has been verified by google - so on we go!",{"data":417,"content":418,"nodeType":257},{},[419,423,431],{"data":420,"marks":421,"value":422,"nodeType":248},{},[],"The admin console also provides ",{"data":424,"content":426,"nodeType":359},{"uri":425},"https://admin.google.com/ac/reporting/audit/token",[427],{"data":428,"marks":429,"value":430,"nodeType":248},{},[],"security reports on token grants",{"data":432,"marks":433,"value":434,"nodeType":248},{},[]," that look something like this:",{"data":436,"content":440,"nodeType":273},{"target":437},{"sys":438},{"id":439,"type":270,"linkType":271},"6BygfA5C7GNzYZVkfP8du",[],{"data":442,"content":443,"nodeType":257},{},[444,448,456,460,466,470,474],{"data":445,"marks":446,"value":447,"nodeType":248},{},[],"Here we can see the raw scopes (you can find more info about the actual scopes in ",{"data":449,"content":451,"nodeType":359},{"uri":450},"https://developers.google.com/identity/protocols/oauth2/scopes",[452],{"data":453,"marks":454,"value":455,"nodeType":248},{},[],"Google's API docs",{"data":457,"marks":458,"value":459,"nodeType":248},{},[],"), the app name (display name as above) and the all important ",{"data":461,"marks":462,"value":465,"nodeType":248},{},[463],{"type":464},"italic","client_id",{"data":467,"marks":468,"value":469,"nodeType":248},{},[]," that is, as far as I can tell, the closes we get to uniquely identifying an app under the hood. As a side note, it turns out that the first number sequence of the ",{"data":471,"marks":472,"value":465,"nodeType":248},{},[473],{"type":464},{"data":475,"marks":476,"value":477,"nodeType":248},{},[]," is actually the project number of the Google Cloud Project which hosts the app (or technically which hosts the OAuth consent screen for the app). Still no verification status, and no way to figure out who published the app. Further down the rabbit hole we go.",{"data":479,"content":480,"nodeType":257},{},[481,485,490,494,502],{"data":482,"marks":483,"value":484,"nodeType":248},{},[],"Workspace Admin also has an API, and fortunately there is a ",{"data":486,"marks":487,"value":489,"nodeType":248},{},[488],{"type":464},"tokens",{"data":491,"marks":492,"value":493,"nodeType":248},{},[]," resource (see Google docs for ",{"data":495,"content":497,"nodeType":359},{"uri":496},"https://developers.google.com/admin-sdk/directory/reference/rest/v1/tokens/list",[498],{"data":499,"marks":500,"value":501,"nodeType":248},{},[],"Admin Directory API",{"data":503,"marks":504,"value":505,"nodeType":248},{},[],") and there is even an API explorer (which - strange loop warning - also uses OAuth tokens to grant itself access to the API), which give you the following:",{"data":507,"content":511,"nodeType":273},{"target":508},{"sys":509},{"id":510,"type":270,"linkType":271},"1zbptRPMoy5F9eexuoqdBh",[],{"data":513,"content":514,"nodeType":257},{},[515,519,523],{"data":516,"marks":517,"value":518,"nodeType":248},{},[],"Which actually gives you all the tokens for a user you specify. Not much here that is useful beyond what we got from the token report - we still just have display name, scopes, and the ",{"data":520,"marks":521,"value":465,"nodeType":248},{},[522],{"type":464},{"data":524,"marks":525,"value":526,"nodeType":248},{},[]," - however, we can now at least automate the process of pulling all apps for all users without having to figure out which are still active after grants and revokes in the audit report.",{"data":528,"content":529,"nodeType":257},{},[530,534,538,542,550],{"data":531,"marks":532,"value":533,"nodeType":248},{},[],"At this point I was worried whether this would be possible as I couldn’t find any APIs that actually resolved the ",{"data":535,"marks":536,"value":465,"nodeType":248},{},[537],{"type":464},{"data":539,"marks":540,"value":541,"nodeType":248},{},[]," to something more useful, so I started looking at ways to restrict installing apps instead. This led me to the ",{"data":543,"content":545,"nodeType":359},{"uri":544},"https://admin.google.com/ac/owl/list",[546],{"data":547,"marks":548,"value":549,"nodeType":248},{},[],"Security > API controls > App access control",{"data":551,"marks":552,"value":553,"nodeType":248},{},[]," panel in the admin console. This panel shows a list of all the trusted apps (which includes all the installed apps), and crucially if you click on the app you get something like the following:",{"data":555,"content":559,"nodeType":273},{"target":556},{"sys":557},{"id":558,"type":270,"linkType":271},"3zM9a2NGzAdRVjQ0EN4Ult",[],{"data":561,"content":562,"nodeType":257},{},[563],{"data":564,"marks":565,"value":566,"nodeType":248},{},[],"Huzzah! - finally we have verification status, as well as an email address and links to various policies which can be used to identify the actual publisher of the app (my assumption here is that if the app is verified we can trust this information, but that might be something worth digging into a bit deeper, especially for apps that are not requesting sensitive or restricted scopes, both of which have increasingly thorough vetting).",{"data":568,"content":569,"nodeType":257},{},[570],{"data":571,"marks":572,"value":573,"nodeType":248},{},[],"Unfortunately this is not the end of the story. There are still a couple of problems here, firstly we can’t see which users granted which tokens - only how many users have active tokens. We could correlate this with the information in the user’s profile, but then you could have multiple apps using the same name as below:",{"data":575,"content":579,"nodeType":273},{"target":576},{"sys":577},{"id":578,"type":270,"linkType":271},"2fSxeH8UZCC5cZ6vggwck",[],{"data":581,"content":582,"nodeType":257},{},[583,587,591,595,602],{"data":584,"marks":585,"value":586,"nodeType":248},{},[],"This can be solved by referencing the ",{"data":588,"marks":589,"value":465,"nodeType":248},{},[590],{"type":464},{"data":592,"marks":593,"value":594,"nodeType":248},{},[]," with the ",{"data":596,"content":597,"nodeType":359},{"uri":496},[598],{"data":599,"marks":600,"value":601,"nodeType":248},{},[],"admin.directory.tokens.list",{"data":603,"marks":604,"value":605,"nodeType":248},{},[]," API (as discussed above), but that brings us to my final problem - it’s going to be painful cross referencing as the data in the screenshot above is not available in any API I can find, so to automate this I guess we’re going screen scraping 🤦. If you know a better way - please tweet me (again @jacques_sec).",{"data":607,"content":608,"nodeType":249},{},[609],{"data":610,"marks":611,"value":612,"nodeType":248},{},[],"Next up",{"data":614,"content":615,"nodeType":257},{},[616],{"data":617,"marks":618,"value":619,"nodeType":248},{},[],"I’m planning to write future posts on this subject before I forget it all, and these will likely focus on understanding exactly what is possible using specific scopes in a more automated way than paging through endless docs, and more detail on doing in-depth security reviews of OAuth apps. Get in touch if either of these (or something related) would be of interest to you and we might re-prioritise!",{"data":621,"content":622,"nodeType":257},{},[623],{"data":624,"marks":625,"value":626,"nodeType":248},{},[],"\n","document",{"entries":629},{"hyperlink":630,"inline":631,"block":632},[],[],[633,643,651,659,666,674,681],{"sys":634,"__typename":635,"title":636,"caption":637,"layoutMode":638,"file":639},{"id":269},"Image","oauth consent screen example","Example of an OAuth consent screen in Google Workspace","Centre aligned",{"url":640,"width":641,"height":642},"https://images.ctfassets.net/y1cdw1ablpvd/5RrFP6v1oOwfg00Kg9OAVQ/dcad6df4ee4db41629e519e505cd4801/consent-screen.png",300,607,{"sys":644,"__typename":635,"title":645,"caption":646,"layoutMode":638,"file":647},{"id":368},"OAuth app details","Apps with access to your account",{"url":648,"width":649,"height":650},"https://images.ctfassets.net/y1cdw1ablpvd/3wvxHVo7ggg3Q6KLOJ0OBc/b05cd2cd5087b9415ad354409b92c628/Screenshot_2021-07-15_at_12.02.40.png",730,615,{"sys":652,"__typename":635,"title":653,"caption":653,"layoutMode":654,"file":655},{"id":407},"User connected apps in Workspace admin console","Breaks margins",{"url":656,"width":657,"height":658},"https://images.ctfassets.net/y1cdw1ablpvd/3JwxdzuBQFtWZfZhnaJ9O7/dd6b85e70c0f12e37de811cb4d1a44d2/Screenshot_2021-07-15_at_12.12.41.png",930,225,{"sys":660,"__typename":635,"title":661,"caption":662,"layoutMode":654,"file":663},{"id":439},"Workspace token audit report","Sample of a Workspace token audit report",{"url":664,"width":657,"height":665},"https://images.ctfassets.net/y1cdw1ablpvd/1fvEWaCemaKVA4M8CUK9LI/0a6d69f932cf3e496b315e5412b8e6bb/audit-log.png",130,{"sys":667,"__typename":635,"title":668,"caption":669,"layoutMode":62,"file":670},{"id":510},"API Explorer for OAuth tokens resource","Sample output from API Explorer for OAuth tokens resource",{"url":671,"width":672,"height":673},"https://images.ctfassets.net/y1cdw1ablpvd/1dMLvB8qIweqnIt9OXcGcW/c58d40cbce1e8fbd2a1848c97bed92c0/Screenshot_2021-07-15_at_12.29.21.png",380,428,{"sys":675,"__typename":635,"title":676,"caption":677,"layoutMode":62,"file":678},{"id":558},"Workspace admin console trusted apps detail","Example of the details of a trusted app",{"url":679,"width":649,"height":680},"https://images.ctfassets.net/y1cdw1ablpvd/6tmcl2Z7ZZtFrih6VGUftC/f347fe1e70fb1e88d46c19dceb19e5f4/Screenshot_2021-07-15_at_12.38.57.png",360,{"sys":682,"__typename":635,"title":683,"caption":684,"layoutMode":62,"file":685},{"id":578},"Trusted OAuth apps in Workspace admin panel","Trusted OAuth apps with the same display name",{"url":686,"width":649,"height":687},"https://images.ctfassets.net/y1cdw1ablpvd/MODcUpyrv9yjpgm5u75wn/690c8a732c0700d808a1b55063a17e02/Screenshot_2021-07-15_at_12.40.24.png",321,"json",{"items":690},[],[692,693,694,695,696],"#oauth","#oauth2","#cloud-apps","#google","#workspace",{},"Investigating user delegated OAuth tokens in Google","2021-07-15T00:00:00.000+01:00",{"items":701},[702,913],{"__typename":703,"sys":704,"content":706,"title":891,"synopsis":892,"hashTags":62,"publishedDate":893,"slug":894,"tagsCollection":895,"authorsCollection":905},"BlogPosts",{"id":705},"1bV8YTSQHvveCTnRc4H8su",{"json":707},{"nodeType":627,"data":708,"content":709},{},[710,717,724,730,747,753,760,767,797,803,822,841,860],{"nodeType":257,"data":711,"content":712},{},[713],{"nodeType":248,"value":714,"marks":715,"data":716},"With more platforms adding support for Multi-factor Authentication (MFA) and users increasingly adopting it to secure their accounts, attackers are adapting and moving to new methods of compromising user accounts. In this post we’ll take a look at consent phishing and how it is being used to bypass MFA and also skirt key attributes of phishing that are taught in traditional user awareness campaigns, such as links to untrusted domains.",[],{},{"nodeType":257,"data":718,"content":719},{},[720],{"nodeType":248,"value":721,"marks":722,"data":723},"Imagine yourself sitting down at your desk first thing on a Monday morning, cup of coffee steaming next to your keyboard as you click through your backlog of emails. You open the below email and you see that Karl has shared a financial report with you. ",[],{},{"nodeType":273,"data":725,"content":729},{"target":726},{"sys":727},{"id":728,"type":270,"linkType":271},"7zysXleQdpE6isqi9OU56l",[],{"nodeType":257,"data":731,"content":732},{},[733,737,743],{"nodeType":248,"value":734,"marks":735,"data":736},"Maybe you’ve been waiting for the latest financials or you suspect this was sent erroneously but you’re curious and want to take a peek. When you click the link you are presented with a prompt that with your Monday brain looks just like the “Yes give me access” prompt you’ve clicked through a thousand times. I mean, it's a ",[],{},{"nodeType":248,"value":738,"marks":739,"data":742},"microsoftonline.com",[740],{"type":741},"bold",{},{"nodeType":248,"value":744,"marks":745,"data":746}," domain, it's https and there’s a green tick in the corner so everything looks fine. ",[],{},{"nodeType":273,"data":748,"content":752},{"target":749},{"sys":750},{"id":751,"type":270,"linkType":271},"6nPueTKEjLphqlytbQ0gcx",[],{"nodeType":257,"data":754,"content":755},{},[756],{"nodeType":248,"value":757,"marks":758,"data":759},"If you’d looked closely you may have noticed that this was in fact asking you to approve access rather than granting you access. But with your muscle memory in full control you click “Accept” before even glancing at the screen. You wait for the spreadsheet to open but are presented with a generic “File does not exist” error page. Oh well, apparently Karl realised his mistake and deleted the file or revoked your access. Onto the next email.",[],{},{"nodeType":257,"data":761,"content":762},{},[763],{"nodeType":248,"value":764,"marks":765,"data":766},"And just like that you’ve been consent phished. You’ve just granted the attackers permanent access to your account, which they retain even if you change your password or have MFA enabled. Chances are the attacker’s tools will immediately start downloading every piece of data you just granted them access to, which they can then explore at their leisure. ",[],{},{"nodeType":257,"data":768,"content":769},{},[770,774,781,785,793],{"nodeType":248,"value":771,"marks":772,"data":773},"To spot this you need to audit the apps you’ve approved, something you are doing regularly, right? Seriously though, this isn’t something many people check. These integrations are designed to be as seamless as possible and not to get in your way. But if this has piqued your interest you can check what access you have personally granted on ",[],{},{"nodeType":359,"data":775,"content":776},{"uri":353},[777],{"nodeType":248,"value":778,"marks":779,"data":780},"Google Workspace",[],{},{"nodeType":248,"value":782,"marks":783,"data":784}," and ",[],{},{"nodeType":359,"data":786,"content":788},{"uri":787},"https://myapps.microsoft.com/",[789],{"nodeType":248,"value":790,"marks":791,"data":792},"Microsoft 365",[],{},{"nodeType":248,"value":794,"marks":795,"data":796},".",[],{},{"nodeType":273,"data":798,"content":802},{"target":799},{"sys":800},{"id":801,"type":270,"linkType":271},"BPIX02LWblUNnkQw1TFWD",[],{"nodeType":257,"data":804,"content":805},{},[806,810,818],{"nodeType":248,"value":807,"marks":808,"data":809},"If you’d been paying attention when you clicked “Accept” you might have noticed that you were granting some pretty serious permissions here. These permissions allow the attackers to read and write any files you have access to - they could download all these files and then delete them. The attackers also got permission to send emails as you. They could send emails to your colleagues from you and phish them too, this isn’t impersonation where the email just “looks” like it came from you, the email DID come from you. Lastly the attackers asked for permission to manipulate your Outlook settings, with this they could set up a ",[],{},{"nodeType":359,"data":811,"content":813},{"uri":812},"/features/detect-malicious-mail-rules/",[814],{"nodeType":248,"value":815,"marks":816,"data":817},"mail forwarding rule",[],{},{"nodeType":248,"value":819,"marks":820,"data":821}," so that they get copies of all your emails forwarded to them directly without even having to log in. And all of this happens until you delete the underlying OAuth app.",[],{},{"nodeType":257,"data":823,"content":824},{},[825,829,837],{"nodeType":248,"value":826,"marks":827,"data":828},"In a ",[],{},{"nodeType":359,"data":830,"content":832},{"uri":831},"https://www.microsoft.com/security/blog/2020/07/08/protecting-remote-workforce-application-attacks-consent-phishing/",[833],{"nodeType":248,"value":834,"marks":835,"data":836},"blog post",[],{},{"nodeType":248,"value":838,"marks":839,"data":840}," Microsoft warns that these attacks are on the rise. One notable example of this comes from the SANS Institute. They reported in August of 2020 that they had fallen victim to one of these attacks. As part of the investigation they produced a report with details on how the attackers managed to convince an employee to install a malicious Microsoft 365 add-in to gain access. ",[],{},{"nodeType":257,"data":842,"content":843},{},[844,848,856],{"nodeType":248,"value":845,"marks":846,"data":847},"So what can you do about this threat today? The only fool proof method of preventing this kind of attack is to prevent users from granting access to third party apps. This is terrible for users though, and you’ll be missing out on all the productivity benefits these apps can bring. A more balanced approach is to let users find and request apps, but have administrators approve the apps. More and more platforms (including Microsoft 365 and Slack) are offering built-in “admin consent” workflows to make getting a second pair of eyes on new apps even easier. You can also make it even easier for users  by pre-approving widely used apps from trusted publishers and users won’t even notice there is new protection in place 99% of the time. We are also actively working on this problem and if you would like to join our ",[],{},{"nodeType":359,"data":849,"content":851},{"uri":850},"/features/secure-oauth-permissions-and-applications/",[852],{"nodeType":248,"value":853,"marks":854,"data":855},"early access program",[],{},{"nodeType":248,"value":857,"marks":858,"data":859}," please get in touch.",[],{},{"nodeType":257,"data":861,"content":862},{},[863,867,875,879,887],{"nodeType":248,"value":864,"marks":865,"data":866},"Consent phishing is still an emerging technique and we believe that it has not reached peak usage by attackers yet. We are actively researching this attack technique as it continues to evolve. Follow us on Twitter ",[],{},{"nodeType":359,"data":868,"content":870},{"uri":869},"https://twitter.com/PushSecurity",[871],{"nodeType":248,"value":872,"marks":873,"data":874},"@pushsecurity",[],{},{"nodeType":248,"value":876,"marks":877,"data":878},", ",[],{},{"nodeType":359,"data":880,"content":882},{"uri":881},"https://www.linkedin.com/company/push-security",[883],{"nodeType":248,"value":884,"marks":885,"data":886},"LinkedIn",[],{},{"nodeType":248,"value":888,"marks":889,"data":890}," or subscribe to our mailing list below to get the latest updates and tips for managing this for your users.",[],{},"Consent phishing: the emerging phishing technique that can bypass 2FA","Consent phishing is an emerging technique attackers are using to compromise user accounts, even if they have Multi-factor Authentication (MFA or 2FA) enabled.","2021-07-06T00:00:00.000+01:00","consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa",{"items":896},[897,901],{"sys":898,"name":900},{"id":899},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":902,"name":904},{"id":903},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":906},[907],{"fullName":908,"firstName":909,"jobTitle":910,"profilePicture":911},"Alex Triaca","Alex","Chief Architect",{"url":912},"https://images.ctfassets.net/y1cdw1ablpvd/LmC3LyTH5V9NthbqKuqA2/8291887e41c15613bf98f6fd55773817/117-0-2.jpg",{"__typename":703,"sys":914,"content":916,"title":1019,"synopsis":1020,"hashTags":1021,"publishedDate":1027,"slug":1028,"tagsCollection":1029,"authorsCollection":1037},{"id":915},"pj2eLZXa4PyrY1DD4NCHt",{"json":917},{"data":918,"content":919,"nodeType":627},{},[920,927,931,938,945,951,958,965,972,979,986,992,999,1005,1012],{"data":921,"content":922,"nodeType":257},{},[923],{"data":924,"marks":925,"value":926,"nodeType":248},{},[],"The following is a personal account from the owner of an engineering consulting and projects company of how a Business Email Compromise (BEC) attack played out against his company, almost costing them millions.",{"data":928,"content":929,"nodeType":930},{},[],"hr",{"data":932,"content":933,"nodeType":257},{},[934],{"data":935,"marks":936,"value":937,"nodeType":248},{},[],"It started with a phone call from one of our customers. They wanted to make a payment to us and asked to confirm that our banking details had changed. They had not. Our customer explained they had received another email from us after our original invoice, stating that our banking details had changed.",{"data":939,"content":940,"nodeType":257},{},[941],{"data":942,"marks":943,"value":944,"nodeType":248},{},[],"So many questions ran through my mind. I assured them our details had not changed and asked them to send me the email that they had received.",{"data":946,"content":950,"nodeType":273},{"target":947},{"sys":948},{"id":949,"type":270,"linkType":271},"7oS3I99lcdKeHo0a4SM7f2",[],{"data":952,"content":953,"nodeType":257},{},[954],{"data":955,"marks":956,"value":957,"nodeType":248},{},[],"There it was. It even had our company logo and signature at the bottom.",{"data":959,"content":960,"nodeType":257},{},[961],{"data":962,"marks":963,"value":964,"nodeType":248},{},[],"We didn't know how the attacker got access to that email account and we assumed they were logging in and reading emails. So we changed the password on the affected email account and moved on.",{"data":966,"content":967,"nodeType":257},{},[968],{"data":969,"marks":970,"value":971,"nodeType":248},{},[],"A day later, the attacker followed up again with the customer and we got another phone call. After having a really difficult conversation, we had to dig deeper and find out what was going on. So we contacted our IT provider and launched an investigation.",{"data":973,"content":974,"nodeType":257},{},[975],{"data":976,"marks":977,"value":978,"nodeType":248},{},[],"We found that the email we sent containing the invoice was also forwarded to an external Gmail address. The attacker had also registered a visually similar domain name and cloned the look and feel of our emails to reply to our customers and trick them into believing it was from us. This 1-letter difference in the domain is highlighted in the image above.",{"data":980,"content":981,"nodeType":257},{},[982],{"data":983,"marks":984,"value":985,"nodeType":248},{},[],"The primary culprit behind the forwarding of the message was then discovered. A mail rule had been created that forwarded emails with the word \"payment\" (among others) in the subject.",{"data":987,"content":991,"nodeType":273},{"target":988},{"sys":989},{"id":990,"type":270,"linkType":271},"2aafjsTsqy7ljL5hh8c3MO",[],{"data":993,"content":994,"nodeType":257},{},[995],{"data":996,"marks":997,"value":998,"nodeType":248},{},[],"Some senior employees had received phishing emails a few days prior to this incident taking place. The email took them to a fake Microsoft login page and unfortunately one of them entered their password.",{"data":1000,"content":1004,"nodeType":273},{"target":1001},{"sys":1002},{"id":1003,"type":270,"linkType":271},"3LqNjM8OlZLI6XQVtLaOe1",[],{"data":1006,"content":1007,"nodeType":257},{},[1008],{"data":1009,"marks":1010,"value":1011,"nodeType":248},{},[],"This stolen password was used to log in and set up the forwarding rule. This closed the loop and we understood what happened fully.",{"data":1013,"content":1014,"nodeType":257},{},[1015],{"data":1016,"marks":1017,"value":1018,"nodeType":248},{},[],"We learned a lot from the incident (and aged a few years!) and the main recommendations from our IT provider were to delete the mail rule, change the password again and enable MFA on all our email accounts. Had this customer paid this invoice without questioning the change of details, we would have lost millions.","Case study: Business Email Compromise (BEC) attack nearly cost us millions","A story by the owner of an Engineering company on how they almost lost millions from a Business Email Compromise (BEC) style attack. An interesting BEC example.",[1022,1023,1024,1025,1026],"businessemailcompromise","bec","mailrules","office365","warstory","2021-06-14T00:00:00.000+01:00","case-study-business-email-compromise-bec-attack-nearly-cost-us-millions",{"items":1030},[1031,1033],{"sys":1032,"name":900},{"id":899},{"sys":1034,"name":1036},{"id":1035},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":1038},[1039],{"fullName":1040,"firstName":1041,"jobTitle":1042,"profilePicture":1043},"Tyrone Erasmus","Tyrone","Co-founder / CTO",{"url":1044},"https://images.ctfassets.net/y1cdw1ablpvd/5rkMblymL7lG4pZBiYzWo6/26f0da21be8fc252b13b62aacc22d19d/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-22.jpg","investigating-user-delegated-oauth-tokens-in-google-workspace-a-ride-along","blog/investigating-user-delegated-oauth-tokens-in-google-workspace-a-ride-along",{"json":1048},{"data":1049,"content":1050,"nodeType":627},{},[1051],{"data":1052,"content":1053,"nodeType":257},{},[1054],{"data":1055,"marks":1056,"value":1057,"nodeType":248},{},[],"A brief discussion about OAuth tokens, how they are used, reasons you might want to review them, and then an exploration of how you might start actually doing this in Google Workspace, which (TL;DR) turns out to not be neither trivial or easy to automate.","Introduction to OAuth tokens in Google Workspace, how they are used, reasons you might want to review them, and a discussion of how you might go about it. ",{"id":1060,"publishedAt":1061},"4j5GhBaGwP92nz5p6gmQyi","2024-03-21T09:27:28.613Z",{"items":1063},[1064,1066],{"sys":1065,"name":904},{"id":903},{"sys":1067,"name":1069},{"id":1068},"3pjES4THCIfSAwhGdNwBcy","Browser security","cK7SdRzzsfEP_MMlqof4W2oUFMtPZkq-zKaMu3JOh_Q",1784196725220]