Organizations that focus only on authentication strength and ignore authorization complexity will stay vulnerable. As “cloud breaches aren’t hacks—they’re logins,” new defensive approaches are needed.
Imagine you’re a Chief Information Security Officer (CISO), in charge of the security operations for a large organization. Your team has just finished a $2 million rollout upgrading endpoint detection capabilities. You have fought and won the uphill battle for MFA deployment throughout the company. You’re well on your way to transitioning out legacy platforms to achieve a Zero Trust architecture, combining on-premises and SaaS application solutions using a single identity provider.
Then, you get a call from your CEO. A journalist asked for comment on reports that critical customer data has been made available for sale on BreachForums.
This isn’t from a zero-day exploit or a nation-state attack. It’s part of a growing attack trend that leverages the very access you’ve granted your employees, contractors, and partners.
While we fortified endpoints, attackers moved to identity systems. While organizations have invested millions in endpoint detection, network monitoring, and multi-factor authentication, threat actors like Scattered Spider, LAPSUS$, and ShinyHunters bypass these defenses by exploiting the very access we’ve granted authorized users.
The widely publicized attacks against Marks & Spencer, United National Foods, Aflac, The North Face, Cartier, and dozens of other high-profile organizations share a common thread: the attackers exploited authorization sprawl, a growing vulnerability class that turns interconnected identity systems into an opportunity for attackers.
Authorization sprawl happens when we make sensible access decisions without considering larger implications. Marketing needs Salesforce. Engineering wants GitHub. Finance requires NetSuite. Operations needs Jira and Confluence. IT deploys SSO to make it all manageable. Each decision makes perfect sense in isolation.
Today, a user logs in to Okta once in the morning and has access to 47 different systems. Their browser holds tokens for Microsoft 365, Google Workspace, AWS, and dozens of SaaS applications. A developer’s GitHub personal access token can trigger workflows that deploy code to production through OpenID Connect integration. Microsoft Entra Connect synchronizes cloud identities back to on-premises Active Directory. Microsoft Endpoint Configuration Manager uses logged-in access to authorize changes to systems throughout the organization.
Attackers used to follow a predictable attack chain: use initial access to deploy malware, escalate privileges, move laterally to other on-premises targets, establish persistence, and exfiltrate data. With authorization sprawl, the attacker uses any initial access to steal OAuth tokens, AWS access keys, GitHub personal access tokens, browser single sign-on sessions, or any other post-authentication access mechanism, and then siphons data from on-premises and cloud systems. The attacker uses authorized access for illegitimate purposes, bypassing traditional detection methods.
For years we have invested in security stacks designed to detect and respond to traditional attack patterns. We have EDR solutions that catch malware, network monitoring that flags unusual traffic, and SIEMs that correlate events across systems. We leverage strong authentication to validate identity and mitigate password-based attacks.
Authorization sprawl attacks bypass these detection mechanisms entirely. When attackers open Chrome and access ServiceNow with the victim’s SSO access, EDR sees only chrome.exe connecting to service-now.com over TLS – normal activity occurring thousands of times daily. Attackers can access browser history, cookies, and saved tokens without triggering alerts.
Strong authentication protects only the initial login process, not the session tokens that follow. Once authenticated, users receive session cookies, OAuth tokens, or JWTs that grant access to resources without re-authentication. Attackers who gain access to these tokens can exploit authorized sessions without needing to bypass MFA or other strong authentication controls.
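The point above is that the token, not the login, is what an attacker ends up holding, so its lifetime and whether it is bound to the client that obtained it decide how much a stolen copy is worth. The following is an added example (not code from the original post or from any identity provider) that decodes the claims of a compact JWT and scores it against an assumed policy: a maximum lifetime, the presence of `exp`, and the presence of a `cnf` confirmation claim (RFC 7800), which is what sender-constrained tokens carry. The tokens themselves are constructed in the block with a placeholder signature; signature verification is out of scope here and must precede any real trust decision.

```python
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_example_token(payload):
    """Build a constructed JWT for the demo. The signature segment is a
    placeholder: this block inspects claims only; it does not sign or verify."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token):
    """Return the payload claims of a compact JWT without verifying the signature.
    Verification must happen before any trust decision; this is a read-only look."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def assess_token(claims, now, max_lifetime=3600):
    """Evaluate how useful a stolen copy of this token would be.

    Returns the token's total lifetime, seconds remaining at `now`, and a list of
    findings. `max_lifetime` is an assumed policy ceiling in seconds.
    """
    findings = []
    iat, exp = claims.get("iat"), claims.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
        lifetime = remaining = None
    else:
        lifetime = (exp - iat) if iat is not None else None
        remaining = exp - now
        if remaining <= 0:
            findings.append("expired")
        if lifetime is not None and lifetime > max_lifetime:
            findings.append(f"lifetime {lifetime}s exceeds policy {max_lifetime}s")
    if "cnf" not in claims:
        # A plain bearer token is accepted from whichever client presents it.
        findings.append("bearer token: no cnf (sender-constraint) claim, replayable from any client")
    return {"lifetime": lifetime, "remaining": remaining, "findings": findings}


# Constructed example tokens (not issued by any real identity provider).
NOW = 1_750_000_000
SHORT_BOUND = make_example_token({
    "iss": "https://idp.example", "sub": "alice", "aud": "servicenow",
    "iat": NOW - 600, "exp": NOW + 3000,
    "cnf": {"jkt": "example-key-thumbprint"},   # RFC 7800 confirmation claim
})
LONG_BEARER = make_example_token({
    "iss": "https://idp.example", "sub": "alice", "aud": "servicenow",
    "iat": NOW - 86400, "exp": NOW + 29 * 86400,  # 30-day bearer token
})

if __name__ == "__main__":
    for name, tok in (("short, sender-bound", SHORT_BOUND),
                      ("long-lived bearer", LONG_BEARER)):
        print(name, assess_token(decode_claims(tok), now=NOW))
```

Run against the two constructed tokens, the one-hour sender-bound token produces no findings, while the 30-day bearer token is flagged both for exceeding the lifetime ceiling and for lacking a confirmation claim; the same check applied to tokens captured from your own identity provider's test tenant shows which of your integrations are issuing the second kind.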
Organizations that continue to focus solely on authentication strength while ignoring authorization complexity will remain vulnerable. As threat actors increasingly recognize that “cloud breaches aren’t hacks—they’re logins,” you need new defensive approaches:
Map Your Cross-Cloud Privilege Paths: You can’t defend the access opportunities you can’t see. Use attack path mapping tools like BloodHound with OpenGraph extensions to visualize how permissions connect across your entire environment: on-premises, cloud, and SaaS.
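What "mapping privilege paths" reduces to is a graph walk: principals, groups, apps, trusts and resources are nodes, each grant or trust is a directed edge, and the question is which sensitive nodes a given principal can reach and which edges every path shares. The block below is an added example, not BloodHound's or the original post's code, and its graph is constructed for illustration (node names, relationship kinds and the OIDC and Entra Connect edges mirror the integrations the article mentions but describe no real tenant). It enumerates the paths from a principal to sensitive resources and reports the choke points, the edges common to all of them, which are where a defender gets the most from a single change.

```python
from collections import Counter, defaultdict

# Constructed identity graph (example data, not exported from BloodHound or any
# real environment). Each edge is (source, relationship, target); node and
# relationship names are illustrative and span on-premises, cloud and SaaS.
EDGES = [
    ("alice@corp", "MemberOf", "grp-all-staff"),
    ("grp-all-staff", "AssignedApp", "github:org-corp"),
    ("alice@corp", "OwnsToken", "github:pat/alice"),         # personal access token
    ("github:pat/alice", "ActsAs", "github:org-corp"),
    ("github:org-corp", "OIDCTrust", "aws:role/ci-deploy"),  # CI -> AWS via OIDC
    ("aws:role/ci-deploy", "CanRead", "aws:s3/customer-exports"),
    ("bob@corp", "MemberOf", "grp-it"),
    ("grp-it", "AdminOf", "entra:tenant"),
    ("entra:tenant", "SyncsTo", "ad:corp.local"),            # Entra Connect writeback
    ("ad:corp.local", "Controls", "mecm:site"),
    ("mecm:site", "ExecutesOn", "host:db-prod-01"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, target), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_paths(graph, start, targets, max_depth=8):
    """Enumerate every simple path from `start` that ends on a node in `targets`.

    A path is a list of (source, relationship, target) edges. The search stops at
    the first sensitive node on a branch and is depth-capped so a large, cyclic
    graph cannot blow up the enumeration.
    """
    paths = []

    def walk(node, path, visited):
        if path and node in targets:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for rel, nxt in graph.get(node, []):
            if nxt in visited:
                continue
            path.append((node, rel, nxt))
            visited.add(nxt)
            walk(nxt, path, visited)
            visited.remove(nxt)
            path.pop()

    walk(start, [], {start})
    return paths


def choke_points(paths):
    """Edges present in every path: removing any one of them severs all of them."""
    if not paths:
        return []
    counts = Counter(edge for path in paths for edge in set(path))
    return [edge for edge, n in counts.items() if n == len(paths)]


def render(path):
    """Human-readable 'a -[rel]-> b -[rel]-> c' form of a path."""
    out = path[0][0]
    for _, rel, dst in path:
        out += f" -[{rel}]-> {dst}"
    return out


if __name__ == "__main__":
    graph = build_graph(EDGES)
    sensitive = {"aws:s3/customer-exports", "host:db-prod-01"}
    for principal in ("alice@corp", "bob@corp"):
        paths = find_paths(graph, principal, sensitive)
        print(f"{principal}: {len(paths)} path(s) to sensitive resources")
        for p in paths:
            print("  " + render(p))
        for src, rel, dst in choke_points(paths):
            print(f"  choke point: {src} -[{rel}]-> {dst}")
```

In the constructed data, a marketing user reaches a customer-data bucket by two routes (group-assigned GitHub access and a personal access token), and both funnel through the same OIDC trust and the same role's read permission; those two edges, not the user's group memberships, are the controls to tighten. Attack path tooling such as BloodHound does this at scale with ingested data; the algorithm is the same.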
Force Better SaaS Logging: Most SaaS platforms provide terrible logging – either nonexistent, incomplete, or locked behind premium pricing. This isn’t acceptable: without those logs we lack the visibility to identify these active attacks. Make comprehensive logging a mandatory requirement in every RFP and contract negotiation. Integrate SaaS logging with your threat hunting activities to identify incidents.
Get Browser Visibility: Modern browsers are where authorization sprawl attacks happen. Deploy specialized browser security tools that detect anomalous patterns even on legitimate sites. When a user who normally accesses five Salesforce records suddenly downloads thousands, you need to know. When browser automation tools interact with sensitive applications in ways humans never would, that’s an indicator of compromise.
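The two recommendations above, hunting in SaaS logs and spotting a user whose record access suddenly jumps from a handful to thousands or whose "browser" is an automation framework, come down to two detections over the audit trail. The block below is an added example (not code from the original post or from any SaaS vendor) that runs both over a constructed JSON-lines audit log; the field names `ts`, `user`, `app`, `action`, `records` and `ua` are assumptions standing in for whatever your platform exports. The volume detection baselines each user against their own history with a median, so a single first-day spike from a user with no history is deliberately not judged rather than alerted on blindly.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed SaaS audit events in JSON-lines form (sample data, not from any real
# tenant or product). Field names are assumptions: ts, user, app, action, records, ua.
SAMPLE_LOG = """\
{"ts":"2025-06-02T09:12:00Z","user":"carol@corp","app":"salesforce","action":"record.view","records":4,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"}
{"ts":"2025-06-03T10:01:00Z","user":"carol@corp","app":"salesforce","action":"record.view","records":6,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"}
{"ts":"2025-06-04T09:48:00Z","user":"carol@corp","app":"salesforce","action":"record.view","records":5,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"}
{"ts":"2025-06-05T11:20:00Z","user":"carol@corp","app":"salesforce","action":"record.view","records":5,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"}
{"ts":"2025-06-06T08:55:00Z","user":"carol@corp","app":"salesforce","action":"record.view","records":3,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"}
{"ts":"2025-06-06T13:40:00Z","user":"carol@corp","app":"salesforce","action":"report.export","records":4000,"ua":"Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/126.0"}
{"ts":"2025-06-02T08:30:00Z","user":"dave@corp","app":"salesforce","action":"record.view","records":40,"ua":"Mozilla/5.0 (Macintosh) Chrome/126.0"}
{"ts":"2025-06-03T08:31:00Z","user":"dave@corp","app":"salesforce","action":"record.view","records":42,"ua":"Mozilla/5.0 (Macintosh) Chrome/126.0"}
{"ts":"2025-06-04T08:29:00Z","user":"dave@corp","app":"salesforce","action":"record.view","records":38,"ua":"Mozilla/5.0 (Macintosh) Chrome/126.0"}
{"ts":"2025-06-05T08:33:00Z","user":"dave@corp","app":"salesforce","action":"record.view","records":41,"ua":"Mozilla/5.0 (Macintosh) Chrome/126.0"}
{"ts":"2025-06-06T08:30:00Z","user":"dave@corp","app":"salesforce","action":"record.view","records":39,"ua":"Mozilla/5.0 (Macintosh) Chrome/126.0"}
{"ts":"2025-06-06T15:02:00Z","user":"erin@corp","app":"salesforce","action":"report.export","records":900,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"}
"""

# Substrings that identify browser automation frameworks in a User-Agent string.
AUTOMATION_MARKERS = ("HeadlessChrome", "Selenium", "Playwright", "python-requests")


def parse_events(text):
    """Parse JSON lines; skip blank or malformed lines rather than abort the hunt."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def daily_counts(events):
    """(user, app) -> {date: total records touched that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[(e["user"], e["app"])][e["ts"][:10]] += e.get("records", 0)
    return counts


def detect_volume_anomalies(events, multiplier=10, min_records=500):
    """Flag days where a user's record volume dwarfs their own history.

    The baseline is the median of that user's other days in the same app; a user
    with no other days has no baseline and is skipped. A day is flagged when it
    exceeds both `multiplier` x baseline and the absolute floor `min_records`.
    """
    findings = []
    for (user, app), per_day in daily_counts(events).items():
        for day, total in sorted(per_day.items()):
            history = [n for d, n in per_day.items() if d != day]
            if not history:
                continue
            base = median(history)
            if total > max(multiplier * base, min_records):
                findings.append({"user": user, "app": app, "date": day,
                                 "records": total, "baseline": base})
    return findings


def detect_automation(events):
    """Flag events whose User-Agent carries an automation-framework marker."""
    return [e for e in events
            if any(marker in e.get("ua", "") for marker in AUTOMATION_MARKERS)]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for f in detect_volume_anomalies(evts):
        print(f"VOLUME     {f['user']} {f['app']} {f['date']}: "
              f"{f['records']} records vs baseline {f['baseline']}")
    for e in detect_automation(evts):
        print(f"AUTOMATION {e['user']} {e['app']} {e['ts']} {e['action']} ua={e['ua']}")
```

On the constructed log, only one user trips the volume rule (a 4,000-record export against a baseline of five records a day), and the same export is the only event carrying a headless-browser User-Agent; the 900-record export by a user with no history is left alone until there is a baseline to compare against. Both thresholds are tuning knobs, and the point of the exercise is that none of this is possible unless the SaaS platform exports per-user, per-object event volume in the first place.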
The attackers have already adapted. They’re exploiting the interconnected networks of SSO integrations, OAuth tokens, and cross-platform permissions we have built for efficiency. We need to adapt our defense strategies to recognize and identify these attack patterns with attack path analysis, better SaaS logging and threat hunting, and with browser visibility that can identify these attacks in progress. The question isn’t whether authorization sprawl will hit your organization – it’s whether you’ll be ready.
For a deeper dive on authorization sprawl, read my SANS RSAC whitepaper here.
As Senior Technical Director at Counter Hack and SANS Faculty Fellow, Joshua has advanced cybersecurity through ethical penetration testing, uncovering critical vulnerabilities across Fortune 500 companies and national infrastructure providers.
Read more about Joshua Wright