{
	"id": "8dfa9667-91bb-4247-9bdc-cf106b65e9dd",
	"created_at": "2026-04-06T00:19:38.48098Z",
	"updated_at": "2026-04-10T03:23:51.432675Z",
	"deleted_at": null,
	"sha1_hash": "63a8e84975c86748f7c4ad561da50d183dbd33fa",
	"title": "saas-attacks/techniques/evil_twin_integrations/description.md at main · pushsecurity/saas-attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66680,
	"plain_text": "saas-attacks/techniques/evil_twin_integrations/description.md at\r\nmain · pushsecurity/saas-attacks\r\nBy jukelennings\r\nArchived: 2026-04-05 16:06:48 UTC\r\nEvil twin integrations\r\nID: SAT1016\r\nTactics\r\nPersistence\r\nDefense Evasion\r\nSummary\r\nOAuth apps provide a mechanism for maintaining long-term persistent access to compromised accounts that resists\r\nnormal recovery actions, such as password resets. However, an in-depth investigation may lead to the discovery of\r\nOAuth integrations created by the adversary. Once these malicious integrations are deleted, the adversary would\r\nlose their persistence mechanism as soon as the access token expires (within hours or minutes).\r\nInstead, the attacker could enumerate existing OAuth integrations the user has already granted/installed, find one\r\nthat exposes useful scopes and functionality, and create a second instance or twin of that integration. These twin\r\nintegrations look identical to the original integration as SaaS apps don’t display the details of the account on the\r\nother side of the integration, and are therefore unlikely to be discovered and deleted.\r\nThis attack relies on the victim having already installed or created an OAuth integration that would be useful to\r\nthe attacker. Existing integrations with workflow automation / no-code automation platforms are typically the\r\nmost useful, but other apps that access (and expose) sensitive data like email are common in marketing, sales and\r\ncustomer support tools.\r\nA demo video of an attack chain combining shadow workflows with an evil twin integration is given below:\r\nhttps://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md\r\nExamples\r\nHubspot\r\nReferences\r\nMaintaining persistent access in a SaaS-first world - Technical blog post\r\nThe shadow workflow's evil twin - Technical blog post\r\nSource: https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md"
	],
	"report_names": [
		"description.md"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434778,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63a8e84975c86748f7c4ad561da50d183dbd33fa.pdf",
		"text": "https://archive.orkl.eu/63a8e84975c86748f7c4ad561da50d183dbd33fa.txt",
		"img": "https://archive.orkl.eu/63a8e84975c86748f7c4ad561da50d183dbd33fa.jpg"
	}
}