Researchers: Shadow AI and OAuth token sprawl amplify breach risk after OAuth-linked incidents

- Security writeups this week warn that shadow AI tools and third-party OAuth token sprawl are widening attackers' pivot routes into corporate systems.
- Europol's IOCTA 2026 and industry analysts flagged a shift to industrialised cybercrime powered by AI and new phishing kits that can bypass MFA.
- The lesson: every new AI integration can be an exploitable security vector unless governed. (industrialcyber.co) (bleepingcomputer.com) (hackread.com)

A third-party login token is starting to look like the new master key. That is the real story behind the recent Vercel incident and the security writeups that followed it. One employee connected an external AI tool, that tool got compromised, and the attacker used the OAuth trust relationship to move sideways into a much bigger company environment. Vercel says it disclosed the incident on April 19 and later expanded its review after finding additional affected accounts. (vercel.com)

So what is "OAuth token sprawl," in plain English? It is the pileup of app-to-app permissions that builds over time when employees click "Sign in with Google" or "Connect Microsoft 365" and nobody really tracks what got approved. Each grant feels tiny. But the grant often includes mailbox access, file access, profile data, calendars, or long-lived refresh tokens. That means the attacker does not need to crack the front door if a trusted side door is already open. The Vercel case is getting attention because the side door appears to have been an AI SaaS integration, not a classic software supply-chain package. (pushsecurity.com)

That is where "shadow AI" becomes more than a data-leak buzzword. Most people hear the phrase and think about employees pasting documents into chatbots. The bigger risk is that AI tools increasingly ask for deep integrations into Google Workspace, Microsoft 365, Slack, GitHub, Notion, and internal knowledge systems. Once approved, those tools are no longer just places where data is pasted. They become active identity-bearing nodes inside the company. Push Security's breakdown of the Vercel chain makes exactly that point: a forgotten or lightly governed AI app can become an invisible extension of the corporate perimeter. (pushsecurity.com)

Why does this matter right now? Because the attacker toolkit is getting more industrialized.
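To make that "pileup of grants" concrete, here is an added example (not code from the original piece, from Vercel, or from Push Security) of the audit pass the text implies: it walks an inventory of app grants and flags broad scopes, self-approved consent, unverified publishers, long-lived refresh tokens and stale use, then maps each grant to revoke, review, monitor or keep. The `Grant` fields, the scope-marker list, the 90-day staleness threshold and the three sample apps are all assumptions; a real run would fill the inventory from the identity provider's admin API instead of the constructed list at the bottom.

```python
from dataclasses import dataclass
from datetime import date

# Scope-name fragments that mean an app has standing access to mail, files,
# directory or calendar data. Illustrative list (an assumption), written to
# match both Google-style URL scopes and Microsoft Graph permission names.
HIGH_RISK_SCOPE_MARKERS = ("mail.", "gmail", "drive", "files.", "sites.",
                           "directory.", "user.read.all", "calendar")
STALE_AFTER_DAYS = 90   # assumed policy: unused for a quarter means revoke
SAMPLE_TODAY = date(2026, 4, 30)


@dataclass
class Grant:
    """One app-to-tenant permission grant, as an admin inventory would list it."""
    app: str
    publisher_verified: bool
    user: str
    scopes: list
    has_refresh_token: bool   # long-lived credential issued beside the access token
    last_used: date
    admin_approved: bool      # False means the employee clicked "Allow" alone


def risky_scopes(scopes):
    """Return the subset of scopes that grant broad data access."""
    return [s for s in scopes
            if any(m in s.lower() for m in HIGH_RISK_SCOPE_MARKERS)]


def assess(grant, today):
    """List the reasons a grant deserves attention; an empty list means it looks fine."""
    findings = []
    broad = risky_scopes(grant.scopes)
    if broad:
        findings.append("broad scopes: " + ", ".join(broad))
    if not grant.admin_approved:
        findings.append("self-approved by user, no admin consent")
    if not grant.publisher_verified:
        findings.append("unverified publisher")
    if grant.has_refresh_token or "offline_access" in grant.scopes:
        findings.append("long-lived refresh token")
    idle = (today - grant.last_used).days
    if idle > STALE_AFTER_DAYS:
        findings.append(f"stale: unused for {idle} days")
    return findings


def recommend(grant, findings):
    """Map findings to an action: revoke, review, monitor or keep."""
    if not findings:
        return "keep"
    stale = any(f.startswith("stale") for f in findings)
    broad = any(f.startswith("broad") for f in findings)
    refresh = any(f.startswith("long-lived") for f in findings)
    if stale and (broad or refresh):
        return "revoke"      # nobody is using it, but an attacker could
    if broad and not grant.admin_approved:
        return "review"      # wide access that security never looked at
    return "monitor"


def audit(grants, today):
    """Assess every grant; return rows sorted so revoke and review come first."""
    order = {"revoke": 0, "review": 1, "monitor": 2, "keep": 3}
    rows = []
    for g in grants:
        f = assess(g, today)
        rows.append({"app": g.app, "user": g.user,
                     "action": recommend(g, f), "findings": f})
    return sorted(rows, key=lambda r: order[r["action"]])


# Constructed sample inventory (not real tenant data).
SAMPLE_GRANTS = [
    Grant("Acme AI Notetaker", False, "alice@example.com",
          ["https://www.googleapis.com/auth/gmail.readonly",
           "https://www.googleapis.com/auth/drive"],
          True, date(2026, 1, 5), False),
    Grant("Corp SSO Dashboard", True, "alice@example.com",
          ["openid", "email", "profile"], False, date(2026, 4, 28), True),
    Grant("Slide Helper", True, "bob@example.com",
          ["Files.ReadWrite.All", "offline_access"], True, date(2026, 4, 27), False),
]


def run_sample():
    """Audit the constructed inventory as of SAMPLE_TODAY."""
    return audit(SAMPLE_GRANTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['action']:8} {row['app']:20} {row['user']:20} "
              + "; ".join(row["findings"]))
```

On the sample data the idle AI notetaker with Gmail and Drive scopes and a refresh token lands in "revoke", the actively used but self-approved Files.ReadWrite.All app lands in "review", and the admin-consented SSO app with only identity scopes is kept. The scoring is deliberately coarse; the point is that the inventory, not the scoring, is what most tenants are missing.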
Europol's 2026 IOCTA framing is basically that cybercrime is scaling through better enablers: AI, proxies, encryption, and service-style infrastructure that lowers the skill needed to run serious attacks. Even without the full report text in the preview page, the direction is clear from Europol's release notes and the wider coverage around the April 28-29 publication window. (europol.europa.eu)

The phishing side is evolving in the same direction. Bluekit, a newly surfaced phishing-as-a-service kit, bundles more than 40 brand templates and uses adversary-in-the-middle techniques to steal session cookies and local storage data. That matters because MFA can still be "passed" by the real user while the attacker steals the authenticated session. In other words, the criminal does not always need your password plus your code; sometimes they just need the token created after you log in. (hackread.com)

Microsoft described a related escalation earlier this month in an AI-enabled device-code phishing campaign. The notable shift was automation: dynamic code generation, large numbers of short-lived backend nodes, AI-personalized lures, and post-compromise token abuse for persistence and email theft. That is the same broad pattern showing up everywhere: steal identity artifacts, not just credentials. (microsoft.com)

The practical lesson is boring but sharp. Companies need to treat every new AI integration like a new privileged vendor. Block self-approved OAuth apps where possible. Audit existing grants. Kill stale refresh tokens. Limit scopes. Separate personal and corporate identities. And stop assuming MFA alone closes the loop. In this wave of attacks, the real prize is often the session token already sitting behind MFA. (pushsecurity.com)
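What "steal identity artifacts, not just credentials" looks like in a sign-in log, and one detection rule for it, as an added example that is not from the original piece or from any vendor it cites: once a session is minted by an MFA login or a device-code flow, any later token use from a different network (ASN) or a different client is flagged, with both changes together, or any change on a device-code session, treated as high severity. The JSON log format, the field names, the session ids, the ASNs (from the documentation range) and the IPs (from the documentation prefixes) are all constructed.

```python
import json
from datetime import datetime

# Events that mint a session: an interactive login that passed MFA, or a
# device-code flow completing. Names are an assumption modelled on generic
# identity-provider sign-in logs.
MINTING_EVENTS = {"mfa_success", "device_code_auth"}


def parse_events(lines):
    """Parse JSON log lines and sort them by timestamp."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(lines):
    """Flag token use whose network or client differs from the login that minted the session."""
    origin = {}   # session id -> the minting event
    alerts = []
    for e in parse_events(lines):
        sid = e["session"]
        if e["event"] in MINTING_EVENTS:
            origin[sid] = e
            continue
        o = origin.get(sid)
        if o is None:
            continue   # minted before our log window; nothing to compare against
        reasons = []
        if e["asn"] != o["asn"]:
            reasons.append(f"ASN changed {o['asn']} -> {e['asn']}")
        if e["ua"] != o["ua"]:
            reasons.append(f"client changed {o['ua']!r} -> {e['ua']!r}")
        if not reasons:
            continue
        # A device-code token should be used from the device that polled for it,
        # so any mismatch there is strong; otherwise both changes are needed for high.
        high = len(reasons) == 2 or o["event"] == "device_code_auth"
        alerts.append({"session": sid, "user": e["user"], "ts": e["ts"].isoformat(),
                       "severity": "high" if high else "medium", "reasons": reasons,
                       "minutes_after_login": (e["ts"] - o["ts"]).total_seconds() / 60})
    return alerts


# Constructed sample sign-in log (documentation IPs and ASNs, fictional users).
SAMPLE_LOG = [
    '{"ts":"2026-04-29T09:00:00Z","user":"alice@example.com","session":"s1","event":"mfa_success","ip":"203.0.113.10","asn":"AS64500","ua":"Chrome/124 Windows"}',
    '{"ts":"2026-04-29T09:02:00Z","user":"alice@example.com","session":"s1","event":"token_use","ip":"203.0.113.10","asn":"AS64500","ua":"Chrome/124 Windows"}',
    '{"ts":"2026-04-29T09:03:30Z","user":"alice@example.com","session":"s1","event":"token_use","ip":"198.51.100.77","asn":"AS64501","ua":"Chrome/124 Windows"}',
    '{"ts":"2026-04-29T09:05:00Z","user":"alice@example.com","session":"s1","event":"token_use","ip":"198.51.100.77","asn":"AS64501","ua":"python-requests/2.31"}',
    '{"ts":"2026-04-29T09:10:00Z","user":"bob@example.com","session":"s2","event":"mfa_success","ip":"203.0.113.20","asn":"AS64500","ua":"Safari/17 macOS"}',
    '{"ts":"2026-04-29T09:11:00Z","user":"bob@example.com","session":"s2","event":"token_use","ip":"203.0.113.21","asn":"AS64500","ua":"Safari/17 macOS"}',
    '{"ts":"2026-04-29T09:20:00Z","user":"carol@example.com","session":"s3","event":"device_code_auth","ip":"203.0.113.30","asn":"AS64500","ua":"Edge/124 Windows"}',
    '{"ts":"2026-04-29T09:22:00Z","user":"carol@example.com","session":"s3","event":"token_use","ip":"192.0.2.9","asn":"AS64502","ua":"curl/8.5"}',
    '{"ts":"2026-04-29T09:25:00Z","user":"dave@example.com","session":"s9","event":"token_use","ip":"203.0.113.40","asn":"AS64500","ua":"Chrome/124 Windows"}',
]

if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_LOG):
        print(a["severity"], a["user"], a["session"], a["ts"], "; ".join(a["reasons"]))
```

Alice's session is the adversary-in-the-middle shape: the attacker first replays her cookie from hosting space with a copied browser string (medium), then drives it from a script (high). Carol's is the device-code shape: she approved the code on her own laptop and the token was consumed from somewhere else. Bob moving between two IPs inside the same ASN stays silent, which keeps carrier-NAT churn quiet at the cost of missing a thief who replays from inside the victim's own network.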

Shared from Scout - Be the smartest in the room.