Author
Omer Cohen
Word count
2201
Language
English

Summary

The Descope security team uncovered a vulnerability pattern in applications that use Microsoft Azure AD as an OAuth/OpenID Connect identity provider, termed "nOAuth," which allows full account takeover when an app uses the mutable and unverified "email" claim from the ID token as the user identifier. The flaw arises because an attacker who administers their own Azure AD tenant can set the mail attribute of a user they control to any address, including a victim's; Azure AD does not verify that address, so it is emitted verbatim in the "email" claim of the attacker's ID token. An app that looks up or links accounts by that claim then logs the attacker into the victim's account, even though the token's immutable identifiers ("sub", "oid", "tid") differ. Microsoft has since updated its documentation and introduced new claims to mitigate the issue, advising developers never to use mutable claims such as "email" for identification and to key accounts on immutable identifiers instead. Descope collaborated with Microsoft on the disclosure and notified several affected organizations, including high-profile applications and authentication providers, so they could implement fixes. The discovery underscores how easy it is to get OAuth and OIDC identity mapping wrong, the need for rigorous security review of login flows, and Descope's efforts to raise awareness and improve authentication security.
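The following added example (not Descope's or Microsoft's code) shows the two account-mapping strategies side by side: a store keyed on the "email" claim, which lets a token from an attacker-controlled tenant land in the victim's account, and a store keyed on the immutable "tid" + "oid" pair, which keeps the two users apart. The token dicts are constructed stand-ins for ID tokens whose signature, issuer, audience and expiry have already been validated; the tenant and object IDs in them are invented. The "xms_edov" check mirrors Microsoft's optional "email domain owner verified" claim, and is used here only to decide whether an email address may be shown or used for notifications, never as the account key.

```python
"""nOAuth: account takeover via the mutable `email` claim, and the fix.

Added example. The claim dicts are CONSTRUCTED samples standing in for Azure AD
ID tokens that have already passed JWT signature/iss/aud/exp validation (do that
with a real library such as PyJWT or MSAL before trusting any claim).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    account_id: str
    display_name: str


# Constructed: the victim signed in earlier from tenant T1 (IDs are invented).
VICTIM_TOKEN = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "sub": "victim-pairwise-subject",
    "email": "alice@victim.example",
    "xms_edov": True,  # victim's tenant owns victim.example
}

# Constructed: the attacker administers tenant T2 and set the mail attribute of
# one of their own users to the victim's address. Azure AD does not verify it,
# so `email` is copied into the token while tid/oid/sub are the attacker's.
ATTACKER_TOKEN = {
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "sub": "attacker-pairwise-subject",
    "email": "alice@victim.example",
    # no xms_edov: the attacker's tenant does not own victim.example
}


def trusted_email(claims: dict) -> Optional[str]:
    """Return the email only if the issuing tenant is verified to own its domain.

    Even then it is fine for display/notification, not as an identity key.
    """
    if claims.get("xms_edov") is True and claims.get("email"):
        return claims["email"]
    return None


class VulnerableUserStore:
    """Anti-pattern from the article: the account key is the `email` claim."""

    def __init__(self) -> None:
        self.by_email: dict[str, Account] = {}

    def login(self, claims: dict) -> Account:
        email = claims["email"]
        if email not in self.by_email:
            self.by_email[email] = Account(f"acct-{len(self.by_email) + 1}", email)
        return self.by_email[email]  # attacker's token resolves to the victim


class HardenedUserStore:
    """Fix: key accounts on immutable identifiers and treat email as metadata."""

    def __init__(self) -> None:
        self.by_subject: dict[str, Account] = {}

    @staticmethod
    def subject_key(claims: dict) -> str:
        # `oid` is stable per user within a tenant; `tid` scopes it so two
        # tenants can never collide. (`sub` alone also works: it is pairwise
        # per app and immutable, just not portable across your own apps.)
        tid, oid = claims.get("tid"), claims.get("oid")
        if not tid or not oid:
            raise ValueError("token lacks immutable identifiers tid/oid")
        return f"{tid}:{oid}"

    def login(self, claims: dict) -> Account:
        key = self.subject_key(claims)
        if key not in self.by_subject:
            shown = trusted_email(claims) or key
            self.by_subject[key] = Account(f"acct-{len(self.by_subject) + 1}", shown)
        return self.by_subject[key]


def demo() -> dict:
    """Run both stores against the victim's then the attacker's token."""
    vulnerable = VulnerableUserStore()
    v_victim = vulnerable.login(VICTIM_TOKEN)
    v_attacker = vulnerable.login(ATTACKER_TOKEN)

    hardened = HardenedUserStore()
    h_victim = hardened.login(VICTIM_TOKEN)
    h_attacker = hardened.login(ATTACKER_TOKEN)

    return {
        "vulnerable_same_account": v_victim is v_attacker,   # True: takeover
        "hardened_same_account": h_victim is h_attacker,     # False: separate users
        "attacker_email_trusted": trusted_email(ATTACKER_TOKEN) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

When migrating an existing email-keyed user table, link a legacy row to an incoming token only after an independent proof of address ownership (a verification mail, or a domain-verified claim), then store the "tid:oid" key and stop matching on email altogether.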