Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.
The big news this month has been the rollout of Material’s OAuth Remediation Agent, along with a data report on findings from our early beta participants. But that’s not all the team has been building. We’re continuing to sharpen and refine our detection engine with surgical updates that make Material faster, safer, and easier to run even as the coverage area provided by the platform expands.
OAuth Remediation Agent is generally available
Material’s OAuth Remediation Agent is now in the hands of customers. It gives security teams real-time visibility into every OAuth app connected to their Google Workspace environment, with the ability to automatically classify risk and revoke access for malicious or unwanted connections, with no manual investigation required.
This new capability expands Material’s security surface area coverage to encompass not just what’s stored within the cloud workspace, but what’s connected to it. With the explosive growth of AI apps, companies must know what AI is being used and what it’s able to access.
If you haven't already, you can learn more about the OAuth Remediation Agent here.
OAuth Risk Report
Our inaugural OAuth Risk Report highlights a growing governance gap: 91% of AI applications in production appeared only in the last 16 months, often authorized by individuals without IT oversight. This sprawl is compounded by dormant access, with nearly half of all apps showing no activity for 90 days, and offboarding gaps where sensitive grants persist even after an employee leaves. The report also reveals that one in four apps holds restricted scopes, including deceptive tools designed to impersonate legitimate services. Check out the full report here.
To address these risks, June’s updates to the OAuth Remediation Agent focus on granular control and visibility. Admins can now perform per-user token revocation and view account-specific scopes to see exactly what each user authorized. We’ve also streamlined the workflow so that accepting a classification automatically resolves the underlying issue, and added filtered CSV exports to simplify audits of client IDs, classifications, and response statuses.
Smarter, more resilient threat detection
Material’s power lies not just in the breadth of security coverage across the cloud workspace, but in the accuracy and actionability of the threats it surfaces. That’s why behind the scenes, Material's detection engine got several meaningful upgrades this month.
Email remains a key entry point for attackers, with new exploits threatening unwary employees. That’s why we added a new detection for a recently reported abuse of Microsoft infrastructure used to send spam and phishing links. Material also catches phishing delivered through the Demio webinar platform, a vector security teams have seen used in active campaigns. Both detections are actively protecting our customers, with no extra configuration needed. This is just part of an ongoing series of tuning improvements across impersonation, infrastructure abuse, account takeover, and bulk-mail detection.
We’re also making it easier for analysts to investigate issues. This happens thanks to a combination of the right positive signals along with better visibility within the platform. An example of an insightful new detection is one that now fires when a user clicks a defanged phishing link but is stopped before reaching the actual malicious destination. This gives security teams a low-noise way to measure how often protections are actually working, separate from cases where a user bypasses a warning.
On the search and investigation side, several aspects of the platform received updates. A new search field lets teams query specifically for messages caught by Email Bomb Protection, making it easier to scope the full extent of a mail-bomb attack. We also improved load time and scannability on Issues pages, so key content like sender reputation loads almost instantly and repetitive actions are summarized (e.g. “removed 7 messages” vs. listing every individual event).
Another aspect of Material’s detection engine is its deep ability to understand context. This is especially vital when it comes to cleaning up attacks on the calendar, a resource employees need to rely on to organize their workdays. When Material automatically removes a malicious calendar event during phishing cleanup, it checks the event's authoritative organizer first. Events created by the mailbox owner, their aliases, or trusted internal users are skipped. The fix is resilient to spoofed invite details, so automated remediation no longer risks deleting a real meeting by mistake.
Security Effectiveness Is in the Details
A solid detection engine is more than the sum of its parts, it can be measured in the way it ties together those individual signals. Material is continuing to build effective capabilities, detections, and automated remediations that build on each other, driving more effective security with less toil.

