ciso brief

All news with #oauth app abuse tag

64 articles

Shadow AI and the Rise of Vibe‑Coded Application Risk

🔎 Shadow AI now describes employees building full applications with AI and publishing them without IT or security involvement. Red Access' Shadow Builders report found over 380,000 public assets on vibe‑coding platforms, with more than 2,000 exposing sensitive corporate or personal data. Existing security controls miss these builds because the entire lifecycle — OAuth grants, data movement, and publishing — occurs inside web sessions that traditional tools only partially observe.

FBI warns of Kali365 phishing kit bypassing MFA

🔒 The FBI has alerted organisations to Kali365, a phishing-as-a-service platform that can hijack Microsoft 365 accounts without stealing passwords and can bypass multi-factor authentication. Launched in April 2026 and sold via Telegram, Kali365 offers AI-generated lures, automated templates, dashboards, and OAuth token capture for as little as $250 monthly. The kit exploits Microsoft’s device code flow, tricking victims into authorising attacker devices on legitimate Microsoft pages, granting access to Outlook, Teams, and OneDrive. The FBI recommends blocking device code flow with a conditional access policy in Microsoft Entra ID and deploying phishing-resistant MFA such as hardware security keys.

FBI Alerts on Kali365 Phishing Service Targeting M365

🔒 The FBI warns about the Kali365 phishing-as-a-service platform that abuses OAuth device code authentication to hijack Microsoft 365 and Microsoft Entra accounts. Distributed via Telegram since April 2026, Kali365 enables low-skilled attackers to bypass MFA by tricking victims into authorizing device codes, then capturing OAuth tokens to access mailboxes and cloud apps. Researchers observed campaigns using phishing emails, AI-generated lures, and real-time dashboards, while the FBI advises blocking device code flows and preserving forensic evidence.

FBI Warns of Kali365 Phishing-as-a-Service Threat

🛡️ The FBI has identified a new phishing-as-a-service platform called Kali365, first seen in April 2026, that is being distributed primarily via Telegram. The service furnishes AI-generated lures, automated templates and real-time tracking dashboards to enable attackers — including low-skill actors — to capture OAuth tokens and bypass MFA for Microsoft 365 accounts. Victims are tricked into pasting device codes into the legitimate Microsoft verification page, unintentionally authorizing attacker devices and granting persistent access to services such as Outlook, Teams and OneDrive. The FBI recommends restricting or blocking device code flow, implementing conditional access policies, blocking authentication transfer and protecting emergency access accounts.

FBI alert: Kali365 OAuth phishing risks rise

🔒 The FBI warns of phishing campaigns using Kali365 to harvest Microsoft 365 OAuth access tokens and bypass multi-factor authentication. Attackers trick users into entering a code on a legitimate Microsoft page, which instead authorizes the attacker’s device to access the victim’s account. The FBI advises IT teams to deploy conditional access policies and block authentication transfer to reduce exposure.

Detecting and Blocking Unsanctioned AI in the Enterprise

🔍 While many organizations intentionally deploy AI to improve productivity, unsanctioned AI is proliferating faster — employees install tools or vendors embed assistants into existing apps. The article defines four AI categories and maps specific detection techniques to each, covering DNS, web gateways/NGFW, EPP/EDR, application and browser controls, and SSPM/identity governance. It flags OAuth consent as a high-risk channel and summarizes admin steps for Microsoft Entra, Google Admin, Salesforce, and ServiceNow to block or restrict app access.

Consent Phishing: OAuth Grants Enable Token Hijacks

🔐 In February 2026 the EvilTokens PhaaS campaign abused the OAuth consent flow to harvest long‑lived refresh tokens, compromising over 340 Microsoft 365 organizations across five countries. Victims completed legitimate sign‑ins and MFA at microsoft.com/devicelogin, then clicked consent and unknowingly granted broad scopes for mail, drive, calendar, and contacts. Because the attacker received signed, refreshable tokens rather than credentials, MFA and typical SIEM correlation did not detect the intrusion. The incident demonstrates how normalized consent clicks have become a critical security gap.

Five Practical Steps to Manage Shadow AI Tools Securely

🔍 Across organizations, employees run three to five AI tools daily—many unapproved and often connected to corporate data via OAuth, browser extensions, or newly added vendor features—creating a widening "shadow AI" gap that evades traditional network controls. The article outlines five practical steps security teams can apply: build an inventory, write usable policies, create a fast approval lane, implement browser-native monitoring, and deliver just-in-time coaching. Together these measures aim to preserve productivity while restoring visibility, reducing data exposure, and aligning employee workflows with security requirements.

Tycoon2FA Uses Device-Code Phishing to Hijack M365 Accounts

🔐 The Tycoon2FA phishing kit now exploits OAuth device-code flows and misuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts. eSentire found the kit rebuilt after a March takedown, adding obfuscation layers, a 230-vendor blocklist, and extensive anti-analysis checks to evade detection. Attackers trick victims into pasting device codes at microsoft.com/devicelogin, granting OAuth tokens and full access to email, calendar and cloud storage.

ConsentFix v3 Automates OAuth Abuse Targeting Azure

🔐 ConsentFix v3 is an automated evolution of prior OAuth consent phishing techniques that targets Microsoft Azure environments by abusing pre-trusted first-party apps and the OAuth2 authorization code flow. Attackers conduct reconnaissance to harvest employee names, roles, and emails, host convincing phishing pages on Cloudflare Pages and DocSend, and use Pipedream webhooks to collect and immediately exchange authorization codes for refresh tokens. Phishing is often highly personalized and delivered via PDFs to evade filters. Captured tokens are imported into post-exploitation tools to access mail, files, and other resources permitted by the token.

Vercel Confirms Cyber Incident After Third-Party Compromise

🔒 Vercel has confirmed a cyber incident in which a "highly sophisticated" attacker exploited the third-party tool Context.ai after an employee authorized the app. The adversary used that access to take over the employee's Vercel Google Workspace account and accessed several environments and environment variables not marked as sensitive; sensitive variables are stored unreadable and show no evidence of access. Vercel says npm packages and major projects like Next.js were not compromised, has engaged Mandiant to investigate, and is notifying affected customers while advising MFA, rotation of exposed variables, and strengthened deployment protections.

Weekly Recap - Third-Party Compromises and Evasion Trends

🔒 This weekly recap highlights a recurring attack pattern: compromise of trusted third-party tools and update paths to gain internal access and persist. Incidents include a Vercel breach originating from a compromised Context.ai account that led to takeover of a Google Workspace identity, hijacked download pages serving trojanized installers, malicious Chrome extensions, and plugin abuse. The report emphasizes multi-stage, in-memory payloads and attackers leveraging legitimate workflows to evade detection. Organizations should reassess trust boundaries, monitor OAuth tokens and environment variables, and prioritize patching of actively exploited CVEs.

Attackers Abuse AI OAuth to Breach Vercel Internal Systems

🔒 Vercel disclosed a data breach after a compromised third-party AI application, Context.ai, abused Google Workspace OAuth to access an employee account and read environment variables that were not marked as 'sensitive'. Vercel says variables designated as 'sensitive' are stored unreadable and there is no evidence those values were accessed. A limited subset of customers had credentials exposed and have been contacted to rotate secrets. Vercel is working with Mandiant, other cybersecurity firms and law enforcement while urging customers to review logs, enable sensitive-variable protections and rotate tokens.

Investigating Storm-2755: Payroll pirate attacks in Canada

🔒 Microsoft Incident Response researchers detail a Storm-2755 campaign that used malvertising and SEO poisoning to phish Canadian users and capture OAuth tokens and credentials via adversary-in-the-middle (AiTM) proxying. The actor replayed tokens (notably using the Axios/1.7.9 user-agent) to hijack authenticated sessions and bypass non-phishing-resistant MFA. Compromised accounts were used to search for payroll and HR data, create hidden inbox rules, and in some cases directly modify Workday payment information, resulting in at least one confirmed payroll diversion. Microsoft urges immediate token revocation, removal of malicious inbox rules, and adoption of phishing-resistant MFA and device-based conditional access.

AI-Enabled Device Code Phishing Campaign Analysis Report

🔒 Microsoft Defender Security Research describes an AI-enabled campaign that abused the OAuth Device Code flow to compromise organizational accounts at scale. Actors used generative AI to craft hyper-personalized lures and automated backend infrastructure (including Railway.com and other PaaS) to generate dynamic device codes at click time, defeating the standard 15-minute expiry. The activity is linked to the PhaaS toolkit EvilToken and shows a marked escalation in automation and scale versus earlier device code phishing campaigns. Post-compromise actions focused on device registration, Microsoft Graph reconnaissance, malicious inbox rules, and email exfiltration.

Device-code phishing attacks surge as kits spread online

🔐 Device-code phishing attacks that exploit the OAuth 2.0 Device Authorization Grant flow have surged sharply this year, driven by commodity phishing kits. Researchers report a 37.5x increase in detected pages and identify at least 11 kits, with the PhaaS offering EvilTokens the most prominent. These kits mimic legitimate SaaS flows, use anti-bot protections and cloud hosting, and trick victims into entering device codes that grant attackers valid access and refresh tokens. Security teams are advised to disable unused device-code flows and monitor authentication logs and sessions closely.

Device Code Phishing Targets 340 Microsoft Orgs Globally

🔐 Huntress is tracking an active device code phishing campaign targeting Microsoft 365 identities at over 340 organizations across the US, Canada, Australia, New Zealand, and Germany. The attackers use Cloudflare Workers redirects and Railway.com-hosted infrastructure to harvest OAuth access and refresh tokens that remain valid after password resets. Sectors hit include construction, non-profits, real estate, manufacturing, finance, healthcare, legal and government.

ThreatsDay: OAuth Consent Abuse, EDR Bypass & More

🔒 Multiple vendors and researchers this week disclosed a broad set of active threats spanning cloud environments, endpoints, and messaging platforms. OAuth consent abuse campaigns impersonated trusted apps to harvest tokens and access mail and files without passwords, while the BlackSanta campaign used resume-themed ISOs to chain DLL side‑loading and disable AV/EDR via vulnerable drivers. Other notable items include microcontroller debug bypasses, ZIP header evasion that defeats some AV/EDR tools, an AI-agent compromise of an internal platform, and targeted phishing against Signal and WhatsApp users.

Hackers Abuse OAuth Error Redirects to Deliver Malware

🔐 Microsoft warns that attackers are abusing legitimate OAuth error redirection to bypass email and browser phishing protections and deliver malware. Campaigns target government and public-sector organizations with lures such as e-signature requests, meeting invites, and financial notices that contain OAuth redirect URLs. Attackers register malicious OAuth apps and invoke silent-auth parameters or invalid scopes to trigger error redirects to attacker-controlled pages. Those pages can host credential-phishing frameworks or automatically deliver ZIP packages that launch PowerShell loaders and DLL side‑loading routines, enabling final payload execution.

OAuth redirect abuse lets phishers hide malicious pages

🔗 Microsoft warns attackers are abusing a legitimate OAuth redirect behavior to send victims from trusted identity-provider endpoints—like Microsoft Entra ID and Google Workspace—to attacker-controlled landing pages. Phishing lures such as e-signature requests, HR notices, Teams invites and password resets embed links that point to real authorization endpoints but use broken parameters (for example, prompt=none plus invalid scopes) so the provider silently redirects to a malicious URI. Microsoft has disabled multiple malicious OAuth apps, published client IDs and initial redirect IOCs, and supplied KQL hunting queries for Defender XDR customers. Analysts say the old advice to “hover and check the link” is no longer sufficient and urge validating context and tightening OAuth governance.