
All news with #oauth app abuse tag

64 articles · page 2 of 4

Abandoned Outlook Add-in Hijacked to Phish 4,000 Users

⚠️ Koi Security found that an abandoned Outlook add-in, AgreeTo, was hijacked to run phishing kits that captured roughly 4,000 Microsoft account credentials. The attacker claimed an orphaned Vercel subdomain referenced in the add-in’s XML manifest and replaced live content with a fake sign-in page while retaining mailbox permissions. Microsoft had validated and signed the original manifest but does not re-review hosted content fetched at runtime. Users should remove AgreeTo and reset affected passwords immediately.

ConsentFix debrief: New OAuth phishing technique analysis

🔒Push Security discovered ConsentFix in December — a browser-native OAuth phishing technique that tricks victims into pasting a legitimate Microsoft authorization URL so attackers can exchange the code and hijack accounts. The campaign targeted pre-consented first-party Microsoft apps and legacy scopes to evade default logging and Conditional Access controls. Push and the security community have published hunting guidance and mitigations focused on logging, access restrictions, and browser-based detection.

n8n npm Packages Used in OAuth Credential Theft Campaign

🔒 Researchers found eight malicious npm packages impersonating n8n community nodes that were designed to steal developers' OAuth credentials. The packages mimicked legitimate integrations (for example, Google Ads), saved encrypted OAuth tokens to n8n's credential store, then used the instance master key at runtime to decrypt and exfiltrate tokens to attacker-controlled servers. Analysts urge disabling community nodes and auditing packages before installation.

Attackers Abuse Microsoft OAuth Device Codes for Hijacks

🔒 Cybercriminals and state-sponsored actors are increasingly abusing OAuth device authorization to hijack enterprise Microsoft 365 accounts, often bypassing multifactor protections. Proofpoint reports campaigns have surged since September 2025 and shifted from targeted voice-phishing to scalable email-based social engineering. Attackers prompt victims to enter short-lived device codes on Microsoft’s verification page, validating tokens and granting access. Tools such as SquarePhish2 and Graphish automate the flow and lower the skill barrier for large-scale attacks.

OAuth Device Code Phishing Surges, Targeting Microsoft 365

🔐 Proofpoint has observed a sharp increase in phishing campaigns that abuse Microsoft's OAuth device code authorization flow to gain access to Microsoft 365 accounts. Attackers use social engineering — QR codes, embedded buttons and hyperlinks — to trick users into entering device codes on Microsoft's legitimate verification page, which yields valid access tokens. Readily available tools such as SquarePhish2 and Graphish have lowered the bar for both state-aligned and financially motivated actors.

Browser Extension Risk Guide After ShadyPanda Campaign

🔒 The ShadyPanda campaign hijacked thousands of legitimate Chrome and Edge extensions, converting them into spyware and RCE-enabled backdoors via silent updates. About 4.3 million users installed compromised add‑ons that could steal session cookies and impersonate SaaS accounts. Organizations should enforce extension allow lists, audit permissions, and treat extensions like OAuth apps. Platforms such as Reco can help bridge browser, endpoint, and SaaS visibility.

ConsentFix: Browser-based evolution of ClickFix phishing

🔒 Researchers at Push Security describe ConsentFix, a browser-only evolution of the ClickFix phishing technique that captures OAuth tokens for Microsoft logins. The attack leverages legitimate but compromised sites and a fake Cloudflare-style CAPTCHA to trick victims into copying and pasting a URL containing an OAuth token, which yields account access via Azure CLI without a password or MFA. Push Security warns the method avoids many endpoint and authentication defenses and is difficult to detect; mitigation requires tightened consent governance, enhanced monitoring, and browser-based protections.

Zero-Click Agentic Browser Deletes Entire Google Drive

⚠️ Straiker STAR Labs researchers disclosed a zero-click agentic browser attack that can erase a user's entire Google Drive by abusing OAuth-connected assistants in AI browsers such as Perplexity Comet. A crafted, polite email containing sequential natural-language instructions causes the agent to treat housekeeping requests as actionable commands and delete files without further confirmation. The technique requires no jailbreak or visible prompt injection, and deletions can cascade across shared folders and team drives.

OAuth Token Compromise Hits Salesforce Ecosystem Again

🔐 Salesforce disclosed unauthorized access tied to Gainsight-published apps using OAuth integrations, saying it revoked all active access and refresh tokens and temporarily removed those apps from the AppExchange while investigators continue their work. Gainsight confirmed the incident, has engaged Mandiant for forensics, and revoked related connector access across other marketplaces. Google Threat Intelligence linked the activity to actors associated with ShinyHunters, echoing prior token-abuse campaigns against Salesloft and Drift. The incident highlights supply-chain risks in SaaS OAuth integrations and reinforces urgent recommendations to audit and revoke suspicious tokens.

Salesforce Flags Unauthorized Access via Gainsight OAuth

🔒 Salesforce reported detecting 'unusual activity' involving Gainsight-published applications that used OAuth connections to its platform and said the activity may have enabled unauthorized access to some customers' Salesforce data. The company revoked all active access and refresh tokens for affected apps and temporarily removed those listings from the AppExchange while it investigates. Gainsight also pulled its app from the HubSpot Marketplace as a precaution. Security analysts have linked the activity to the ShinyHunters (UNC6240) group and are urging customers to review and revoke suspicious third-party integrations.

CoPhish: Microsoft Copilot Studio Agents Steal OAuth Tokens

🔐 Datadog Security Labs has described a new phishing technique called CoPhish that abuses Copilot Studio agents to present fraudulent OAuth consent requests on legitimate Microsoft-hosted demo pages. Attackers can configure an agent’s Login topic to deliver a malicious sign-in button that redirects to a hostile application and exfiltrates session tokens. Microsoft confirmed it will address the underlying causes in a future update and recommends governance and consent hardening to reduce exposure.

Malicious Extensions Spoof AI Browser Sidebars, Report

⚠️ Researchers at SquareX warn that malicious browser extensions can inject fake AI sidebars into AI-enabled browsers, including OpenAI Atlas, to steer users to attacker-controlled sites, exfiltrate data, or install backdoors. The extensions inject JavaScript to overlay a spoofed assistant and manipulate responses, enabling actions such as OAuth token harvesting or execution of reverse-shell commands. The report recommends banning unmanaged AI browsers where possible, auditing all extensions, applying strict zero-trust controls, and enforcing granular browser-native policies to block high-risk permissions and risky command execution.

Audit Microsoft 365 for Hidden Malicious OAuth Applications

🔍 Matt Kiely of Huntress Labs urges Microsoft 365 administrators to audit OAuth applications across their tenants and provides a pragmatic starting tool, Cazadora. The research shows both abused legitimate apps (Traitorware) and bespoke malicious apps (Stealthware) can persist for years and that Azure’s default user-consent model enables these abuses. Operators should check Enterprise Applications and Application Registrations for suspicious names, anomalous reply URLs (notably a localhost loopback with port 7823), and other anomalous attributes, then take remediation steps.

Token Theft Fuels SaaS Breaches — Security Teams Must Act

🔐 Token theft is now a primary vector for SaaS breaches, with stolen OAuth, API keys, and session tokens enabling attackers to bypass MFA and access integrated services. High-profile incidents from 2023 to 2025 show how a single unrotated token can compromise code, secrets, or customer data across platforms. Teams should prioritize discovery, continuous monitoring, and strict token hygiene—rotation, least-privilege scopes, approval workflows, and prompt revocation.

Defend the Target, Not Just the Door: Google Workspace

🛡️ Modern cloud work lives across email, files, chat, and a mesh of integrations, and attackers increasingly exploit trusted OAuth grants rather than compromising accounts directly. In early August the actor behind recent Salesforce intrusions used stolen Drift email tokens to access a small set of Google Workspace mailboxes; Google revoked the tokens and disabled the integration on August 9. Material Security advocates shifting from perimeter-only defenses to content-centric controls such as message-level MFA, OAuth governance, and automated containment to make stolen tokens far less damaging.

Trinity of Chaos Launches TOR Data Leak Site, Exposes Data

🔓 The Trinity of Chaos collective has opened a data leak site on the TOR network, publishing previously undisclosed records tied to past breaches and listing 39 major global firms. Resecurity says the group claims more than 1.5 billion records across 760 companies and has set an October 10 negotiation deadline. Samples reportedly contain substantial PII and appear to stem from compromised SaaS environments via stolen OAuth tokens and vishing; the FBI has issued a flash alert. The group also threatened to leverage existing litigation and regulatory complaints against Salesforce, which has denied new vulnerabilities.

Extortion Gang Reveals Alleged Salesforce Victims List

🔓 The Scattered Lapsus$ Hunters gang opened a public data-leak site claiming it stole Salesforce data from dozens of global companies, including Salesforce, Toyota, FedEx, Disney/Hulu, Marriott and Google. The group set an Oct. 10 deadline for ransom payments and threatened to publish or even use stolen documents in legal actions if demands are not met. Salesforce says its investigation found no indication the platform itself was compromised and attributes the incidents to past or unsubstantiated claims. Researchers link many breaches to vishing that installs malicious connected apps and to compromised OAuth tokens in Salesloft Drift, underscoring a broader SaaS supply-chain risk.

UNC6040: Proactive Hardening for SaaS and Salesforce

🔒 Google Threat Intelligence Group (GTIG) tracks UNC6040, a financially motivated cluster that uses telephone-based social engineering to compromise SaaS environments, primarily targeting Salesforce. Operators trick users into authorizing malicious connected apps—often a fake Data Loader—to extract large datasets. The guidance prioritizes identity hardening, strict OAuth and API governance, device trust, and targeted logging and SIEM detections to identify rapid exfiltration and cross‑SaaS pivots.

GitHub notifications abused to impersonate Y Combinator

📩 Attackers abused GitHub's notification system to send fake Y Combinator W2026 invitations by creating issues and tagging users so the platform would deliver legitimate-looking emails. The lure promised participation in a purported $15 million funding program and linked to a typo-squatted domain. That site ran obfuscated JavaScript and presented an EIP-712-style wallet verification prompt that, when signed, authorized draining transactions.

ShinyHunters Claims 1.5B Salesforce Records Stolen via Drift

🔒 The ShinyHunters extortion group claims they stole approximately 1.5 billion Salesforce records from 760 companies by abusing compromised Salesloft Drift and Drift Email OAuth tokens exposed in a Salesloft GitHub breach. The attackers reportedly accessed Account, Contact, Case, Opportunity, and User tables and searched exfiltrated data for secrets to pivot further. Google/Mandiant and the FBI are tracking the activity as UNC6040/UNC6395, and Salesforce urges customers to enable MFA, enforce least privilege, and manage connected apps carefully.