< ciso
brief />
Tag Banner

All news with #oauth misconfiguration tag

28 articles

New phishing kits target Microsoft 365 and evade MFA

🛡️ Two new phishing kits, Jalisco and OmegaLord, are being used to target Microsoft 365 accounts and bypass multi-factor authentication. Jalisco leverages the OAuth 2.0 device-code flow to trick victims into authorizing attacker-controlled devices, while OmegaLord poses as a PDF reader to harvest credentials and phone numbers. Researchers at ReliaQuest analyzed both toolkits and found attackers quickly exfiltrate data from SaaS platforms before demanding extortion. The report recommends tightening device-registration limits and blocking device-code authentication to reduce risk.
read more →

OAuth client ID spoofing exposes cloud sign‑in blind spot

🔒 Proofpoint has identified at least two threat clusters weaponizing a technique called OAuth client ID spoofing to enumerate accounts and validate stolen credentials in Microsoft Entra ID environments while avoiding successful sign‑in telemetry. By supplying spoofed or manipulated client_id values in OAuth token requests—often using the ROPC flow—attackers can cause different AADSTS error responses that reveal whether an account exists and whether a password is correct without recording a successful login. Campaigns such as UNK_pyreq2323 and UNK_OutFlareAZ have used millions of randomized or modified client IDs across thousands of tenants to probe and lock out users, undermining per‑application detections and Conditional Access policies.
read more →

Novel OAuth Client ID Spoofing Targets Cloud

🔒 Cyber-attackers are increasingly using OAuth client ID spoofing to access cloud environments by abusing Microsoft Entra ID (formerly Azure AD). Proofpoint researchers found threat actors issuing ROPC token requests to the OAuth 2.0 endpoint, producing AADSTS error codes that reveal valid usernames and authentication controls. The technique produces blank or spoofed application IDs in Entra sign‑in logs, making detection difficult and enabling large-scale campaigns targeting millions of accounts.
read more →

RabbitMQ OAuth secret leak and authorization bypass patched

🔒 RabbitMQ has patched two critical access control flaws that could expose OAuth client secrets and leak queue/exchange metadata. Discovered by Miggo Security, CVE-2026-57219 allowed unauthenticated retrieval of OAuth configuration from an obsolete endpoint, risking full broker takeover; CVE-2026-57221 permitted authorization bypass for passive declarations, enabling reconnaissance. Users should upgrade immediately and rotate secrets.
read more →

AWS adds OAuth support for MCP Server access

🔐 AWS Sign-In now supports OAuth for connecting agents to the AWS MCP Server, enabling browser-based and headless authentication that leverages existing IAM, IAM Identity Center, and federated sign-in methods. The update includes dynamic client registration, token introspection and revocation, new CloudTrail elements, global condition keys, and a headless OAuth API. Agents discover OAuth endpoints, register via DCR, and use authorization code or client credentials flows to obtain short-lived tokens. Administrators can govern OAuth access using standard IAM policies plus OAuth-specific condition keys and monitor activity via CloudTrail.
read more →

OAuth support for the AWS MCP Server released

🔐 You can now connect AI agents directly to the AWS MCP Server using AWS Sign-In and industry-standard OAuth. Agents may authenticate without extra software and reuse existing AWS identities, sign-in methods, IAM permissions, and governance controls. Developers can authorize agents interactively via a browser or programmatically with headless flows, while administrators govern access with IAM policies and new OAuth features.
read more →

Massive Microsoft 365 password spray attack exposed

🔒 Microsoft users experienced a large-scale automated password spray campaign that targeted accounts indiscriminately, including clients of security firm Huntress. Huntress reported 81 million login attempts against its customers between June 12 and 26, with at least 78 successful compromises. Attack traffic originated from an IPv6 range tied to LSHIY LLC, which has since cut service to the offending customer. The attackers abused the OAuth ROPC flow to replay valid credentials, bypassing protections where MFA was not enforced for all cloud apps or all user groups.
read more →

Salesforce disables Klue app after OAuth breach

🔒 Salesforce has disabled the Klue Battlecards app integration after unusual activity tied to a Klue security incident on June 11, 2026, which may have allowed unauthorized access to some customer data. Klue says attackers used a compromised legacy credential to obtain OAuth tokens and access connected third-party platforms, while Salesforce emphasizes the issue stemmed from the app connection and not its platform. Klue and customers like Huntress are investigating, revoking tokens, and remediating impacts.
read more →

ROADtools misuse in cloud identity attacks

🔍 ROADtools is an open-source Python toolkit for red teams and researchers that attackers have repurposed to target Microsoft Entra ID. It enumerates tenants, registers devices, and acquires or manipulates OAuth2/OpenID Connect tokens while using legitimate Microsoft APIs and configurable request attributes to evade detection. Nation-state actors have used ROADtools for discovery, persistence and defense evasion, and Palo Alto Networks outlines detection queries, mitigation recommendations and protections available via Cortex Cloud, Cortex XDR and Unit 42 services.
read more →

OAuth Backdoor: Persistent Tokens and Enterprise Risk

🔒 Every AI tool, workflow automation, or productivity app that employees connect to Google or Microsoft can leave a persistent OAuth token that does not expire, is not centrally tracked, and bypasses perimeter controls and MFA. Material Security's research shows many organizations are aware but lack effective remediation: some do nothing and others rely on manual spreadsheets. The article argues for continuous behavioral monitoring, blast-radius assessment, and graduated automated responses to revoke risky tokens before they’re weaponized.
read more →

Lessons from the Vercel Breach: Shadow AI & OAuth Risk

🔒 The Vercel incident highlights how employee-installed AI apps can create persistent OAuth bridges between core enterprise systems and third parties, turning shadow AI into a critical attack vector. In the Vercel case a trial use of Context.ai granted access to Google Workspace, and when Context.ai was breached attackers leveraged stored tokens to pivot into Vercel. The piece urges admins to adopt default-deny consent, routinely audit integrations, and extend controls beyond primary clouds to manage OAuth sprawl.
read more →

Curity Proposes Runtime Authorization for AI Agents

🔒 Curity announced Access Intelligence, an extension to its Identity Server IAM platform designed to secure rapidly proliferating autonomous AI agents. Rather than rely on static, pre-granted permissions, the company uses Token Intelligence to embed an agent's declared purpose and intent in OAuth tokens and issues short-lived, action-specific tokens at runtime. The system can require human approval for high-risk tasks, is deployed as a self-hosted microservice, and centralizes token validation to isolate unregistered or shadow agents.
read more →

Cloudflare Adds Managed OAuth to Protect Agent Access

🔐 Cloudflare is launching Managed OAuth for Cloudflare Access in open beta, enabling agents that speak OAuth 2.0 to authenticate to internal apps with a single click. When enabled, Access acts as the authorization server and uses the www-authenticate header to point agents to the /.well-known/oauth-authorization-server. Agents can dynamically register (RFC 7591), perform PKCE (RFC 7636), and receive JWTs to act on behalf of users, removing the need for static service accounts.
read more →

n8n OAuth misconfig allows stored XSS, credential risk

⚠️ Researchers at Imperva disclosed a configuration weakness in the OAuth credential handling of n8n that fails to sanitize the authorization URL, enabling a stored XSS payload to be saved in the application database. An attacker with access to a victim's n8n instance can replace a legitimate URL with malicious JavaScript that executes when other users interact with the same credential. Because the payload is persistent, it can expose multiple OAuth credentials and enable broader system compromise. The flaw was fixed in n8n v2.6.4 on February 6.
read more →

Microsoft Warns OAuth Redirect Abuse Targets Government Orgs

🔒 Microsoft warned on Mar 3, 2026 of phishing campaigns that leverage OAuth redirect URLs to bypass email and browser defenses and deliver malware to government and public-sector targets without directly stealing tokens. Attackers register malicious applications and manipulate identity providers like Entra ID and Google Workspace to craft redirect links sent in emails or embedded in PDFs. The delivery chain uses ZIP -> LNK-triggered PowerShell -> MSI -> DLL sideloading to execute in-memory payloads and contact external C2; some campaigns also used AitM kits such as EvilProxy. Microsoft removed identified malicious apps and recommends limiting consent, auditing app permissions, and removing unused or overprivileged applications.
read more →

OAuth Redirect Abuse Enables Phishing and Malware Delivery

🔒Microsoft Defender researchers observed phishing campaigns that abused OAuth redirection mechanics to route victims from trusted identity domains to attacker-controlled hosts. Attackers used silent authorization requests (for example prompt=none and intentionally invalid scopes) and embedded target addresses in the state parameter to trigger error redirects that landed users on malicious pages or download hosts without yielding tokens. Microsoft flagged correlated activity across email, identity, and endpoints; Microsoft Entra disabled the identified applications, though related activity persists and requires continued monitoring.
read more →

Device-Code Phishing Uses OAuth to Bypass Microsoft 365

🔐 Researchers at KnowBe4 discovered a campaign aimed at North American businesses that tricks employees into entering a “Secure Authorization” code on a legitimate Microsoft 365 login page. Unknown to victims, the code actually authorizes an attacker-controlled device through the OAuth 2.0 Device Authorization Grant, issuing access and refresh tokens that grant persistent access to Outlook, Teams, OneDrive and other services. Recommended mitigations include allowlisting OAuth apps, disabling device-code flow in Entra conditional access where feasible, auditing integrations, and ongoing employee awareness training.
read more →

Filling Common Gaps in Google Workspace Security Posture

🔒 Security teams at fast-growing companies must secure collaboration platforms without slowing the business. This piece highlights common native gaps in Google Workspace—from BEC and targeted phishing to legacy protocol exposure and weak OAuth controls—and lists immediate hardening steps for Gmail, access, and data protection. It also outlines how Material augments Workspace with advanced email defense, context-aware account monitoring, and automated data protection.
read more →

OAuth device-code abuse enables MFA bypass in attacks

🔒 Security firm Proofpoint reports attackers are abusing the OAuth 2.0 device-code flow to bypass MFA. Scammers trick users into entering one-time device codes into malicious Microsoft authentication links, allowing the attackers to capture codes and gain full access to the victim's Microsoft 365 accounts and content. Proofpoint observed both Russian and Chinese threat actors using this technique.
read more →

Dynamic AI-SaaS Security: Guardrails as Copilots Scale

🔒 Within the past year AI copilots and agents have been embedded across major SaaS like Zoom, Slack, Microsoft 365, Salesforce, and ServiceNow, creating dynamic cross-app data flows that traditional governance struggles to monitor. A dynamic AI-SaaS security layer functions as an adaptive guardrail over OAuth grants and integrations, logging prompts and file access, detecting permission drift in real time, and blocking risky actions. Platforms such as Reco aim to deliver continuous visibility, end-to-end auditability, and automated policy enforcement so organizations can adopt copilots without losing control.
read more →