All news with #saas app abuse tag

🔒 Every AI tool, workflow automation, or productivity app that employees connect to Google or Microsoft can leave a persistent OAuth token that does not expire, is not centrally tracked, and bypasses perimeter controls and MFA. Material Security's research shows many organizations are aware but lack effective remediation: some do nothing and others rely on manual spreadsheets. The article argues for continuous behavioral monitoring, blast-radius assessment, and graduated automated responses to revoke risky tokens before they’re weaponized.

🔒 Cybercrime clusters Cordial Spider and Snarky Spider are executing fast, low-footprint extortion campaigns that rely on vishing and SSO adversary-in-the-middle pages to harvest credentials and MFA codes. After registering devices and suppressing notification emails, attackers pivot directly into SaaS platforms such as Google Workspace, HubSpot, SharePoint, and Salesforce to locate and exfiltrate high-value files. Researchers note heavy use of living-off-the-land techniques and residential proxies to minimize detection.

🔒 The Vercel incident highlights how employee-installed AI apps can create persistent OAuth bridges between core enterprise systems and third parties, turning shadow AI into a critical attack vector. In the Vercel case a trial use of Context.ai granted access to Google Workspace, and when Context.ai was breached attackers leveraged stored tokens to pivot into Vercel. The piece urges admins to adopt default-deny consent, routinely audit integrations, and extend controls beyond primary clouds to manage OAuth sprawl.

🔒 A new report from LayerX warns that AI browser extensions are an unmonitored consumption channel that bypasses DLP and SaaS logs, granting direct access to page content, inputs, cookies, and sessions. AI extensions are significantly more likely to contain CVEs and to request scripting, cookie, or tab-manipulation permissions, and they frequently expand privileges after installation. The report urges continuous extension inventories, behavior-based controls, and stricter trust criteria to reduce exposure without hindering productivity.

🔍 William Largent frames threat hunting as a discipline akin to strategy games, where pattern recognition, prediction, and spotting feints reveal an adversary's intent. Cisco Talos warns of a growing Platform-as-a-Proxy (PaaP) tactic in which attackers weaponize legitimate SaaS notification pipelines such as GitHub and Jira to deliver authenticated phishing that circumvents SPF, DKIM, and DMARC. Because users habitually trust system-generated alerts, defenders should adopt zero‑trust controls, ingest SaaS API logs into SIEMs, and require out‑of‑band verification for high-risk actions.

🔍 Attackers abused legitimate SaaS platforms to generate and distribute authentic-looking, phone-based scam lures by misusing native platform functionality. Rather than compromising services or spoofing domains, the campaign leveraged the trust and authentication posture of vendors to send approximately 133,260 phishing emails, impacting 20,049 organizations. This approach increased delivery success and made detection far more difficult for defenders.

📧 A fresh global spam wave is again exploiting unsecured Zendesk support portals to send automated 'Activate account' and other confirmation emails to large numbers of recipients. Messages appear to originate from legitimate company Zendesk instances and arrive in rapid bursts, sometimes hundreds per inbox, bypassing conventional filters. The activity mirrors a January campaign and suggests exposed ticket forms remain vulnerable.

📞 Google-owned Mandiant reported an expansion of ShinyHunters-style extortion activity that combines advanced voice phishing with fake credential-harvesting sites to capture SSO credentials and MFA codes to access cloud SaaS environments. The team is tracking multiple clusters (UNC6661, UNC6671, UNC6240) and observed attackers impersonating IT staff, registering attacker-controlled MFA devices, and exfiltrating data from services such as SharePoint and OneDrive. Mandiant recommends strengthening help-desk verification, improving logging and detection, restricting weak authentication methods, and adopting phishing-resistant options like FIDO2 or passkeys.

🔐 Mandiant is tracking a notable expansion of ShinyHunters-branded extortion campaigns that use evolved vishing and victim-branded credential harvesting to compromise SSO credentials and enroll unauthorized devices into corporate MFA. These intrusions exploit social engineering — not product vulnerabilities — to pivot into cloud SaaS environments and perform bulk exports and administrative abuse. The post provides prioritized containment, hardening, logging, and detection guidance, and urges adoption of phishing-resistant MFA such as FIDO2 security keys and passkeys.

📧 Attackers abused unverified ticket submission on Zendesk to trigger automated confirmation emails to thousands of addresses worldwide, producing a massive spam wave that began on January 18. The messages — often bizarre, alarming, or rendered with decorative Unicode — originated from legitimate company support systems, allowing them to bypass spam filters. Affected vendors such as Discord, Tinder, and Dropbox confirmed the incident and advised recipients to ignore the emails while platforms implement mitigations.

🔒 Researchers at Socket uncovered a coordinated campaign in which five Chrome extensions, marketed as productivity tools, clandestinely stole session authentication tokens and enabled full account takeover. More than 2,300 users installed the malicious add-ons, which targeted enterprise HR and ERP platforms such as Workday, NetSuite and SuccessFactors. Some extensions exfiltrated cookies every 60 seconds, while others blocked admin and security pages to prevent incident response. Removal requests have been filed with the Chrome Web Store security team.

🔒 Security researchers at Socket have identified a set of malicious Google Chrome extensions that targeted major HR and ERP platforms including Workday, Netsuite and SAP SuccessFactors. The extensions, which masqueraded as productivity tools, stole authentication cookies and session tokens, uploading them to a command-and-control server and revisiting targets every 60 seconds. More than 2,300 users downloaded the extensions from the Chrome Web Store before they were removed. Socket recommends using Chrome Enterprise extension allowlists and monitoring for extensions with similar platform targeting and permission requests.

🔒 A cluster of five malicious Chrome extensions posed as productivity tools but exfiltrated session cookies to attacker-controlled infrastructure, enabling account takeover. Researchers from Socket.dev identified variants such as DataByCloud Access, Data By Cloud 1/2, Software Access and Tool Access 11 targeting HR and ERP platforms like Workday, NetSuite and SuccessFactors. Some extensions stole cookies as often as every 60 seconds and used cookie injection (e.g., chrome.cookies.set()) while others blocked admin security pages, hampering incident response.

⚠ A malicious Chrome extension named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) has been found on the Chrome Web Store and is designed to create and steal API keys for the MEXC exchange. Published Sept 1, 2025 by a developer using the handle "jorjortan142," the add-on programmatically generates API keys with withdrawal permissions and hides the enabled permission in the UI. The extension injects a content script on MEXC's API management page, captures the Access and Secret keys when created, and exfiltrates them via HTTPS to a hard-coded Telegram bot. Socket researcher Kirill Boychenko reported 29 downloads and warns the threat remains active as long as stolen keys are valid.

🔒 A sophisticated adversary exploited legitimate OAuth tokens issued to Salesloft's Drift chatbot integration with Salesforce, using the connection to silently exfiltrate customer data between August 8–18, 2025, according to Google Threat Intelligence Group. The campaign, attributed to UNC6395, leveraged trust in third-party integrations and service-to-service tokens to maintain covert access. Organizations should reassess OAuth governance, entitlement controls, and logging for SaaS integrations to reduce exposure.

📚 Check Point researchers uncovered a large-scale phishing campaign that abused Google Classroom to deliver more than 115,000 malicious emails in five coordinated waves over a single week. Attackers used fake classroom invitations carrying unrelated commercial offers to trick recipients across Europe, North America, the Middle East and Asia. The campaign targeted roughly 13,500 organizations and highlights risks when trusted collaboration tools are weaponized.