Jai Vijayan, Contributing Writer March 17, 2025
A trio of ongoing campaigns have highlighted once again the continued popularity among cybercriminals of malicious OAuth apps as a go-to attack method.
In one wave of recent attacks, threat actors have been using bogus Adobe Acrobat and Adobe Drive logos on malicious OAuth apps to steer targeted users straight to malware-laden or Microsoft 365 credential phishing sites when clicked on. Another scammer is pulling the same trick but with a DocuSign look-alike app that funnels users to a credential phishing page. And in a third campaign, an attacker is going after developers by hitting thousands of GitHub repositories with a bogus OAuth app disguised as a “security alert.” Anyone who clicks the fake alert unknowingly grants full access to their repositories.
A Long Pattern of OAuth Cyber Abuse
The campaigns fit a long pattern of attackers using rogue OAuth apps masquerading as a legitimate service to trick users into granting them excessive permissions. Attackers have long favored the approach because it allows them to bypass traditional security controls, maintain persistent access to user accounts, move laterally, and harvest sensitive data without needing to steal passwords directly. Security researchers also consider malicious OAuth apps as relatively easy to set up and allowing attackers to execute a range of actions using legitimate API calls rather than easier to detect malicious exploits.
What makes the phishing attacks, involving the fake Adobe and DocuSign apps, somewhat different from other malicious OAuth campaigns, is how the attackers are leveraging them, according to researchers at Proofpoint’s Threat Insight team who spotted the campaigns recently.
In typical OAuth campaigns, the malicious app itself is used to directly exfiltrate the victim’s data or take actions using the victim’s account. But with the recent attacks, “these malicious OAuth apps serve as gateways to the phishing sites,” says one Proofpoint researcher who did not want to be named, in comments to Dark Reading. “Specifically, the threat actors are using Microsoft’s credibility to redirect the victim to a phishing page.”
The attackers behind both the Adobe and DocuSign campaigns have taken care to ensure that the permissions their malicious OAuth apps request — such as profile, email, and OpenID — are limited in scope, and therefore unlikely to be flagged as suspicious, the researcher says. “The purpose appears to be account takeover, which can lead to a variety of post-compromise objectives.”
Article (https://www.darkreading.com/application-security/oauth-attacks-target-microsoft-365-github?_mc=NL_DR_EDT__20250320&cid=NL_DR_EDT__20250320&sp_aid=128689&elq_cid=34964379&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&utm_source=eloqua&utm_medium=email&utm_campaign=DR_NL_Dark%20Reading%20Weekly%20NEW_03.20.25&sp_cid=57260&utm_content=DR_NL_Dark%20Reading%20Weekly%20NEW_03.20.25)
Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Phishing Simulation & Cyber Security Training
“Where Service and Technical Skills Count”