Bypassing SEGs With an OAuth App Phishing Attack: A Real-World Example

Discover how Abnormal detects the advanced OAuth Phishing attacks that bypass traditional security email gateways.
February 23, 2023

In our first article for this series, we introduced how secure email gateways (SEGs) do a decent job protecting organizations from known threats but have become ineffective against modern attack techniques like multi-step phishing.

In this post, we look at another frequently-seen modern phishing attack: the OAuth Phishing Attack. An OAuth application uses an open-standard authorization protocol that allows you to grant access to protected resources in one application to other applications through a token, instead of using your login credentials. In this attack, the threat actors attempt to install third-party OAuth applications into target accounts so they can gain access to sensitive data and control the company’s email infrastructure.

How OAuth App Phishing Attacks Bypass the SEG

In the OAuth app phishing example below, the attacker follows the normal SEG bypass formula:

  • Compromise a legitimate email account.

  • Abuse the compromised account by sending emails from it.

  • Host the first stage of the payload on an otherwise-legitimate content platform. In this case, they use Canva.

Where this differs from the multi-step phishing example in our last article is that, rather than phishing credentials, the attacker prompts the victim to install an enterprise application. If successful, the proverbial keys to the tenant equip the attacker with API permissions that allow them to carry out nefarious activities.

Oauth QM11

The email bypasses traditional checks by the SEG because it is sent from servers and thus passes SPF, DKIM, and DMARC authentication for the sending domain.


When the recipient receives the message from what they presume is a trusted vendor they click on the “View Shared Files” button to view the invoice, which sends them to a real Canva page. Because a link to Canva (a popular free document templatizing app) is not an inherently malicious link, neither the SEG nor a diligent employee is likely to understand that the Canva site is actually hosting a second (malicious) link.


Clicking the “CLICK HERE TO DOWNLOAD/PREVIEW SHARED DOCUMENTS” button will take the victim to another URL, which will automatically redirect twice, then ask them to log into their Microsoft account, and allow an OAuth application to install the app.

First URL:


First Redirect:


Second Redirect and Final Page:


After the user logs into their Microsoft account, they will be asked to grant consent to an enterprise application, which, depending on the application, will have some (if not all) of the following permissions:

Microsoft Graph - Mail.ReadWrite
Microsoft Graph - Mail.Read.Shared
Microsoft Graph - MailboxSettings.ReadWrite
Microsoft Graph - Calendars.ReadWrite
Microsoft Graph - Directory_AccessAsUser.All
Microsoft Graph - EWS.AccessAsUser.All
Microsoft Graph - Profile
Microsoft Graph - Offline_Access
Office 365 Exchange Online - User.Read.All
Office 365 Exchange Online - Mail.ReadWrite
Office 365 Exchange Online - MailboxSettings.ReadWrite
Office 365 Exchange Online - EAS.AccessAsUser.All
Office 365 Exchange Online - Exchange.Manage

These permissions would be restricted to a single user account, unless the victim happens to be an administrator or has excessive permissions. In that case, the application could be granted access to all users in the M365 tenant.

How Abnormal Protects You From OAuth App Phishing Attacks

Abnormal uses advanced behavioral AI to detect threats that bypass traditional SEGs. With our API architecture, Abnormal is uniquely positioned to ingest signals—establishing a known baseline from which to detect anomalies.

In this case, we identified a number of anomalies. A summary of a few of them can be seen below:


Beyond detecting this email-borne threat itself, Abnormal Security has recently introduced enhanced security capabilities, providing visibility and control into your SaaS security posture across tenant configurations; third-party add-ins/plug-ins; and your employee's roles, permissions, and activities.

The Knowledge Bases—TenantBase, AppBase, and PeopleBase—show raw data and the current state of your cloud environment:


The posture features show changes as they happen across your tenant:


Referencing the attack above, if the OAuth application had been available to and installed by the user, Abnormal Security would further combat such a threat by showing the following details:

New Application Installed:


Relevant Application Posture Changes:


In this case, we see a newly-installed enterprise application with numerous permissions—specifically Mail.ReadWrite—in this part of the image.

A Modern Solution for Modern Attacks

OAuth phishing attacks, like the one illustrated above, bypass traditional defenses including the SEG by sending emails from a trusted email account and engaging recipients with a link to access content on an otherwise-legitimate content platform. From this file-sharing site, recipients are then redirected to grant access to an app with excessive permissions so they can view the content shared.

With Abnormal’s new Knowledge Bases—TenantBase, AppBase, and PeopleBase—users now have insight into permission changes across their cloud email environment, allowing for advanced protection against these types of modern attack methods.

The next real-world attack type in our series will examine threats that seek victim engagement outside of email. We’ll showcase how Abnormal detects and remediates these attacks, and why organizations worldwide are seeing 278% ROI with Abnormal.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop OAuth app phishing attacks and other advanced threats?

Schedule a Demo
Bypassing SEGs With an OAuth App Phishing Attack: A Real-World Example

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B Mr Wonderful Talks AI
Explore the future of AI and cybersecurity and learn why prioritizing security investments is crucial with Kevin O’Leary of Shark Tank fame.
Read More
B 1500x1500 MKT468a Open Graph Images for Phishing Subjects Blog
Discover the most engaging phishing email subjects, according to Abnormal data, and how to protect your organization from these scams.
Read More
B Threat Report BEC VEC Blog
Our H1 2024 Email Threat Report revealed significant year-over-year increases in both business email compromise and vendor email compromise. Learn more.
Read More
B 2 7 24 Product Update
Abnormal product enhancements improve detection efficacy, reporting on QR code attacks, productivity, and protection from account takeover.
Read More
B 1500x1500 Quishing Stats Blog 02 05 24
Today we released our H1 2024 Email Threat Report, which examines the threat landscape and dives into the latest evolution in phishing: QR code attacks.
Read More
B 1 30 23 Microsoft ATO
A recent nation-state actor attack by the Russian-backed threat group Midnight Blizzard infiltrated Microsoft. Discover how Abnormal can protect you from account takeovers in real time.
Read More