Bypassing SEGs With an OAuth App Phishing Attack: A Real-World Example

Discover how Abnormal detects the advanced OAuth Phishing attacks that bypass traditional security email gateways.
February 23, 2023

In our first article for this series, we introduced how secure email gateways (SEGs) do a decent job protecting organizations from known threats but have become ineffective against modern attack techniques like multi-step phishing.

In this post, we look at another frequently-seen modern phishing attack: the OAuth Phishing Attack. An OAuth application uses an open-standard authorization protocol that allows you to grant access to protected resources in one application to other applications through a token, instead of using your login credentials. In this attack, the threat actors attempt to install third-party OAuth applications into target accounts so they can gain access to sensitive data and control the company’s email infrastructure.

How OAuth App Phishing Attacks Bypass the SEG

In the OAuth app phishing example below, the attacker follows the normal SEG bypass formula:

  • Compromise a legitimate email account.

  • Abuse the compromised account by sending emails from it.

  • Host the first stage of the payload on an otherwise-legitimate content platform. In this case, they use Canva.

Where this differs from the multi-step phishing example in our last article is that, rather than phishing credentials, the attacker prompts the victim to install an enterprise application. If successful, the proverbial keys to the tenant equip the attacker with API permissions that allow them to carry out nefarious activities.

Oauth QM11

The email bypasses traditional checks by the SEG because it is sent from servers and thus passes SPF, DKIM, and DMARC authentication for the sending domain.


When the recipient receives the message from what they presume is a trusted vendor they click on the “View Shared Files” button to view the invoice, which sends them to a real Canva page. Because a link to Canva (a popular free document templatizing app) is not an inherently malicious link, neither the SEG nor a diligent employee is likely to understand that the Canva site is actually hosting a second (malicious) link.


Clicking the “CLICK HERE TO DOWNLOAD/PREVIEW SHARED DOCUMENTS” button will take the victim to another URL, which will automatically redirect twice, then ask them to log into their Microsoft account, and allow an OAuth application to install the app.

First URL:


First Redirect:


Second Redirect and Final Page:


After the user logs into their Microsoft account, they will be asked to grant consent to an enterprise application, which, depending on the application, will have some (if not all) of the following permissions:

Microsoft Graph - Mail.ReadWrite
Microsoft Graph - Mail.Read.Shared
Microsoft Graph - MailboxSettings.ReadWrite
Microsoft Graph - Calendars.ReadWrite
Microsoft Graph - Directory_AccessAsUser.All
Microsoft Graph - EWS.AccessAsUser.All
Microsoft Graph - Profile
Microsoft Graph - Offline_Access
Office 365 Exchange Online - User.Read.All
Office 365 Exchange Online - Mail.ReadWrite
Office 365 Exchange Online - MailboxSettings.ReadWrite
Office 365 Exchange Online - EAS.AccessAsUser.All
Office 365 Exchange Online - Exchange.Manage

These permissions would be restricted to a single user account, unless the victim happens to be an administrator or has excessive permissions. In that case, the application could be granted access to all users in the M365 tenant.

How Abnormal Protects You From OAuth App Phishing Attacks

Abnormal uses advanced behavioral AI to detect threats that bypass traditional SEGs. With our API architecture, Abnormal is uniquely positioned to ingest signals—establishing a known baseline from which to detect anomalies.

In this case, we identified a number of anomalies. A summary of a few of them can be seen below:


Beyond detecting this email-borne threat itself, Abnormal Security has recently introduced enhanced security capabilities, providing visibility and control into your SaaS security posture across tenant configurations; third-party add-ins/plug-ins; and your employee's roles, permissions, and activities.

The Knowledge Bases—TenantBase, AppBase, and PeopleBase—show raw data and the current state of your cloud environment:


The posture features show changes as they happen across your tenant:


Referencing the attack above, if the OAuth application had been available to and installed by the user, Abnormal Security would further combat such a threat by showing the following details:

New Application Installed:


Relevant Application Posture Changes:


In this case, we see a newly-installed enterprise application with numerous permissions—specifically Mail.ReadWrite—in this part of the image.

A Modern Solution for Modern Attacks

OAuth phishing attacks, like the one illustrated above, bypass traditional defenses including the SEG by sending emails from a trusted email account and engaging recipients with a link to access content on an otherwise-legitimate content platform. From this file-sharing site, recipients are then redirected to grant access to an app with excessive permissions so they can view the content shared.

With Abnormal’s new Knowledge Bases—TenantBase, AppBase, and PeopleBase—users now have insight into permission changes across their cloud email environment, allowing for advanced protection against these types of modern attack methods.

The next real-world attack type in our series will examine threats that seek victim engagement outside of email. We’ll showcase how Abnormal detects and remediates these attacks, and why organizations worldwide are seeing 278% ROI with Abnormal.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop OAuth app phishing attacks and other advanced threats?

Schedule a Demo
Bypassing SEGs With an OAuth App Phishing Attack: A Real-World Example

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
Integrates Insights Reporting 09 08 22

Related Posts

B 3 21 23 CFO
Bill Losch of Okta discusses the macroeconomic environment and how CISOs can prepare for budget discussions with their CFOs.
Read More
B Business Email Compromise Response
Knowing what to do after receiving a business email compromise attack is essential for preventing costly consequences. Learn how to respond to BEC attacks.
Read More
B 36 M
Vendor email compromise is expensive. See how Abnormal protected our customer from a $36 million invoice fraud attack.
Read More
B Keeping VIP Emails Safe
Learn why executives are popular targets for account takeovers, the consequences of a successful takeover, and how organizations can prevent these attacks.
Read More
B TAG Cyber Future of Cloud Email Security
In the final post of our series with Ed Amoroso, the TAG Cyber CEO discusses some of the defensive and offensive trends for cloud email.
Read More
B SVB Closure Cybersecurity Threats
The Silicon Valley Bank (SVB) closure has created opportunities for threat actors to launch more convincing email attacks. Here's how to lower your risk.
Read More