Bypassing SEGs With an OAuth App Phishing Attack: A Real-World Example

Discover how Abnormal detects the advanced OAuth Phishing attacks that bypass traditional security email gateways.
February 23, 2023

In our first article for this series, we introduced how secure email gateways (SEGs) do a decent job protecting organizations from known threats but have become ineffective against modern attack techniques like multi-step phishing.

In this post, we look at another frequently-seen modern phishing attack: the OAuth Phishing Attack. An OAuth application uses an open-standard authorization protocol that allows you to grant access to protected resources in one application to other applications through a token, instead of using your login credentials. In this attack, the threat actors attempt to install third-party OAuth applications into target accounts so they can gain access to sensitive data and control the company’s email infrastructure.

How OAuth App Phishing Attacks Bypass the SEG

In the OAuth app phishing example below, the attacker follows the normal SEG bypass formula:

  • Compromise a legitimate email account.

  • Abuse the compromised account by sending emails from it.

  • Host the first stage of the payload on an otherwise-legitimate content platform. In this case, they use Canva.

Where this differs from the multi-step phishing example in our last article is that, rather than phishing credentials, the attacker prompts the victim to install an enterprise application. If successful, the proverbial keys to the tenant equip the attacker with API permissions that allow them to carry out nefarious activities.

Oauth QM11

The email bypasses traditional checks by the SEG because it is sent from servers and thus passes SPF, DKIM, and DMARC authentication for the sending domain.


When the recipient receives the message from what they presume is a trusted vendor they click on the “View Shared Files” button to view the invoice, which sends them to a real Canva page. Because a link to Canva (a popular free document templatizing app) is not an inherently malicious link, neither the SEG nor a diligent employee is likely to understand that the Canva site is actually hosting a second (malicious) link.


Clicking the “CLICK HERE TO DOWNLOAD/PREVIEW SHARED DOCUMENTS” button will take the victim to another URL, which will automatically redirect twice, then ask them to log into their Microsoft account, and allow an OAuth application to install the app.

First URL:


First Redirect:


Second Redirect and Final Page:


After the user logs into their Microsoft account, they will be asked to grant consent to an enterprise application, which, depending on the application, will have some (if not all) of the following permissions:

Microsoft Graph - Mail.ReadWrite
Microsoft Graph - Mail.Read.Shared
Microsoft Graph - MailboxSettings.ReadWrite
Microsoft Graph - Calendars.ReadWrite
Microsoft Graph - Directory_AccessAsUser.All
Microsoft Graph - EWS.AccessAsUser.All
Microsoft Graph - Profile
Microsoft Graph - Offline_Access
Office 365 Exchange Online - User.Read.All
Office 365 Exchange Online - Mail.ReadWrite
Office 365 Exchange Online - MailboxSettings.ReadWrite
Office 365 Exchange Online - EAS.AccessAsUser.All
Office 365 Exchange Online - Exchange.Manage

These permissions would be restricted to a single user account, unless the victim happens to be an administrator or has excessive permissions. In that case, the application could be granted access to all users in the M365 tenant.

How Abnormal Protects You From OAuth App Phishing Attacks

Abnormal uses advanced behavioral AI to detect threats that bypass traditional SEGs. With our API architecture, Abnormal is uniquely positioned to ingest signals—establishing a known baseline from which to detect anomalies.

In this case, we identified a number of anomalies. A summary of a few of them can be seen below:


Beyond detecting this email-borne threat itself, Abnormal Security has recently introduced enhanced security capabilities, providing visibility and control into your SaaS security posture across tenant configurations; third-party add-ins/plug-ins; and your employee's roles, permissions, and activities.

The Knowledge Bases—TenantBase, AppBase, and PeopleBase—show raw data and the current state of your cloud environment:


The posture features show changes as they happen across your tenant:


Referencing the attack above, if the OAuth application had been available to and installed by the user, Abnormal Security would further combat such a threat by showing the following details:

New Application Installed:


Relevant Application Posture Changes:


In this case, we see a newly-installed enterprise application with numerous permissions—specifically Mail.ReadWrite—in this part of the image.

A Modern Solution for Modern Attacks

OAuth phishing attacks, like the one illustrated above, bypass traditional defenses including the SEG by sending emails from a trusted email account and engaging recipients with a link to access content on an otherwise-legitimate content platform. From this file-sharing site, recipients are then redirected to grant access to an app with excessive permissions so they can view the content shared.

With Abnormal’s new Knowledge Bases—TenantBase, AppBase, and PeopleBase—users now have insight into permission changes across their cloud email environment, allowing for advanced protection against these types of modern attack methods.

The next real-world attack type in our series will examine threats that seek victim engagement outside of email. We’ll showcase how Abnormal detects and remediates these attacks, and why organizations worldwide are seeing 278% ROI with Abnormal.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop OAuth app phishing attacks and other advanced threats?

Schedule a Demo
Bypassing SEGs With an OAuth App Phishing Attack: A Real-World Example

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
Integrates Insights Reporting 09 08 22

Related Posts

B Health Care
Email attacks like BEC against the healthcare industry are on the rise in 2023. Protect yourself with sophisticated cloud-native email security.
Read More
B AI Series
Discover how Abnormal's advanced AI models are used to detect abnormalities in email behavior and protect organizations from the most sophisticated email attacks.
Read More
B Insights from Clemson University CISO
John Hoyt, CISO at Clemson University, shares his take on the unique cybersecurity challenges of higher education and how Abnormal Security can help.
Read More
B Nigerian Prince
Scams about the Nigerian Prince that promise millions have been around for decades. But they are transitioning, now using ChatGPT and similar tools to seem more convincing.
Read More
B 9 12 23 ATO
Learn why account takeovers are successful, how to detect and remediate them, and how to better protect yourself from cybercriminals in the future.
Read More
B 9 8 23 Incident Response
An effective incident response plan is crucial to minimizing the effects of an email attack and preventing future breaches.
Read More