Bypassing SEGs With an OAuth App Phishing Attack: A Real-World Example

In our first article for this series, we introduced how secure email gateways (SEGs) do a decent job protecting organizations from known threats but have become ineffective against modern attack techniques like multi-step phishing.

In this post, we look at another frequently-seen modern phishing attack: the OAuth Phishing Attack. An OAuth application uses an open-standard authorization protocol that allows you to grant access to protected resources in one application to other applications through a token, instead of using your login credentials. In this attack, the threat actors attempt to install third-party OAuth applications into target accounts so they can gain access to sensitive data and control the company’s email infrastructure.

In the OAuth app phishing example below, the attacker follows the normal SEG bypass formula:

• Compromise a legitimate email account.

• Abuse the compromised account by sending emails from it.

• Host the first stage of the payload on an otherwise-legitimate content platform. In this case, they use Canva.

Where this differs from the multi-step phishing example in our last article is that, rather than phishing credentials, the attacker prompts the victim to install an enterprise application. If successful, the proverbial keys to the tenant equip the attacker with API permissions that allow them to carry out nefarious activities.

The email bypasses traditional checks by the SEG because it is sent from prod.outlook.com servers and thus passes SPF, DKIM, and DMARC authentication for the sending domain.

When the recipient receives the message from what they presume is a trusted vendor they click on the “View Shared Files” button to view the invoice, which sends them to a real Canva page. Because a link to Canva (a popular free document templatizing app) is not an inherently malicious link, neither the SEG nor a diligent employee is likely to understand that the Canva site is actually hosting a second (malicious) link.

Clicking the “CLICK HERE TO DOWNLOAD/PREVIEW SHARED DOCUMENTS” button will take the victim to another URL, which will automatically redirect twice, then ask them to log into their Microsoft account, and allow an OAuth application to install the app.

First URL:

First Redirect:

Second Redirect and Final Page:

After the user logs into their Microsoft account, they will be asked to grant consent to an enterprise application, which, depending on the application, will have some (if not all) of the following permissions:

Microsoft Graph - Mail.ReadWrite
Microsoft Graph - Mail.Read.Shared
Microsoft Graph - MailboxSettings.ReadWrite
Microsoft Graph - Calendars.ReadWrite
Microsoft Graph - Directory_AccessAsUser.All
Microsoft Graph - EWS.AccessAsUser.All
Microsoft Graph - Profile
Microsoft Graph - Offline_Access
Office 365 Exchange Online - User.Read.All
Office 365 Exchange Online - Mail.ReadWrite
Office 365 Exchange Online - MailboxSettings.ReadWrite
Office 365 Exchange Online - EAS.AccessAsUser.All
Office 365 Exchange Online - Exchange.Manage

These permissions would be restricted to a single user account, unless the victim happens to be an administrator or has excessive permissions. In that case, the application could be granted access to all users in the M365 tenant.

Abnormal uses advanced behavioral AI to detect threats that bypass traditional SEGs. With our API architecture, Abnormal is uniquely positioned to ingest signals—establishing a known baseline from which to detect anomalies.

In this case, we identified a number of anomalies. A summary of a few of them can be seen below:

Beyond detecting this email-borne threat itself, Abnormal Security has recently introduced enhanced security capabilities, providing visibility and control into your SaaS security posture across tenant configurations; third-party add-ins/plug-ins; and your employee's roles, permissions, and activities.

The Knowledge Bases—TenantBase, AppBase, and PeopleBase—show raw data and the current state of your cloud environment:

The posture features show changes as they happen across your tenant:

Referencing the attack above, if the OAuth application had been available to and installed by the user, Abnormal Security would further combat such a threat by showing the following details:

New Application Installed:

Relevant Application Posture Changes:

In this case, we see a newly-installed enterprise application with numerous permissions—specifically Mail.ReadWrite—in this part of the image.

OAuth phishing attacks, like the one illustrated above, bypass traditional defenses including the SEG by sending emails from a trusted email account and engaging recipients with a link to access content on an otherwise-legitimate content platform. From this file-sharing site, recipients are then redirected to grant access to an app with excessive permissions so they can view the content shared.

With Abnormal’s new Knowledge Bases—TenantBase, AppBase, and PeopleBase—users now have insight into permission changes across their cloud email environment, allowing for advanced protection against these types of modern attack methods.

The next real-world attack type in our series will examine threats that seek victim engagement outside of email. We’ll showcase how Abnormal detects and remediates these attacks, and why organizations worldwide are seeing 278% ROI with Abnormal.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop OAuth app phishing attacks and other advanced threats?