chat
expand_more

Bypassing SEGs With an OAuth App Phishing Attack: A Real-World Example

Discover how Abnormal detects the advanced OAuth Phishing attacks that bypass traditional security email gateways.
February 23, 2023

In our first article for this series, we introduced how secure email gateways (SEGs) do a decent job protecting organizations from known threats but have become ineffective against modern attack techniques like multi-step phishing.

In this post, we look at another frequently-seen modern phishing attack: the OAuth Phishing Attack. An OAuth application uses an open-standard authorization protocol that allows you to grant access to protected resources in one application to other applications through a token, instead of using your login credentials. In this attack, the threat actors attempt to install third-party OAuth applications into target accounts so they can gain access to sensitive data and control the company’s email infrastructure.

How OAuth App Phishing Attacks Bypass the SEG

In the OAuth app phishing example below, the attacker follows the normal SEG bypass formula:

  • Compromise a legitimate email account.

  • Abuse the compromised account by sending emails from it.

  • Host the first stage of the payload on an otherwise-legitimate content platform. In this case, they use Canva.

Where this differs from the multi-step phishing example in our last article is that, rather than phishing credentials, the attacker prompts the victim to install an enterprise application. If successful, the proverbial keys to the tenant equip the attacker with API permissions that allow them to carry out nefarious activities.

Oauth QM11

The email bypasses traditional checks by the SEG because it is sent from prod.outlook.com servers and thus passes SPF, DKIM, and DMARC authentication for the sending domain.

Oauth2

When the recipient receives the message from what they presume is a trusted vendor they click on the “View Shared Files” button to view the invoice, which sends them to a real Canva page. Because a link to Canva (a popular free document templatizing app) is not an inherently malicious link, neither the SEG nor a diligent employee is likely to understand that the Canva site is actually hosting a second (malicious) link.

Oauth3
Oauth4

Clicking the “CLICK HERE TO DOWNLOAD/PREVIEW SHARED DOCUMENTS” button will take the victim to another URL, which will automatically redirect twice, then ask them to log into their Microsoft account, and allow an OAuth application to install the app.

First URL:

Oauth5

First Redirect:

Oauth6

Second Redirect and Final Page:

Oauth7
Oauth8

After the user logs into their Microsoft account, they will be asked to grant consent to an enterprise application, which, depending on the application, will have some (if not all) of the following permissions:

Microsoft Graph - Mail.ReadWrite
Microsoft Graph - Mail.Read.Shared
Microsoft Graph - MailboxSettings.ReadWrite
Microsoft Graph - Calendars.ReadWrite
Microsoft Graph - Directory_AccessAsUser.All
Microsoft Graph - EWS.AccessAsUser.All
Microsoft Graph - Profile
Microsoft Graph - Offline_Access
Office 365 Exchange Online - User.Read.All
Office 365 Exchange Online - Mail.ReadWrite
Office 365 Exchange Online - MailboxSettings.ReadWrite
Office 365 Exchange Online - EAS.AccessAsUser.All
Office 365 Exchange Online - Exchange.Manage

These permissions would be restricted to a single user account, unless the victim happens to be an administrator or has excessive permissions. In that case, the application could be granted access to all users in the M365 tenant.

How Abnormal Protects You From OAuth App Phishing Attacks

Abnormal uses advanced behavioral AI to detect threats that bypass traditional SEGs. With our API architecture, Abnormal is uniquely positioned to ingest signals—establishing a known baseline from which to detect anomalies.

In this case, we identified a number of anomalies. A summary of a few of them can be seen below:

Oauth9

Beyond detecting this email-borne threat itself, Abnormal Security has recently introduced enhanced security capabilities, providing visibility and control into your SaaS security posture across tenant configurations; third-party add-ins/plug-ins; and your employee's roles, permissions, and activities.

The Knowledge Bases—TenantBase, AppBase, and PeopleBase—show raw data and the current state of your cloud environment:

Oauth10

The posture features show changes as they happen across your tenant:

Oauth11

Referencing the attack above, if the OAuth application had been available to and installed by the user, Abnormal Security would further combat such a threat by showing the following details:

New Application Installed:

Oauth12

Relevant Application Posture Changes:

Oauth13

In this case, we see a newly-installed enterprise application with numerous permissions—specifically Mail.ReadWrite—in this part of the image.

A Modern Solution for Modern Attacks

OAuth phishing attacks, like the one illustrated above, bypass traditional defenses, including the SEG, by sending emails from a trusted email account and engaging recipients with a link to access content on an otherwise legitimate content platform. From this file-sharing site, recipients are then redirected to grant access to an app with excessive permissions so they can view the content shared.

Traditional defenses often fail to recognize these sophisticated tactics, leaving organizations vulnerable to data breaches and unauthorized access. However, with Abnormal's proactive approach to zero-day attack protection, these threats can be quickly identified and neutralized. By analyzing email behavior patterns and context, Abnormal can detect anomalies indicative of OAuth phishing attacks, even in the absence of known indicators. This proactive stance empowers organizations to thwart such advanced threats, safeguard sensitive data, and preserve operational continuity.

The next real-world attack type in our series will examine threats that seek victim engagement outside of email. We’ll showcase how Abnormal detects and remediates these attacks and why organizations worldwide are seeing 278% ROI with Abnormal.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop OAuth app phishing attacks and other advanced threats?

Schedule a Demo
Bypassing SEGs With an OAuth App Phishing Attack: A Real-World Example

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story Blog 8
A Fortune 500 transportation and logistics leader blocked more than 6,700 attacks missed by Proofpoint and reclaimed 350 SOC hours per month by adding Abnormal to its security stack.
Read More
B Gartner MQ 2024 Announcement Blog
Abnormal Security was named a Leader in the 2024 Gartner Magic Quadrant for Email Security Platforms and positioned furthest for Completeness of Vision.
Read More
B Gift Card Scams Tricker to Spot Blog
Learn why gift card scams are becoming more difficult to identify, how cybercriminals evolve their tactics, and strategies to protect your organization.
Read More
B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More