Security News > 2021 > December > Microsoft, Google OAuth flaws can be abused in phishing attacks
These attacks can lead to the bypassing of phishing detection and email security solutions, and at the same time, gives phishing URLs a false snse of legitimacy to victims.
"The attacks use dozens of distinct Microsoft 365 third-party applications with malicious redirect URLs defined for them," explains Proofpoint's report.
"All the third-party applications were being delivered through a Microsoft URL with a missing response type query parameter, with the intention to redirect unsuspecting users to different phishing URLs.".
"We analyzed Proofpoint data and found large-scale targeted attacks using modi operandi, which we'll discuss in detail later in this blog post. The attacks use dozens of distinct Microsoft 365 third-party applications with malicious redirect URLs defined for them."
GitHub allows anyone to register an OAuth app, including threat actors who create apps whose redirect URLs lead to phishing landing pages.
"By abusing OAuth infrastructure, these attacks deliver malicious emails to their targets undetected. Such attacks on PayPal can lead to theft of financial information such as credit cards. Phishing attacks on Microsoft can lead to fraud, intellectual property theft and more."
News URL
Related news
- Google now blocks spoofed emails for better phishing protection (source)
- Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- Google Chrome Adds V8 Sandbox - A New Defense Against Browser Attacks (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer (source)
- FBI warns of massive wave of road toll SMS phishing attacks (source)
- Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days (source)
- FIN7 targets American automaker’s IT staff in phishing attacks (source)
- AI set to play key role in future phishing attacks (source)