Tag

OAuth

All articles tagged with #oauth

ConsentFix v3 automates OAuth abuse to hijack Azure accounts
technology, 24 days ago

Security researchers describe ConsentFix v3, an automated phishing workflow that abuses the OAuth 2.0 authorization code flow to steal tokens and hijack Microsoft/Azure accounts. The campaign uses Pipedream as its automation engine, hosts a spoofed Microsoft login page on Cloudflare Pages, and exfiltrates the authorization code so it can be exchanged for tokens immediately, giving access to email and files even when MFA is enabled. Suggested mitigations include token binding, behavioral detection rules, and restrictions on application authentication; how widely this variant has been adopted remains unclear.

OAuth Redirect Attacks Deliver Malware and Bypass MFA
security, 2 months ago

Microsoft Defender researchers warn that attackers abuse OAuth 2.0 redirect flows to bypass phishing protections: they register malicious OAuth apps and direct users, sometimes via PDF lures, to attacker-controlled redirect URIs, from which victims are taken to phishing pages or to intermediaries such as EvilProxy that intercept session cookies to bypass MFA. Other campaigns deliver ZIP archives containing LNK files that launch PowerShell and use DLL side-loading to drop payloads. These are identity-based threats that exploit standard OAuth error handling; Microsoft advises tighter OAuth permissions, stronger identity protections, Conditional Access, and cross-domain detection spanning email, identity, and endpoints.

OAuth Redirect Abuse Targets Government Agencies With Malware Delivery
security, 2 months ago

Microsoft warns of phishing campaigns that exploit OAuth redirect flows to bypass email and browser defenses, steering government and public-sector victims to attacker-controlled landing pages. Attackers register a malicious OAuth app whose redirect URL points to rogue domains; once victims authenticate, ZIP-delivered payloads execute PowerShell, DLL side-loading, and in-memory malware that connects to a remote C2 server. Some campaigns also employ EvilProxy for credential interception. Defenders are advised to limit user consent, review app permissions, and remove unused or overprivileged apps.

Device-code phishing with vishing redefines MFA in Microsoft Entra
security, 3 months ago

Threat actors are abusing the OAuth 2.0 device authorization flow, combined with voice phishing, to hijack Microsoft Entra accounts. By using legitimate Microsoft OAuth client IDs, they trick victims into authenticating at microsoft.com/devicelogin, after which they can obtain refresh tokens and request access tokens, effectively bypassing MFA and reaching the victim's SaaS apps and data. Campaigns have targeted technology, manufacturing, and financial firms and may involve the ShinyHunters group. Recommended responses include revoking suspicious OAuth consents, auditing device-code sign-in events, disabling the device-code flow when it is not needed, and enforcing Conditional Access policies to limit exposure.