New Phishing Threat Presents Security Challenge


July 30, 2019

Discover how an increasingly popular authentication process, OAuth, can be exploited by hackers and wreak havoc on applications and access sensitive data.

What Is OAuth?

OAuth is a widely used framework that allows applications to share access to assets. It lets unrelated services and servers allow authentication without sharing the initial single login credential. It’s often referred to as secure third-party user agent delegated authentication.

OAuth lets you access a resource — secure password-protected sections of a website, for example. Once the access is granted it remains in place until revoked, even if passwords or reset or 2-factor authentication changes.

It’s the technology that allows you to log in to a website or an app using Facebook or Google credentials. Instead of creating and using a password for, say,, you can log in using your Facebook account. Facebook, Google, Microsoft, and Amazon are among those that use OAuth to allow access to other platforms as well as their own.

OAuth does not share password data across sites, but it does share the authorization tokens to confirm your identity.

What Is the Oauth Phishing Attack?

The OAuth tactic is unlike those used in traditional phishing attacks. By targeting the authorization tokens, hackers can essentially act as a compromised account holder throughout any platform on which the hacked person uses OAuth.

A hacker can create a simple app that is loaded into an email message. When users click on the phishing email, they can inadvertently allow access via the OAuth protocol.

“These techniques have been observed in sophisticated attacks in the past but are becoming easier to execute and are gaining in popularity,” notes a recent article.

A graphic depicting the "Phishing Cycle" as layers in the oceanWhat Is The Phishing Cycle?

This graphic describes how IT professionals develop phishing campaigns to improve cybersecurity among team members at various organizations.

  1. Monthly Phishing Campaigns are deployed to the client
  2. Employee is trained to click on a button that sends any email that they are concerned about the Cybersecurity
  3. Cybersecurity team reviews both real phishing emails and phishing test emails securely.
  4. Cybersecurity team develops a profile for the client based on real attacks made on the client as well as responses from phishing campaigns.
  5. Cybersecurity team/Services team block live emails within SPAM filter for client.
  6. Cybersecurity team develops next month’s campaign based off of live attacks in order to expose the client to live campaigns in a safe way.
  7. A monthly or quarterly report is delivered to the client on trends, overview, and employees that need follow up.
  8. New Monthly Phishing Campaign is deployed to the client.

What Can Attackers Do if a Phishing Attack Is Successful?

A successful phish attack lets a hacker do any number of things, depending on the resource to which access was granted. For example, if access is granted to your Microsoft Office or Office 365 account, a hacker could:

  • Search your mailboxes
  • Read your email messages
  • Download messages and any attachments
  • Search for keywords in your email and extract that data
  • Send messages on behalf of your account … to anyone
  • Access your contacts
  • Search shared drives like OneDrive and Sharepoint, read documents, and download and extract files
  • Create malicious Outlook rules
  • Inject disruptive macros into stored Word documents
  • Create and install filtering and forwarding rules

Data accessed, reviewed, and stolen can have severe consequences, as could macros and rules that make it difficult or impossible to use these common office productivity apps.

What Can Be Done to Defend Against a Phishing Attack?

More platforms are using OAuth to make it easier for customers or users to access information. That proliferation of uses means more opportunities for hackers. It’s likely that the number of OAuth phishing attacks is likely to grow.

The best defense against OAuth and other phishing attacks is awareness. Employees and other users need to be aware of the risks and potential outcomes of a phishing attack.

That means training and simulations that help users look for telltale signs of a phishing attack, such as poor grammar and spelling and the use of an unusual email address. Explaining how OAuth phishing attacks work also helps to raise awareness and let users take a skeptical approach to provide those credentials if something doesn’t feel right.

Your organization should also make it easier for employees to submit any suspect email messages that they believe are phishing attempts.

Some other recommendations are:

  • Limit the number of third-party apps that can 3rd party apps that your network accepts
  • Disable any third-party apps across the organization that are unnecessary
  • To identify rare or suspicious instances, search for and monitor all consented applications

To reduce the likelihood and impact of an OAuth phishing attack, be sure to work with your managed IT services provider to ensure that training, anti-phishing solutions, and monitoring are in place for your entire network.

We do IT differently.

Find out what sets us apart from all the other IT companies out there.

We're Integris. We're always working to empower people through technology.

Keep reading

Top 5 Tips for Solving the Email Security Problem

Top 5 Tips for Solving the Email Security Problem

Ever review your email in the morning and wonder why there is so much spam coming through? It takes time to differentiate between the emails containing spam, viruses, and malware and the ones that are important. There are many ways to set these apart and help...

Security Patches-No Action Required

Security Patches-No Action Required

During the week starting  October 12th, the IT industry has been scrambling to address or answer questions regarding several patches that address vulnerabilities including CVE-2020-16898. The vulnerability allows a hacker to send communication packets to a remote...