Phishing Kits Abuse Microsoft OAuth and Google Translate

Barracuda reports new phishing campaigns that abuse Microsoft OAuth and Google apps to bypass security controls.

Security researchers from Barracuda have mapped out a series of phishing attacks that abuse Microsoft OAuth. This technology allows users to log in to applications like Microsoft 365 without sharing their password. Criminals abuse this access layer to steal OAuth tokens, impersonate users, or gain access to sensitive data with fake apps.

Users are first redirected to fake login pages. Once they grant permission to a malicious app, an attacker gains access to their email, files, calendars, or Teams chats. In some cases, even multi-factor authentication is bypassed via a custom OAuth link. This allows access to a logged-in session without further interaction.

Attackers register their own applications within an Entra ID tenant, disguise them as legitimate apps, and immediately request broad permissions. Once a user grants permission, no passwords are needed anymore. The attacks are automated, targeted, and difficult to detect.

Google as Legitimate Springboard

Besides OAuth attacks, researchers also see increasing abuse of serverless platforms and productivity tools. On these platforms, code runs directly at a publicly accessible URL, without complex setup. The emails link to fake web pages that supposedly ask users to maintain their password.

Services like Google Translate and Google Meet are also being exploited. By encoding URLs as subdomains of ‘translate.goog’, attackers succeed in misleading users. Via Google Meet, spam invitations are sent en masse with fake offers, luring the victim to make contact via WhatsApp.

Barracuda advises organizations to restrict OAuth requests to trusted redirect links, avoid broad permissions, make tokens expire quickly, and actively log suspicious applications. Making users aware of the risks of OAuth implementations is equally essential.
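
The first two recommendations can be checked mechanically on consent links found in reported emails. The sketch below is an added example, not code from Barracuda: it parses a Microsoft identity platform authorize URL and reports an untrusted `redirect_uri` and broad Microsoft Graph scopes. The trusted host, the scope list, and both sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: illustrative policy values, not taken from the article.
TRUSTED_REDIRECT_HOSTS = {"app.example.com"}
BROAD_SCOPES = {  # Graph delegated permissions for mail, files, calendars, Teams chats
    "mail.read", "mail.readwrite", "mail.send", "files.read.all",
    "files.readwrite.all", "calendars.read", "chat.read", "offline_access",
}

def review_authorize_url(url):
    """Return a list of findings for a Microsoft authorize (consent) link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != "login.microsoftonline.com" or not parts.path.lower().endswith("/authorize"):
        return ["not a Microsoft authorize link"]
    query = parse_qs(parts.query)  # decodes %XX and '+' in parameter values
    findings = []
    redirect = urlsplit(query.get("redirect_uri", [""])[0])
    redirect_host = (redirect.hostname or "").lower()
    if redirect.scheme != "https":
        findings.append("redirect_uri is missing or not https")
    elif redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"untrusted redirect host: {redirect_host}")
    requested = query.get("scope", [""])[0].split()
    # Scopes may be short names or resource URIs; compare on the last path segment.
    broad = sorted({s.rsplit("/", 1)[-1].lower() for s in requested} & BROAD_SCOPES)
    if broad:
        findings.append("broad scopes: " + ", ".join(broad))
    return findings

# Constructed sample links (placeholder client_id, example domains).
BASE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=code")
SAMPLE_SUSPICIOUS = (BASE
    + "&redirect_uri=https%3A%2F%2Flogin.unknown-app.example%2Fcallback"
    + "&scope=offline_access%20Mail.Read"
    + "%20https%3A%2F%2Fgraph.microsoft.com%2FFiles.ReadWrite.All")
SAMPLE_EXPECTED = (BASE
    + "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth&scope=openid%20profile")

if __name__ == "__main__":
    for link in (SAMPLE_SUSPICIOUS, SAMPLE_EXPECTED):
        print(review_authorize_url(link) or "no findings")
```

An empty result only means the link passed these two checks; the consent grant itself still needs to be logged and reviewed in the tenant.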

The rise of automated phishing kits and the abuse of legitimate cloud services demonstrate how flexible and adaptable phishing attacks have become. Organizations must continue to adapt their security strategies to defend against these increasingly sophisticated attacks, Barracuda concludes.