OAuth Attacks: How Malicious Apps Are Targeting Microsoft 365 and GitHub



Cybercriminals are increasingly exploiting OAuth applications as an attack vector to gain unauthorised access to user accounts, steal data, and spread malware. Recent campaigns have shown a growing sophistication in how attackers abuse OAuth permissions to bypass traditional security measures.

A recent wave of attacks has leveraged fake OAuth applications impersonating Adobe, DocuSign, and GitHub security alerts. These malicious apps trick users into granting permissions that allow attackers to redirect victims to phishing pages, distribute malware, or gain full access to cloud accounts and repositories.

This article breaks down the latest OAuth attack techniques, how they exploit legitimate services, and what organisations can do to mitigate these threats.


How Malicious OAuth Attacks Work

OAuth is a widely used authorisation framework that allows applications to request access to user accounts without requiring passwords. While OAuth enhances security by reducing credential exposure, attackers exploit its trust-based model to manipulate users into approving malicious apps.

Here’s how a typical OAuth attack unfolds:

  1. Attackers create a fake OAuth application that mimics a legitimate service (e.g., Adobe Acrobat, DocuSign, or GitHub Security Alerts).
  2. Users are tricked into granting access, often through phishing emails or fake security notifications.
  3. OAuth permissions allow attackers to bypass traditional login security and gain direct access to the user’s account or data.
  4. Compromised accounts are used for further exploitation, including data theft, lateral movement, or deploying malware.

Unlike traditional credential theft, OAuth attacks do not require a password compromise. The user grants consent from a browser session that has already passed sign-in and MFA, and the token issued to the app is then used directly against the service's API, so the attack is harder to detect and sidesteps multi-factor authentication (MFA) entirely.


Recent OAuth Attacks Targeting Microsoft 365 & GitHub

1. Fake Adobe & DocuSign Apps Redirecting Users to Phishing Pages

Researchers recently uncovered malicious OAuth apps impersonating Adobe Acrobat and DocuSign. These fake apps were designed to appear legitimate but, once approved, redirected victims to credential phishing sites or malware distribution pages.

  • Attackers used bogus Adobe and DocuSign logos to make the apps look credible.
  • The apps requested only minimal permissions (the openid, profile and email scopes) to avoid detection; the consent itself granted little, and the damage came from where the app sent the user after approval.
  • Victims were led to highly convincing phishing pages that harvested Microsoft 365 credentials.
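
The pattern above (a familiar brand, a consent prompt that asks for almost nothing, and a callback that leads somewhere else) can be checked mechanically before anyone clicks Accept. The following Python script is an added example and not code from the original article or from any of the vendors named: it parses a consent URL the way a user or a mail security filter should, pulling out the client_id, the requested scopes and the redirect host, and compares that host with the domains the imitated vendor would plausibly redirect to. The vendor domain list, the all-zero client_id and the made-up redirect host in main() are assumptions constructed for the example.

```python
"""Inspect an OAuth authorisation (consent) request before approving it.

Added example, not code from the original article. The lure URL in main()
is constructed: the client_id is an all-zero placeholder and the redirect
host is a made-up domain, not an identifier from any real campaign.
"""
from urllib.parse import parse_qs, urlparse

# Assumption for this example: domains a genuine app from each vendor would
# plausibly redirect back to. A real deployment maintains its own allow-list.
VENDOR_DOMAINS = {
    "adobe": ("adobe.com", "adobe.io"),
    "docusign": ("docusign.com", "docusign.net"),
    "github": ("github.com",),
}

# Scopes that only identify the user. An app asking for nothing else gets no
# data access from the consent itself, which is why a lure can request so little.
SIGN_IN_ONLY_SCOPES = {"openid", "profile", "email"}


def parse_consent_request(url: str) -> dict:
    """Extract what the consent prompt is really asking the user to approve."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)

    def first(key: str) -> str:
        return params.get(key, [""])[0]

    redirect = urlparse(first("redirect_uri"))
    return {
        "authority": parsed.hostname or "",
        "client_id": first("client_id"),
        "scopes": set(first("scope").split()),
        "redirect_host": (redirect.hostname or "").lower(),
        "redirect_scheme": redirect.scheme.lower(),
    }


def host_under(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_consent(url: str, claimed_brand: str) -> dict:
    """Compare the brand the app imitates with where consent actually leads.

    claimed_brand is the vendor the app's name and logo suggest to the user.
    An empty findings list means nothing in the request contradicts that
    identity; it does not prove the app is genuine.
    """
    req = parse_consent_request(url)
    findings = []
    expected = VENDOR_DOMAINS.get(claimed_brand.lower(), ())
    if not req["redirect_host"]:
        findings.append("no_redirect_uri")          # cannot tell where consent leads
    elif not host_under(req["redirect_host"], expected):
        findings.append("redirect_off_brand")       # callback is not the vendor's
    if req["redirect_scheme"] not in ("https", ""):
        findings.append("redirect_not_https")
    if "redirect_off_brand" in findings and req["scopes"] <= SIGN_IN_ONLY_SCOPES:
        # Minimal scopes plus an off-brand callback: the consent is a pretext
        # to land the user on a page the app owner controls.
        findings.append("lure_pattern")
    if "offline_access" in req["scopes"]:
        findings.append("refresh_token_requested")  # access outlives the session
    req["scopes"] = sorted(req["scopes"])
    req["findings"] = findings
    req["safe_to_approve"] = not any(
        f in findings for f in ("redirect_off_brand", "redirect_not_https", "no_redirect_uri")
    )
    return req


def main() -> None:
    # Constructed lure: branded as "Adobe Acrobat", asks only to sign the user
    # in, but the callback goes to an unrelated domain.
    lure = (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000"
        "&response_type=code"
        "&redirect_uri=https%3A%2F%2Fdocs-viewer.example.net%2Fcallback"
        "&scope=openid+profile+email"
    )
    for key, value in assess_consent(lure, "Adobe").items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it as a script to see the report for the constructed lure; the interesting line is findings, which names the off-brand redirect and the lure pattern even though every requested scope is harmless on its own. The allow-list approach only catches apps whose callback contradicts the brand they borrow, so treat an empty findings list as "nothing contradicts the story", not as a verdict that the app is genuine.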

2. GitHub Attack Targeting Developers

Another campaign targeted GitHub developers, where attackers used a fake security alert to trick users into granting OAuth permissions to a malicious app named "GitHub Notification".

  • The app claimed to warn users of unusual login activity from Iceland.
  • Developers who clicked on the alert granted full access to their GitHub repositories.
  • This allowed attackers to steal or modify source code, insert backdoors, or exfiltrate sensitive data.

With over 8,000 GitHub repositories targeted, this attack underscores the high-risk nature of OAuth abuse in developer and enterprise environments.


Why OAuth Attacks Are So Effective

OAuth-based attacks are highly successful because they exploit trusted authentication flows. Unlike phishing campaigns that rely on stealing passwords, OAuth attacks bypass traditional login mechanisms entirely.

Key Reasons Why OAuth Attacks Are Difficult to Detect:

  • No need for password theft – Attackers gain access through OAuth tokens instead of credentials.
  • Legitimate API access – Actions are performed through approved app permissions, making activity look normal.
  • Persistence – OAuth tokens often remain active even if passwords are changed.
  • Low detection rates – Many security tools do not flag OAuth-based threats as malicious.

For enterprises using cloud platforms like Microsoft 365, Google Workspace, and GitHub, OAuth attacks pose a serious security risk—one that requires a proactive defence strategy.


How to Protect Against Malicious OAuth Attacks

1. Restrict OAuth App Permissions

  • Implement strict app permission policies to limit what third-party apps can access.
  • Require admin approval for OAuth apps before they can be used within the organisation.
  • Regularly audit and review OAuth app permissions in Microsoft 365, Google Workspace, and GitHub.

2. Implement Conditional Access & Risk-Based Authentication

  • Use conditional access policies to restrict high-risk OAuth approvals.
  • Monitor for suspicious login patterns, such as new OAuth app approvals from unusual locations.
  • Enable risk-based authentication that flags login attempts tied to malicious OAuth requests.

3. Educate Users on OAuth Security Risks

  • Train employees to identify phishing emails that prompt OAuth app approvals.
  • Encourage developers to verify GitHub OAuth apps before granting permissions.
  • Regularly update security awareness training to include OAuth-specific attack methods.

4. Disable Unused or High-Risk OAuth Apps

  • Revoke access for unused OAuth applications.
  • Monitor app behaviour and remove any that request excessive permissions.
  • Use automated security tools to detect and block high-risk OAuth activity.
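
Sections 1, 2 and 4 above come down to the same operational question: which consent grants in the audit trail deserve review or revocation? The following Python script is an added example and not code from the original article or from Microsoft or GitHub. It scores constructed consent-grant events against those controls (user consent where admin approval is expected, a brand name on an app with no verified publisher, high-privilege scopes, consent from a country the user never signs in from, and offline_access for persistence) and returns the app ids to revoke pending review. The event records, the field names, the per-user location baseline, the scope set and the weights are all assumptions constructed for the example; real Microsoft 365 and GitHub records carry different field names.

```python
"""Triage OAuth consent-grant events against the controls listed above:
admin approval for new apps, review of requested permissions, and alerts on
approvals from unusual locations.

Added example, not code from the original article. The events and the
per-user location baseline are constructed test data; the field names are a
simplified stand-in for what a Microsoft 365 "Consent to application" audit
record or a GitHub OAuth authorisation actually contains.
"""

# Scopes that give an app broad reach into mail, files, the directory or
# source code. Assumption for this example; tune the set to your tenant.
HIGH_PRIVILEGE_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.ReadWrite.All", "Directory.ReadWrite.All",   # Microsoft Graph
    "repo", "admin:org", "write:org", "workflow",       # GitHub
}
BRAND_NAMES = ("adobe", "docusign", "github")  # brands the campaigns imitated

WEIGHTS = {
    "user_consent": 1,           # granted by the user, not via admin approval
    "brand_impersonation": 3,    # brand name in the app, no verified publisher
    "excessive_permissions": 3,  # at least one high-privilege scope
    "unusual_location": 2,       # consent from a country the user never uses
    "persistent_access": 1,      # offline_access: the app keeps a refresh token
}
REVIEW_THRESHOLD = 4  # score at or above this: review and revoke the grant

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"platform": "m365", "user": "a.lee@example.com", "app": "Adobe Acrobat Reader",
     "app_id": "app-1", "publisher_verified": True, "consent_type": "user",
     "scopes": ["openid", "profile", "email"], "country": "GB"},
    {"platform": "m365", "user": "b.ng@example.com", "app": "Adobe Acrobat",
     "app_id": "app-2", "publisher_verified": False, "consent_type": "user",
     "scopes": ["openid", "profile", "email"], "country": "GB"},
    {"platform": "m365", "user": "c.ortiz@example.com", "app": "Mail Sync Helper",
     "app_id": "app-3", "publisher_verified": False, "consent_type": "user",
     "scopes": ["Mail.ReadWrite", "offline_access", "Files.Read.All"], "country": "NG"},
    {"platform": "github", "user": "devuser", "app": "GitHub Notification",
     "app_id": "app-4", "publisher_verified": False, "consent_type": "user",
     "scopes": ["repo", "user"], "country": "US"},
    {"platform": "m365", "user": "admin@example.com", "app": "Corporate CRM",
     "app_id": "app-5", "publisher_verified": True, "consent_type": "admin",
     "scopes": ["User.Read", "Mail.Read"], "country": "GB"},
]
# Constructed baseline: countries each user normally signs in from.
USUAL_COUNTRIES = {
    "a.lee@example.com": {"GB"}, "b.ng@example.com": {"GB"},
    "c.ortiz@example.com": {"GB"}, "devuser": {"GB", "US"},
    "admin@example.com": {"GB"},
}


def score_event(event: dict, baseline: dict) -> tuple:
    """Return (score, reasons) for one consent grant."""
    reasons = []
    if event["consent_type"] != "admin":
        reasons.append("user_consent")
    if not event["publisher_verified"] and any(b in event["app"].lower() for b in BRAND_NAMES):
        reasons.append("brand_impersonation")
    if HIGH_PRIVILEGE_SCOPES & set(event["scopes"]):
        reasons.append("excessive_permissions")
    if event["country"] not in baseline.get(event["user"], set()):
        reasons.append("unusual_location")
    if "offline_access" in event["scopes"]:
        reasons.append("persistent_access")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(events: list, baseline: dict) -> list:
    """Score every event and order the result with the riskiest grants first."""
    rows = []
    for event in events:
        score, reasons = score_event(event, baseline)
        rows.append({
            "app_id": event["app_id"], "app": event["app"], "user": event["user"],
            "score": score, "reasons": reasons,
            "action": "review_and_revoke" if score >= REVIEW_THRESHOLD else "log",
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def revocation_candidates(events: list, baseline: dict) -> list:
    """App ids whose grants should be revoked pending review."""
    return sorted({r["app_id"] for r in triage(events, baseline)
                   if r["action"] == "review_and_revoke"})


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, USUAL_COUNTRIES):
        print(f'{row["score"]:>2}  {row["action"]:<17} {row["app"]:<22} '
              f'{row["user"]:<22} {", ".join(row["reasons"])}')
```

On the constructed data the verified Adobe app consented from the user's usual country scores 1 and is only logged, while the unverified look-alike, the mail-and-files app with offline_access from an unusual country, and the "GitHub Notification" app holding the repo scope all cross the review threshold. The weights are deliberately simple; the design point is that the signals the article lists (publisher, scopes, location, consent type, persistence) are independent and combine additively, so a lure that keeps its scopes minimal is still caught by the other signals.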

Final Thoughts

OAuth attacks are becoming a preferred method for cybercriminals because they bypass traditional security controls and exploit user trust in authentication flows.

The recent Microsoft 365 and GitHub OAuth campaigns show how sophisticated these attacks have become, targeting not just end-users but also developers and enterprise cloud environments.

Organisations must take proactive steps to secure their OAuth ecosystems, from limiting app permissions to educating employees on the risks. The key takeaway? OAuth security should be treated with the same level of priority as password and MFA security.

Cyber threats are evolving—is your organisation keeping up?

