Phishing Attacks Target OAuth Credentials to Gain System Access
Discover how an increasingly popular authentication process, OAuth, can be exploited by hackers to wreak havoc on applications and access sensitive data.

What Is OAuth?
OAuth is a widely used framework that allows applications to share access to assets. It lets unrelated services and servers allow authentication without sharing the initial single login credential. It’s often referred to as secure third-party user agent delegated authentication.
OAuth lets you access a resource, for example secure password-protected sections of a website. Once the access is granted it remains in place until revoked, even if passwords are reset or 2-factor authentication changes.
It’s the technology that allows you to log in to a website or an app using Facebook or Google credentials. Instead of creating and using a password for, say, ESPN.com, you can log in using your Facebook account. Facebook, Google, Microsoft and Amazon are among those that use OAuth to allow access to other platforms as well as their own.
OAuth does not share password data across sites, but it does share the authorization tokens to confirm your identity.
What Is the OAuth Phishing Attack?
The OAuth tactic is unlike those used in traditional phishing attacks. By targeting the authorization tokens, hackers can essentially act as a compromised account holder throughout any platform on which the hacked person uses OAuth.
A hacker can create a simple app that is loaded into an email message. When users click on the phishing email, they can inadvertently allow access via the OAuth protocol.
“These techniques have been observed in sophisticated attacks in the past but are becoming easier to execute and are gaining in popularity,” notes a recent article.
What Can Attackers Do if a Phishing Attack Is Successful?
A successful phishing attack lets a hacker do any number of things, depending on the resource to which access was granted. For example, if access is granted to your Microsoft Office or Office 365 account, a hacker could:

Search your mailboxes
Read your email messages
Download messages and any attachments
Search for keywords in your email and extract that data
Send messages on behalf of your account … to anyone
Access your contacts
Search shared drives like OneDrive and SharePoint, read documents and download and extract files
Create malicious Outlook rules
Inject disruptive macros into stored Word documents
Create and install filtering and forwarding rules

Data accessed, reviewed and stolen can have severe consequences, as could macros and rules that make it difficult or impossible to use these common office productivity apps.
What Can Be Done to Defend Against a Phishing Attack?
More platforms are using OAuth to make it easier for customers or users to access information. That proliferation of uses means more opportunities for hackers. The number of OAuth phishing attacks is likely to grow.
The best defense against OAuth and other phishing attacks is awareness. Employees and other users need to be aware of the risks and potential outcomes of a phishing attack.
That means training and simulations that help users look for telltale signs of a phishing attack, such as poor grammar and spelling and the use of an unusual email address. Explaining how OAuth phishing attacks work also helps to raise awareness and let users take a skeptical approach to providing those credentials if something doesn’t feel right.
Your organization should also make it easier for employees to submit any suspect email messages that they believe are a phishing attempt.
Some other recommendations are:

Limit the number of third-party apps that your network accepts
Disable any third-party apps across the organization that are unnecessary
To identify rare or suspicious instances, search for and monitor all consented applications
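
One way to carry out the last recommendation, shown as an added example that is not part of the original article: a review of a consent inventory that flags apps that are rare in the organization or unverified and that hold the mail, file, contact or mailbox-rule permissions listed earlier. The record layout, app names and thresholds are assumptions; the scope names are Microsoft Graph delegated permissions.

```python
from collections import defaultdict

# Delegated permissions matching the abuses listed above (mail, contacts, files, rules).
HIGH_RISK = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
             "Files.Read.All", "Files.ReadWrite.All", "MailboxSettings.ReadWrite"}

# Constructed sample inventory of consent grants. Field names are assumptions,
# not a specific vendor export format.
GRANTS = [
    {"app": "Contoso Travel", "verified": True, "user": "amy", "scopes": "User.Read Calendars.Read"},
    {"app": "Contoso Travel", "verified": True, "user": "bob", "scopes": "User.Read Calendars.Read"},
    {"app": "Mail Archiver", "verified": True, "user": "amy", "scopes": "Mail.Read offline_access"},
    {"app": "Mail Archiver", "verified": True, "user": "bob", "scopes": "Mail.Read offline_access"},
    {"app": "Mail Archiver", "verified": True, "user": "dee", "scopes": "Mail.Read offline_access"},
    {"app": "Doc Viewer Pro", "verified": False, "user": "cho",
     "scopes": "Mail.ReadWrite Mail.Send Files.Read.All MailboxSettings.ReadWrite offline_access"},
    {"app": "Notes Sync", "verified": False, "user": "dee", "scopes": "User.Read"},
]

def review_grants(grants, rare_max_users=1):
    """Aggregate grants per app and return findings for apps holding high-risk scopes."""
    apps = defaultdict(lambda: {"users": set(), "scopes": set(), "verified": True})
    for g in grants:
        a = apps[g["app"]]
        a["users"].add(g["user"])
        a["scopes"].update(g["scopes"].split())
        a["verified"] = a["verified"] and g["verified"]
    findings = []
    for name, a in apps.items():
        risky = sorted(a["scopes"] & HIGH_RISK)
        if not risky:
            continue  # low-privilege apps are out of scope for this check
        reasons = []
        if len(a["users"]) <= rare_max_users:
            reasons.append("rare")
        if not a["verified"]:
            reasons.append("unverified publisher")
        if "offline_access" in a["scopes"]:
            reasons.append("refresh token (access persists)")
        # Widely used, verified apps with risky scopes get a lower-priority review.
        severity = "high" if {"rare", "unverified publisher"} & set(reasons) else "review"
        findings.append({"app": name, "severity": severity, "risky_scopes": risky,
                         "users": sorted(a["users"]), "reasons": reasons})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["app"]))

if __name__ == "__main__":
    for finding in review_grants(GRANTS):
        print(finding)
```

Because granted access remains in place until revoked, a "high" finding should lead to revoking the app's consent, not only resetting the user's password.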

To reduce the likelihood and impact of an OAuth phishing attack, be sure to work with your managed IT services provider to ensure that training, anti-phishing solutions and monitoring are in place for your entire network.