Cazadora open-source tenant OAuth app hunting tool release
Security Tool/Service
Summary
Cazadora now gives Microsoft 365/Azure admins an open source way to enumerate tenant OAuth apps and hunt for suspicious registrations, improving visibility into rogue app abuse. The tool focuses on Enterprise Applications and Application Registrations that may hide malicious consent grants or other suspicious tradecraft. It matters because OAuth app abuse can blend into legitimate cloud authorization paths and evade casual tenant review.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources: 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources: 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources: 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources: 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
OAuth URL redirection phishing campaign targeting government and public-sector organizations
Campaign
First: 03.03.2026 11:20
Last: 03.03.2026 11:20
Sources: 1
About this happening:
The **OAuth URL redirection** phishing campaign is targeting **government and public-sector organizations**, using attacker-controlled redirects to bypass normal **email** and **b...
Timeline
20.10.2025 17:00 · 2 articles
Cazadora open source OAuth app hunting release
Initial Disclosure: Matt Kiely, Principal Security Researcher at Huntress Labs, releases Cazadora, an open source script for Microsoft 365 administrators to audit OAuth apps. It inspects Enterprise Applications and Application Registrations for suspicious names, loopback reply URLs such as http://localhost:7823/access/, and other indicators of rogue consent abuse.
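The checks described above, as an added example that is not Cazadora's own code: a small Python hunt over Entra ID app registrations in the shape returned by the Microsoft Graph /applications resource. It flags the two indicators the write-up names, loopback reply URLs (such as http://localhost:7823/access/) and suspicious display names. The display-name patterns, the sample records and their placeholder appIds are this example's own assumptions, constructed so the script runs offline.

```python
"""Added example, not Cazadora's code: hunt Entra ID app registrations for
loopback reply URLs and suspicious display names.

Records follow the Microsoft Graph /applications shape (displayName, appId,
signInAudience, web/publicClient/spa.redirectUris). SAMPLE_APPS below is
CONSTRUCTED data with placeholder appIds, not a real tenant export.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlparse

# Hosts that resolve to the local machine. A reply URL pointing here hands the
# authorization code or token to whatever listens on the victim's own client,
# which is the pattern behind http://localhost:7823/access/ in the write-up.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Name heuristics are an assumption of this example: throwaway "test" apps,
# names that mimic Microsoft first-party tooling, and random-looking tokens.
SUSPICIOUS_NAME_PATTERNS = [
    re.compile(r"\btest\b", re.I),
    re.compile(r"microsoft|office\s*365|azure", re.I),
    re.compile(r"^[a-z0-9]{8,}$", re.I),
]

# Constructed sample data (placeholder GUIDs), one benign app and two suspects.
SAMPLE_APPS = [
    {
        "appId": "11111111-1111-1111-1111-111111111111",
        "displayName": "test",
        "signInAudience": "AzureADMyOrg",
        "web": {"redirectUris": ["http://localhost:7823/access/"]},
        "publicClient": {"redirectUris": []},
        "spa": {"redirectUris": []},
    },
    {
        "appId": "22222222-2222-2222-2222-222222222222",
        "displayName": "Payroll Portal",
        "signInAudience": "AzureADMyOrg",
        "web": {"redirectUris": ["https://payroll.example.com/signin-oidc"]},
        "publicClient": {"redirectUris": []},
        "spa": {"redirectUris": []},
    },
    {
        "appId": "33333333-3333-3333-3333-333333333333",
        "displayName": "Microsoft Office 365 Sync",
        "signInAudience": "AzureADMultipleOrgs",
        "web": {"redirectUris": []},
        "publicClient": {"redirectUris": ["http://127.0.0.1:8400/callback", "msal://redirect"]},
        "spa": {"redirectUris": []},
    },
]


def is_loopback_uri(uri: str) -> bool:
    """True if the redirect URI's host is the loopback interface (any port/path)."""
    host = urlparse(uri).hostname  # lowercased, brackets stripped for IPv6
    if host is None:
        return False
    if host in LOOPBACK_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def redirect_uris(app: dict) -> list[str]:
    """Collect redirect URIs from every platform section of a Graph application."""
    uris: list[str] = []
    for section in ("web", "publicClient", "spa"):
        uris.extend((app.get(section) or {}).get("redirectUris") or [])
    return uris


def hunt(apps: list[dict]) -> list[dict]:
    """Return one finding per app that trips at least one indicator."""
    findings = []
    for app in apps:
        reasons = []
        loopbacks = [u for u in redirect_uris(app) if is_loopback_uri(u)]
        if loopbacks:
            reasons.append("loopback redirect URI(s): " + ", ".join(loopbacks))
        name = app.get("displayName", "")
        if any(p.search(name) for p in SUSPICIOUS_NAME_PATTERNS):
            reasons.append(f"suspicious display name: {name!r}")
        if reasons:
            findings.append({"appId": app.get("appId"), "displayName": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_APPS):
        print(f["appId"], f["displayName"])
        for r in f["reasons"]:
            print("   -", r)
```

To run this against a live tenant, replace SAMPLE_APPS with the `value` array from `GET https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,signInAudience,web,publicClient,spa`. Enterprise Applications are service principals rather than registrations; the same `is_loopback_uri` check applies to the `replyUrls` property of `/servicePrincipals`, which the write-up also has Cazadora inspect.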
Sources:
- Find hidden malicious OAuth apps in Microsoft 365 using Cazadora — www.bleepingcomputer.com — 20.10.2025 17:00