Widespread malicious OAuth app prevalence across Microsoft 365 tenants

Target Trend
Happening score: 21
1 unique source, 1 article

Summary

Researchers found malicious OAuth apps present across a measurable share of Microsoft 365 / Entra ID tenants, indicating a persistent identity-abuse risk rather than isolated compromise. In a survey of 8,000+ tenants, about 10% had at least one Traitorware app (a legitimate application abused for malicious ends), and follow-on analysis across partner tenants found over 500 instances of Stealthware (custom-built malicious apps). The pattern shows that rogue app abuse is both common and scalable in cloud identity environments, especially where user consent grants and app registrations are hard to review.

Related Happenings

EngageLab SDK intent redirection security flaw

Vulnerability
First: 09.04.2026 20:26 Last: 09.04.2026 20:26 Sources 1

About this happening: A **now-patched intent redirection vulnerability** in the **EngageLab SDK** could let **malicious apps** bypass the **Android security sandbox** and access private data in apps us...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

EvilTokens phishing-as-a-service operation expands device code phishing and BEC

Threat Actor Meta
First: 01.04.2026 22:42 Last: 01.04.2026 22:42 Sources 1

About this happening: **EvilTokens** has been commercialized on **Telegram** as a continuously developed phishing-as-a-service kit, expanding **device code phishing** and **BEC** capabilities at scale....

Perseus Android malware family actively distributed in the wild

Malware Activity
First: 19.03.2026 14:43 Last: 19.03.2026 14:43 Sources 1

About this happening: The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Timeline

  1. 20.10.2025 17:00 2 articles · 7mo ago

    Malicious OAuth apps found across Microsoft 365 tenants

    Campaign Scope Update

    Huntress research on Azure/Entra ID application abuse says administrators of Microsoft 365 tenants should audit OAuth apps after analysis across over 8,000 tenants found both legitimate-but-abused Traitorware and custom malicious Stealthware. The findings include more than 500 Stealthware instances across partner tenants, plus suspicious patterns such as apps named after user accounts, test-like names, tenant-domain names, arbitrary strings, and anomalous reply URLs like http://localhost:7823/access/.
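The audit patterns listed above (apps named after user accounts, test-like names, tenant-domain names, arbitrary strings, and loopback reply URLs such as http://localhost:7823/access/) can be turned into a first-pass triage script. The following is an added example written for this page; it is not Huntress tooling. It runs offline over constructed records shaped like the `displayName`, `appId` and `replyUrls` fields Microsoft Graph returns for `servicePrincipal` objects (in a real audit you would feed it the output of `GET /servicePrincipals?$select=appId,displayName,replyUrls`). The tenant domain, the user list, the regular expression and the entropy and vowel thresholds are assumptions chosen for illustration and should be tuned per tenant.

```python
"""Heuristic triage of Entra ID service principals for the naming and
reply-URL anomalies described in the Huntress OAuth-app research.

Added example for this page, not Huntress code. Sample records, tenant
domain, user list and thresholds are constructed assumptions.
"""
import math
import re
from collections import Counter
from urllib.parse import urlsplit

TENANT_DOMAIN = "contoso.com"                                    # assumed tenant
TENANT_USERS = ["alice@contoso.com", "bob.smith@contoso.com"]     # constructed UPNs

# Test-like display names: a placeholder word at the start, optionally followed by digits.
TEST_NAME_RE = re.compile(r"^(test|demo|tmp|temp|sample)(\d|\b)", re.IGNORECASE)

# Loopback hosts are normal for native apps during development, but the research
# flags them as anomalous for apps that sit in production tenants.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_arbitrary(name: str) -> bool:
    """Single alphanumeric token, 8+ chars, high entropy, and either digits
    mixed in or almost no vowels. Thresholds are assumptions."""
    token = name.strip()
    if len(token) < 8 or not re.fullmatch(r"[A-Za-z0-9]+", token):
        return False
    vowel_ratio = sum(ch in "aeiouAEIOU" for ch in token) / len(token)
    has_digit = any(ch.isdigit() for ch in token)
    return shannon_entropy(token.lower()) >= 3.0 and (has_digit or vowel_ratio < 0.2)


def name_findings(name: str) -> list:
    """Findings derived from the display name alone."""
    findings = []
    lowered = name.strip().lower()
    user_names = {u.lower() for u in TENANT_USERS} | {u.split("@")[0].lower() for u in TENANT_USERS}
    if lowered in user_names:
        findings.append("named after a user account")
    if lowered in (TENANT_DOMAIN.lower(), TENANT_DOMAIN.split(".")[0].lower()):
        findings.append("named after the tenant domain")
    if TEST_NAME_RE.match(name.strip()):
        findings.append("test-like name")
    if looks_arbitrary(name):
        findings.append("arbitrary string name")
    return findings


def suspicious_reply_urls(urls: list) -> list:
    """Loopback or plaintext-HTTP redirect targets registered on the app."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in LOOPBACK_HOSTS or host.endswith(".localhost"):
            findings.append(f"loopback reply URL {url}")
        elif parts.scheme == "http":
            findings.append(f"plaintext reply URL {url}")
    return findings


def triage(service_principals: list) -> dict:
    """Return {appId: [findings]} for every record that trips a heuristic."""
    report = {}
    for sp in service_principals:
        findings = name_findings(sp.get("displayName", "")) + suspicious_reply_urls(sp.get("replyUrls", []))
        if findings:
            report[sp["appId"]] = findings
    return report


# Constructed sample; appIds and names are fictitious.
SAMPLE_SERVICE_PRINCIPALS = [
    {"appId": "11111111-0000-0000-0000-000000000001", "displayName": "Contoso Payroll Sync",
     "replyUrls": ["https://payroll.contoso.com/auth/callback"]},
    {"appId": "11111111-0000-0000-0000-000000000002", "displayName": "bob.smith",
     "replyUrls": ["http://localhost:7823/access/"]},
    {"appId": "11111111-0000-0000-0000-000000000003", "displayName": "test",
     "replyUrls": ["https://login.microsoftonline.com/common/oauth2/nativeclient"]},
    {"appId": "11111111-0000-0000-0000-000000000004", "displayName": "contoso.com",
     "replyUrls": []},
    {"appId": "11111111-0000-0000-0000-000000000005", "displayName": "kq8ZxT3vWm2p",
     "replyUrls": ["https://kq8zxt3vwm2p.example/cb"]},
]

if __name__ == "__main__":
    for app_id, findings in triage(SAMPLE_SERVICE_PRINCIPALS).items():
        print(app_id, "->", "; ".join(findings))
```

Each hit is a lead for review, not a verdict: a loopback reply URL on a first-party developer app or a display name that happens to match a UPN can be benign. The useful next step on a real hit is to pull the app's consented permissions and owners, which the research also recommends reviewing.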