OAuth Consent Abuse Campaign Targets Multiple Organizations

First reported

12.03.2026 15:14

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

A large-scale OAuth consent abuse campaign, active in early 2025, involved 19 malicious applications impersonating well-known brands like Adobe, DocuSign, and OneDrive. The campaign targeted multiple organizations, exploiting 'consent fatigue' to gain access to users' sensitive data without needing their passwords. The access token obtained through this method was sent to the attacker's redirect URL, granting them unauthorized access to files or emails. The campaign was documented by Proofpoint in August 2025, highlighting the ongoing threat posed by malicious OAuth applications.

Timeline

12.03.2026 15:14 1 articles · 7h ago

OAuth Consent Abuse Campaign Targets Multiple Organizations
A large-scale OAuth consent abuse campaign, active in early 2025, involved 19 malicious applications impersonating well-known brands like Adobe, DocuSign, and OneDrive. The campaign targeted multiple organizations, exploiting 'consent fatigue' to gain access to users' sensitive data without needing their passwords. The access token obtained through this method was sent to the attacker's redirect URL, granting them unauthorized access to files or emails. The campaign was documented by Proofpoint in August 2025, highlighting the ongoing threat posed by malicious OAuth applications.
Show sources

ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More — thehackernews.com — 12.03.2026 15:14
Open in new tab

Information Snippets

Malicious OAuth applications impersonated well-known brands to trick users into granting permissions.
First reported: 12.03.2026 15:14

1 source, 1 article
Show sources
- ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More — thehackernews.com — 12.03.2026 15:14
The campaign involved 19 distinct OAuth applications and targeted multiple organizations.
First reported: 12.03.2026 15:14

1 source, 1 article
Show sources
- ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More — thehackernews.com — 12.03.2026 15:14
The access token obtained through the malicious OAuth applications was sent to the attacker's redirect URL.
First reported: 12.03.2026 15:14

1 source, 1 article
Show sources
- ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More — thehackernews.com — 12.03.2026 15:14
The campaign was documented by Proofpoint in August 2025.
First reported: 12.03.2026 15:14

1 source, 1 article
Show sources
- ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More — thehackernews.com — 12.03.2026 15:14