OAuth
Coverage of OAuth in the Nexus archive.
- ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API
ToddyCat, a threat actor, has been linked to Umbrij malware that exploits OAuth to access Gmail via Google API, targeting corporate email compromises. Kaspersky reported that attackers focused on breaching Gmail communications through API access.
- Cloudflare launched self-managed OAuth for all
Cloudflare has launched self-managed OAuth for all users, expanding access to its authentication service. The feature allows developers to manage OAuth workflows independently.
- Klue OAuth breach victim list grows as Icarus hackers claim attack
Market intelligence platform Klue confirmed a security incident where threat actors stole OAuth tokens used to access customers' Salesforce environments. The Icarus extortion group has publicly claimed responsibility for the attack.
- FBI warns of major phishing scam, with hackers ‘hijacking' Microsoft Outlook, 365 users
The FBI warns of a phishing scam targeting Microsoft Outlook and 365 users, using a pre-packaged phishing kit called Kali 365 distributed via Telegram. Hackers exploit OAuth tokens to bypass multi-factor authentication, gaining unauthorized access to accounts and services like Outlook, Teams, and OneDrive.
- FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks
The FBI has issued a warning about Kali365, a phishing-as-a-service platform operating on Telegram that enables cybercriminals to steal OAuth tokens and gain unauthorized access to Microsoft 365 environments. The advisory follows attacks in April targeting Microsoft 365 users. This threat represents a significant security risk for organizations relying on cloud-based Microsoft services.
- The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed
Attackers can exploit persistent OAuth tokens from AI tools and productivity apps connected to Google or Microsoft, bypassing perimeter controls and MFA. These tokens have no expiration date and are often left unmonitored. This vulnerability poses a significant security risk to organizations.
- Learning from the Vercel breach: Shadow AI & OAuth sprawl
The Vercel breach highlights risks from third-party OAuth integrations, showing how a compromised app can expose customer environments. Push warns that OAuth sprawl and Shadow AI practices amplify security vulnerabilities.
- Vercel Security Incident: Immediate Advisory for Solana DeFi Projects
Vercel reported unauthorized access to internal systems via a compromised third-party AI tool's Google Workspace OAuth app. While services remain operational and no sensitive data was confirmed accessed, Solana DeFi teams are urged to rotate secrets and audit OAuth integrations for security.