Hackers Are Using OAuth to Sneak Into Your Accounts

Cybercriminals are putting a clever spin on an old trick—this time using OAuth, the tool that lets you connect apps to your account without sharing your password.

What’s new? Instead of stealing data right away, attackers are using fake OAuth apps to lead you to phishing sites. These scams work because they look legitimate at every step. The attackers register OAuth apps that mimic well-known tools like Adobe Acrobat or DocuSign, complete with professional-looking logos and familiar branding. These apps only request basic permissions—such as access to your profile or email—which makes them seem harmless. But once you click “Allow,” the app redirects you to a fake Microsoft login page that’s built to steal your credentials. What makes this tactic especially effective is that the permission prompt itself is served by Microsoft’s genuine login infrastructure, so the request carries none of the usual warning signs and feels trustworthy.

Stay Safe with These Tips

  • Pause Before Approving: Don’t grant access without checking what the app is and why it needs it.
  • Double-Check the Source: Unexpected app requests? Confirm with IT or the official website first.
  • Use MFA: Multi-Factor Authentication adds another layer of security, even if your password is compromised.
  • Clean Up Access: Regularly review which apps have access to your accounts—and remove anything you don’t use.
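One way an administrator can act on the “Clean Up Access” tip and surface the pattern described above (brand-lookalike app, no verified publisher, a single user consenting to basic scopes, reply URL that doesn’t belong to the claimed brand): the following is an added example, not part of the original article, and it runs over a constructed consent-grant export whose field names are modelled loosely on Microsoft Graph’s servicePrincipal and oAuth2PermissionGrant objects rather than read from a real tenant.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Brand names the lure apps impersonate, mapped to the domains a genuine app from that
# brand would redirect to (mapping simplified for this example).
BRAND_DOMAINS = {
    "adobe": ("adobe.com",),
    "acrobat": ("adobe.com",),
    "docusign": ("docusign.com", "docusign.net"),
}
LOW_PRIVILEGE_SCOPES = {"openid", "profile", "email", "user.read", "offline_access"}

@dataclass
class ConsentGrant:
    app_name: str
    publisher_verified: bool
    consent_type: str     # "Principal" = one user clicked Allow; "AllPrincipals" = admin consent
    scopes: frozenset     # lower-cased OAuth scopes granted
    reply_urls: tuple     # redirect URIs registered by the app

def host_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def review_reasons(g: ConsentGrant) -> list:
    """Return the reasons this grant matches the consent-phishing lure pattern."""
    name = g.app_name.lower()
    brands = [b for b in BRAND_DOMAINS if b in name]
    reasons = []
    if brands and not g.publisher_verified:
        reasons.append("brand lookalike name without a verified publisher")
    if g.consent_type == "Principal" and g.scopes <= LOW_PRIVILEGE_SCOPES:
        reasons.append("single-user consent for basic profile/email scopes only")
    expected = [d for b in brands for d in BRAND_DOMAINS[b]]
    for url in g.reply_urls:
        host = (urlparse(url).hostname or "").lower()
        if expected and not any(host_under(host, d) for d in expected):
            reasons.append(f"reply URL {host} does not belong to the impersonated brand")
    return reasons

def triage(grants) -> dict:
    """Map app name -> reasons, keeping only grants that need a human look."""
    return {g.app_name: r for g in grants if (r := review_reasons(g))}

# Constructed sample export (hypothetical apps and domains, not real tenant data).
SAMPLE_GRANTS = (
    ConsentGrant("Adobe Acrobat", False, "Principal", frozenset({"openid", "profile", "email"}),
                 ("https://docs-share-review.example/login",)),
    ConsentGrant("DocuSign", True, "AllPrincipals", frozenset({"openid", "email", "user.read"}),
                 ("https://account.docusign.com/oauth/callback",)),
    ConsentGrant("Expense Tracker", False, "Principal", frozenset({"openid", "mail.read"}),
                 ("https://expenses.example/cb",)),
)

if __name__ == "__main__":
    for app, why in triage(SAMPLE_GRANTS).items():
        print(app, "->", "; ".join(why))
```

Only the lookalike “Adobe Acrobat” grant is flagged; the genuine admin-consented DocuSign app and the unbranded internal tool pass, which is the kind of short list worth reviewing and revoking by hand.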

OAuth makes logging in easier—but it’s being misused in smarter ways. Stay alert, and think twice before clicking “Allow.”
