
When trust becomes a threat: how Google and Microsoft are being exploited in cyberattacks

By: Artti Aston

Cyberattacks no longer rely solely on weak passwords or untrained users. Today’s attackers are leveraging the very technologies we’ve come to trust – such as Google and Microsoft login services – to launch highly convincing and effective attacks.

Add artificial intelligence into the mix, and the result is sophisticated scams that can easily deceive even tech-savvy users.

In this article, we’ll explore how attackers are misusing trusted technologies – like OAuth and DKIM (more on these in a moment) – and why everyone should be cautious when a message or application requests access to user accounts.

Technologies being abused

  • Artificial Intelligence (AI):
    Cybercriminals are increasingly using AI to craft grammatically correct, visually credible emails, messages, and documents that can bypass traditional detection and fool recipients.
  • OAuth (Open Authorization):
    A standard protocol that allows users to authorize applications to access their data without sharing passwords. It’s what enables login via your Google or Microsoft account across various third-party services.
  • DKIM (DomainKeys Identified Mail):
    An email authentication mechanism that uses a digital signature in the email header to verify the sender and ensure the message hasn’t been altered in transit. However, attackers can exploit this via DKIM replay attacks, resending previously signed and legitimate emails (e.g., newsletters or notifications) to trick recipients, all while the DKIM signature remains valid.

Real-world exploits

  • Google OAuth and DKIM replay attack
    Attackers exploited a combination of DKIM and Google OAuth to launch convincing phishing campaigns. They reused (replayed) previously signed, Google-branded emails – often with sender addresses like no-reply@google.com – while the actual sender was different.

    Because the DKIM signature remained valid, the messages passed authentication checks, giving the false impression they came directly from Google. However, the email body had been altered to include malicious links that redirected users to phishing sites designed to steal Google account credentials (BleepingComputer – DKIM Replay & OAuth spoofing).

  • Microsoft 365 OAuth attack
    This attack exploited Microsoft’s OAuth 2.0 flow to hijack user accounts. It started with a message delivered via WhatsApp or Signal, often impersonating a Ukrainian government official or European diplomat. The victim was invited to participate in a confidential video meeting on the Ukraine conflict (BleepingComputer – Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts).

    A link redirected the user to an OAuth authorization page, asking them to grant access to what appeared to be a legitimate app required for the meeting. If access was granted, users were redirected to a lookalike of login.microsoftonline.com, which silently passed authorization codes to the attackers.

    These codes granted access to the victim’s Microsoft 365 account – emails, calendar, files – without needing a password (Volexity – Phishing for codes: Russian threat actors target Microsoft 365 OAuth workflows).

How to protect your organization?

OAuth and DKIM abuses highlight a dangerous shift: attackers no longer need to steal passwords – they just need users to unknowingly authorize malicious apps or trust seemingly legitimate but altered emails.

  • Raise awareness among employees and leadership:
    Security isn’t only a technical issue – it’s a human one. Ensure your organization’s leaders and employees are trained to recognize phishing and social engineering attacks.
    • Teach staff to spot suspicious messages – especially those requesting login or account access.
    • Always review what permissions an app is requesting. Red flags include access to email, contacts, or files when such access seems unnecessary.
    • Never click "Accept" without reading and understanding what access is requested – and asking whether it is actually needed.
    • Use simulated phishing campaigns to regularly test employee vigilance.

  • Implement technical measures:
    Depending on your infrastructure and risk profile, consider these measures:
    • Strengthen email authentication with a strict DMARC policy (e.g., p=quarantine or p=reject), and ensure proper SPF and DKIM alignment.
    • Audit third-party app access regularly in your admin consoles (e.g., Google Workspace Admin, Microsoft Azure/Entra).
    • Disable automatic OAuth app approvals for new applications unless audited.
    • Deploy secure email and OAuth gateway solutions that detect unusual behaviors.
    • Use Conditional Access policies to limit access based on IP, device posture, and geolocation.
    • Enforce access only from managed devices (using tools like Microsoft Intune, Google Endpoint Management).
    • Set short token lifespans and use refresh token rotation to minimize token abuse risk.
    • Enable anomaly detection to monitor unusual behavior even after access is granted (e.g., Microsoft Defender for Cloud Apps, Google Security Center).
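A valid DKIM signature proves who signed a message, not that it is fresh or that it was injected by the signer's own mail servers. As an added example (not code from the article or from any vendor named in it), the header-level checks a mail filter could run on messages whose DKIM signature already verified, using constructed sample headers; it also flags the DKIM l= body-length tag, which the article does not mention but which lets text be appended after the signed part of the body.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed samples (not real mail). DKIM verification is assumed to have
# already PASSED for both; the heuristics below look at what a valid signature
# does not prove: that the mail is fresh and came from the signer's own MTA.
REPLAYED = b"""From: Google <no-reply@google.com>
Return-Path: <bounce@mailer.example.net>
Date: Tue, 01 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=sel1; l=512; bh=X; b=Y
Subject: Security alert

You have a new legal request.
"""
FRESH = b"""From: Google <no-reply@google.com>
Return-Path: <bounces@mail.google.com>
Date: Sun, 20 Apr 2025 08:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=sel1; bh=X; b=Y
Subject: Security alert

You have a new sign-in.
"""
RECEIVED_AT = datetime(2025, 4, 20, 10, 0, tzinfo=timezone.utc)  # constructed


def domain_of(addr):
    """Lower-cased domain of an RFC 5322 address ('' if none)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def aligned(a, b):
    """Relaxed DMARC-style alignment: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def dkim_tags(sig):
    """Parse the 'k=v; k=v' tag list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in str(sig).split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k] = v.strip()
    return tags


def replay_signals(raw, received_at, max_age=timedelta(days=7)):
    """Return the replay indicators found in an already DKIM-verified message."""
    msg = message_from_bytes(raw, policy=policy.default)
    tags = dkim_tags(msg.get("DKIM-Signature", ""))
    from_dom, sig_dom = domain_of(msg.get("From", "")), tags.get("d", "").lower()
    rp_dom = domain_of(msg.get("Return-Path", ""))
    found = []
    if not aligned(from_dom, sig_dom):            # signer is not the visible sender
        found.append("dkim-from-misaligned")
    if rp_dom and not aligned(rp_dom, from_dom):  # re-injected through another MTA
        found.append("return-path-mismatch")
    try:                                          # old signed Date = replayed mail
        if received_at - parsedate_to_datetime(msg.get("Date", "")) > max_age:
            found.append("stale-date")
    except (TypeError, ValueError):
        found.append("date-unparseable")
    if "l" in tags:                               # body-length limit: text can be appended
        found.append("dkim-body-length-limited")
    return found
```

Messages with any signal are candidates for quarantine or a warning banner rather than a hard reject, since legitimate forwarding can also change the Return-Path.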

What should every user do?

Security starts with individual actions. Every employee, executive, and partner plays a role in preventing unauthorized access.

  • Use strong, unique passwords
    • Avoid reusing credentials across services.
    • Use a password manager to create and store secure passwords.
    • Don’t base passwords on personal or company-related information.

  • Enable Multi-Factor Authentication (MFA)
    • Even if a password is compromised, MFA drastically reduces the likelihood of account takeover.

  • Regularly review your account’s connected devices and apps
  • Be cautious with email – even from trusted senders
    • Verify the context: is the request unexpected or overly urgent?
    • Don’t click links unless you're sure of the source.
    • When in doubt, access services directly through a browser – not via links in emails.
    • Look for inconsistencies in language, grammar, or formatting.

  • Keep your software and devices updated
    • Install security updates as soon as they are available. Many attacks exploit known vulnerabilities.

  • Read authorization prompts carefully
    • If an app asks for access to sensitive resources (email, calendar, contacts) without clear justification – deny it.

Cyber threats are constantly evolving, and attackers are now weaponizing the very technologies we trust the most. OAuth and DKIM, while essential to secure digital ecosystems, are not foolproof when users are tricked into granting access.

Staying ahead means combining technology, process, and awareness. Invest in technical defenses, but also in people – your greatest defense against deception.

If you’d like support assessing your current security posture or implementing these protections, our team is ready to help.