OAuth phishers make ‘check where the link points’ advice ineffective
Context, not the URL, is the new red flag

Sakshi Grover, Senior Research Manager at IDC Asia/Pacific, said the longstanding advice to hover over a link and verify its domain was built for an era of lookalike domains and that it no longer holds in environments where authentication flows routinely pass through trusted identity providers. “Organizations should shift awareness messaging from ‘check the link’ to ‘validate the context,’” she said. “Employees should be trained to question whether an authentication request was expected, whether it aligns with a current business activity, and whether the application is requesting permissions that make sense.”

Gogia said enterprises need to go further and change the underlying behavior entirely. “Never initiate authentication journeys from unsolicited inbound links,” he said. “Authentication should begin from controlled starting points, not from email triggers.” He added that reporting unexpected login journeys must be made frictionless, and that speed of reporting is more valuable than confidence in personal judgment.

The governance gap attackers exploit

Both analysts pointed to OAuth application governance as the deeper structural gap this campaign exploits. Grover of IDC said governance maturity remains uneven across enterprises. “Broad default consent settings and limited monitoring of redirect URIs remain common, particularly in environments where cloud and SaaS adoption have outpaced identity governance controls,” she said.

The scale of the problem is easy to underestimate, according to Gogia of Greyhound Research. “Every SaaS integration, automation workflow, and collaboration tool may require an application registration. Over time, tenants accumulate hundreds or thousands of registered apps. Redirect URIs are configured during setup and rarely revisited,” he said. “Telemetry exists. Interpretation does not.”

Microsoft said in the blog post that organizations should restrict user consent to third-party OAuth applications, audit app permissions regularly, and remove applications that are unused or over-privileged. The post also published 16 client IDs linked to the threat actors’ malicious applications and a list of initial redirection URLs as indicators of compromise. KQL hunting queries for Microsoft Defender XDR customers are included in the post to help identify related activity across email, identity, and endpoint signals.

The technique will remain effective for as long as enterprises leave these gaps unaddressed, Gogia warned. “It does not require breaking encryption,” he said. “It requires exploiting administrative complacency.”
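The three review points above (redirect URIs nobody revisits, over-privileged consent grants, and apps that are registered but unused) can be turned into a routine audit. The script below is an added example, not code from the article or from Microsoft's post; the inventory records and their field names are constructed for illustration and do not follow any identity provider's export schema, and the high-risk scope list is a starting point to tailor per tenant.

```python
from datetime import date
from urllib.parse import urlparse

# Constructed sample export of app registrations; field names are assumptions
# made for this example, not the schema of any particular identity provider.
SAMPLE_APPS = [
    {"app_id": "app-001", "name": "HR Sync",
     "redirect_uris": ["https://hr.example.internal/callback"],
     "scopes": ["User.Read"], "last_used": "2025-11-20", "admin_consent": False},
    {"app_id": "app-002", "name": "Legacy Reporting",
     "redirect_uris": ["http://reports.example.internal/cb",
                       "https://old-host.example.net/callback"],
     "scopes": ["Mail.Read", "offline_access"], "last_used": "2024-01-03",
     "admin_consent": True},
    {"app_id": "app-003", "name": "Ticket Bot",
     "redirect_uris": ["https://tickets.example.internal/oauth"],
     "scopes": ["Files.ReadWrite.All"], "last_used": "2025-12-01",
     "admin_consent": False},
]

# Example delegated scopes worth reviewing (Microsoft Graph names); extend per tenant.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "offline_access"}


def audit_apps(apps, allowed_hosts, today, stale_days=90):
    """Return {app_id: [finding, ...]} for every app that needs review."""
    findings = {}
    for app in apps:
        issues = []
        for uri in app["redirect_uris"]:
            parsed = urlparse(uri)
            if parsed.scheme != "https":           # tokens/codes sent in clear
                issues.append(f"non-https redirect: {uri}")
            if parsed.hostname not in allowed_hosts:  # host never re-approved
                issues.append(f"redirect host not approved: {parsed.hostname}")
        risky = sorted(set(app["scopes"]) & HIGH_RISK_SCOPES)
        if risky:  # tenant-wide admin consent widens the blast radius
            level = "tenant-wide" if app["admin_consent"] else "user"
            issues.append(f"high-risk scopes ({level} consent): {', '.join(risky)}")
        age = (today - date.fromisoformat(app["last_used"])).days
        if age > stale_days:  # candidate for removal
            issues.append(f"unused for {age} days")
        if issues:
            findings[app["app_id"]] = issues
    return findings


def run_sample():
    """Audit the constructed inventory against a constructed host allowlist."""
    allowed = {"hr.example.internal", "reports.example.internal", "tickets.example.internal"}
    return audit_apps(SAMPLE_APPS, allowed, date(2025, 12, 15))
```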

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4139872/oauth-phishers-make-check-where-the-link-points-advice-ineffective.html
