Threat Feed

Tag: OAuth

20 briefs
high advisory

Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service from a suspicious ASN, indicating potential OAuth phishing or adversary-in-the-middle device registration.

Microsoft Entra ID cloud identity azure entra_id sign-in_logs threat_detection initial_access persistence
high advisory

ClearFake, ACR Stealer, and GraphRunner Emerge as Significant Threats

The Red Canary Intelligence Insights report for May 2026 highlights the rise of ClearFake, ACR Stealer, and GraphRunner, with ClearFake using JavaScript injection to deliver malware like ACR Stealer, and GraphRunner being abused for reconnaissance and data exfiltration via the Microsoft Graph API.

Entra ID credential-theft malware oauth
medium advisory

Entra ID OAuth User Impersonation to Microsoft Graph

This rule detects potential session hijacking or token replay in Microsoft Entra ID by identifying cases where a user signs in and then accesses Microsoft Graph from a different IP address with the same session ID, a pattern consistent with a successful OAuth phishing attack, session hijacking, or token replay.

Entra ID cloud identity api azure oauth session hijacking
high advisory

Spring AI MCP Security Unvalidated URL Fetching (SSRF)

The mcp-security framework fails to implement the SSRF mitigations outlined in the Model Context Protocol, processing untrusted URLs for OAuth-related discovery and metadata without verification. Installations with Dynamic Client Registration (DCR) enabled are affected and exposed to potential Server-Side Request Forgery (SSRF) attacks; the issue is tracked as CVE-2026-45609.

mcp-client-security ssrf spring-ai oauth cve-2026-45609
high advisory

Tycoon2FA Phishing Kit Targets Microsoft 365 Accounts with Device-Code Phishing

The Tycoon2FA phishing kit now supports device-code phishing attacks against Microsoft 365 accounts. It abuses Trustifi click-tracking URLs and redirects victims through Cloudflare Workers to a fake Microsoft CAPTCHA page that tricks them into entering a device code, granting attackers OAuth tokens and access to the victims' Microsoft 365 accounts.

Microsoft 365 phishing device-code phishing oauth tycoon2fa
high advisory

Open WebUI Stored XSS Vulnerability via OAuth Profile Picture

Open WebUI is vulnerable to stored cross-site scripting (XSS) via OAuth profile picture handling, allowing an attacker to inject malicious SVG code and potentially take over user accounts by exfiltrating JWT tokens.

open-webui xss stored-xss oauth
high advisory

n8n Cross-User Authorization Bypass in Dynamic Credential OAuth Endpoints (CVE-2026-45732)

CVE-2026-45732 describes a high-severity authorization bypass vulnerability in n8n's OAuth1 and OAuth2 credential reconnect endpoints, where insufficient permission checks allow a user with read-only access to overwrite OAuth tokens, potentially leading to data exfiltration and persistent takeover of shared integrations.

n8n authorization-bypass oauth credential-theft
high threat

Device Code Phishing Exploiting OAuth 2.0 Device Authorization Grant Flow

Threat actors are increasingly using device code phishing, often via Phishing-as-a-Service platforms, to compromise user accounts by abusing the OAuth 2.0 device authorization grant flow and capturing authentication tokens, enabling account takeover, data theft, and business email compromise.

Microsoft 365 TA4903 device-code-phishing phishing credential-theft oAuth
high advisory

CVE-2026-5371: MonsterInsights WordPress Plugin Unauthorized Access Vulnerability

The MonsterInsights WordPress plugin through 10.1.2 is vulnerable to unauthorized access and data modification, allowing authenticated attackers with subscriber-level access to retrieve Google OAuth tokens and reset Google Ads integration due to missing capability checks on `get_ads_access_token()` and `reset_experience()` functions.

MonsterInsights – Google Analytics Dashboard for WordPress wordpress plugin analytics oauth googleads CVE-2026-5371
critical advisory

Claude Code OAuth Token Theft via MCP Hijacking

By modifying the ~/.claude.json file, attackers can silently redirect Claude Code MCP traffic through a man-in-the-middle position and intercept OAuth tokens, enabling persistent access to connected SaaS platforms.

Claude Code oauth man-in-the-middle credential access
high threat

phpMyFAQ SQL Injection via Unescaped OAuth Token

phpMyFAQ is vulnerable to SQL injection due to the `setTokenData` function failing to sanitize OAuth token fields from Azure AD JWT claims, potentially allowing attackers to execute arbitrary SQL commands via crafted Azure AD display names or custom claims.

phpMyFAQ <= 4.1.1 sql-injection oauth phpmyfaq
high advisory

n8n MCP OAuth Client XSS Vulnerability

n8n is vulnerable to cross-site scripting (XSS) via a malicious MCP OAuth client, allowing an unauthenticated attacker to inject arbitrary JavaScript into an authenticated user's session.

n8n xss oauth CVE-2026-42235
high advisory

Large-Scale OAuth Device Code Phishing Campaign Observed in April 2026

In early April 2026, Arctic Wolf tracked a large-scale device code phishing campaign across multiple regions and sectors where threat actors abused OAuth device code flow to trick victims into providing authentication codes.

Azure Active Directory oauth device-code phishing initial-access
high advisory

Better Auth OAuth Provider Authorization Bypass Vulnerability

An authorization bypass vulnerability exists in Better Auth's OAuth provider, allowing low-privilege users to create OAuth clients despite configured clientPrivileges, potentially leading to unauthorized client registration and increased phishing risks.

oauth authorization bypass privilege-escalation defense-evasion
medium advisory

Entra ID ADRS Token Request by Microsoft Authentication Broker

Detects suspicious OAuth 2.0 token requests where the Microsoft Authentication Broker requests access to the Device Registration Service on behalf of a user principal, potentially indicating an attempt to abuse device registration for unauthorized persistence.

azure entra_id persistence oauth
high advisory

Device Code Phishing Campaign Targeting Cloud Platforms

A phishing campaign abuses Microsoft's Device Code OAuth flow to gain access to cloud-based file storage and document workflow platforms, bypassing traditional credential harvesting.

credential-access initial-access phishing oauth
medium advisory

Ech0 OAuth Redirect URI Validation Bypass Vulnerability

Ech0's OAuth redirect URI validation ignores the path component, allowing attackers to craft malicious redirect URIs for exchange-code theft and potential account takeover.

github.com/lin-snow/Ech0 oauth redirect_bypass account_takeover web_application
critical advisory

Patreon OAuth Provider ID Collision Vulnerability in go-pkgz/auth

The Patreon OAuth provider in go-pkgz/auth and go-pkgz/auth/v2 maps every authenticated Patreon account to the same local user ID, leading to cross-account access, privilege confusion, and subscription-state leakage.

auth authentication oauth id_collision vulnerability
medium advisory

Microsoft 365 Risk-Based Step-Up Consent Disabled

The Microsoft 365 'risk-based step-up consent' security setting is disabled by an adversary to allow users to grant consent to malicious applications, potentially leading to unauthorized access and data breaches.

Splunk Enterprise azuread o365 oauth risk-based consent defense-evasion
medium advisory

Azure AD Risk-Based Consent Disabled

This analytic monitors Azure Active Directory logs for the 'Update authorization policy' operation and changes to the 'AllowUserConsentForRiskyApps' setting in order to detect when the risk-based step-up consent security setting in Azure AD is disabled, a change that can expose organizations to OAuth phishing attacks.

Azure Active Directory azure oauth consent phishing