
New Phishing and OAuth Exploits Threaten Microsoft 365 Security, Experts Warn

2026/02/08 13:34

Phishing attacks are constantly evolving, exploiting OAuth flaws to bypass Microsoft 365 defenses and gain persistent account access. Learn about the latest threats and how to protect yourself.

In a concerning development for digital security, a new wave of sophisticated attacks is targeting Microsoft 365 accounts by cleverly combining phishing tactics with vulnerabilities in OAuth authentication tokens. Cybersecurity researchers are sounding the alarm, highlighting how attackers are chaining seemingly minor web flaws with advanced social engineering to bypass traditional security measures and gain persistent access to sensitive cloud services.

The Evolving Phishing Landscape

Email continues to be a primary vector for cyberattacks, but with enhanced filters and authentication protocols like SPF and DMARC, traditional phishing methods are becoming less effective. Attackers have adapted by exploiting legitimate business logic and web application features. Researchers have identified methods where attackers manipulate input fields in public-facing API endpoints. This allows them to trick an organization's own infrastructure into sending malicious emails that, because they originate from authorized servers, bypass security checks and land directly in the victim's inbox. This technique cleverly leverages the inherent trust in an organization's domain.

OAuth Token Abuse: A New Frontier

A significant part of this new threat lies in the abuse of OAuth 2.0 tokens. These tokens function as trusted credentials, allowing services to access user accounts without requiring passwords, often seen in features like "Continue with Microsoft." However, attackers are tricking users into granting these access tokens to attacker-controlled applications through malicious phishing emails. Once an attacker possesses a valid OAuth token, they can access sensitive data such as emails, files, and calendars. Crucially, traditional security measures like changing passwords or enabling multi-factor authentication (MFA) do not automatically revoke these tokens, allowing attackers to maintain access until the token is manually revoked or expires. This can lead to full account takeovers and lateral movement within corporate networks.

Weaponizing Device Codes and API Flaws

Recent campaigns have specifically highlighted the weaponization of OAuth device code flows, a feature designed for devices with limited input capabilities. Attackers send phishing messages with URLs or QR codes that initiate an OAuth grant on a legitimate login page. When victims enter the displayed code, believing it to be safe, attackers receive the OAuth access token tied to their account. Furthermore, a specific attack chain involves pairing this email flaw with improper error handling in cloud environments. When applications display verbose errors for debugging, malformed requests can inadvertently leak sensitive authentication tokens, like JSON Web Tokens (JWTs) used for Microsoft Graph API communication, alongside stack traces. These tokens grant immediate, authenticated access without triggering login alerts.
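From the defender's side, the two behaviours described above (device-code sign-ins and consent to an unfamiliar app followed by use of its token) are visible in identity-provider logs. The script below is an added example, not code from the article or the researchers it cites: it triages constructed records shaped like Entra ID sign-in and audit entries. The field names (authenticationProtocol, activityDisplayName, appDisplayName, scopes) and the 24-hour window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names are assumed
# to mirror Entra ID sign-in and audit log properties for illustration only.
SIGNINS = [
    {"user": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "createdDateTime": "2026-02-08T09:12:00Z"},
    {"user": "bob@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.4",
     "createdDateTime": "2026-02-08T09:15:00Z"},
    {"user": "carol@example.com", "appDisplayName": "Mail Sync Helper",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.9",
     "createdDateTime": "2026-02-08T10:02:00Z"},
]
AUDIT = [
    {"activityDisplayName": "Consent to application", "user": "carol@example.com",
     "appDisplayName": "Mail Sync Helper",
     "scopes": "Mail.Read Files.Read offline_access",
     "activityDateTime": "2026-02-08T10:00:00Z"},
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z (works on Python < 3.11)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(signins, audits, window=timedelta(hours=24)):
    """Return alerts for (a) any device-code sign-in, the flow the article says
    is being phished, and (b) a sign-in to an app the same user consented to
    within `window` beforehand, where the consent included offline_access
    (a refresh token, so access outlives the initial sign-in)."""
    alerts = []
    consents = {(a["user"], a["appDisplayName"]): a for a in audits
                if a["activityDisplayName"] == "Consent to application"}
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode":
            alerts.append(("device_code_signin", s["user"], s["appDisplayName"]))
        c = consents.get((s["user"], s["appDisplayName"]))
        if c and "offline_access" in c["scopes"].split():
            delta = _ts(s["createdDateTime"]) - _ts(c["activityDateTime"])
            if timedelta(0) <= delta <= window:
                alerts.append(("new_consent_with_refresh_token",
                               s["user"], s["appDisplayName"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SIGNINS, AUDIT):
        print(*alert)
```

Each alert is a starting point for review of the consented app and, where warranted, revocation of its tokens, since the article notes that a password change alone does not invalidate them.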

Defending Against the Threat

To combat these evolving threats, cybersecurity experts recommend several key strategies. Organizations must enforce strict input validation on all public APIs to ensure they only accept the minimum necessary parameters. Production environments should be configured to return generic error messages, suppressing detailed debug information that could leak credentials. While standard OAuth 2.0 is a backbone for API security, its limitations in scenarios requiring person-to-person delegation are becoming apparent. Solutions like User-Managed Access (UMA) 2.0, which adds a centralized policy layer to OAuth, are gaining traction for enabling more granular and secure sharing. Ultimately, staying vigilant, educating users about phishing risks, and implementing robust API security and error handling practices are paramount in safeguarding Microsoft 365 accounts and other cloud services.
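The first two recommendations (allow-list the parameters a public API accepts, and return generic errors in production) can be shown side by side. The following is an added Python example, not code from the article: a constructed "send invitation" endpoint whose allow-list rejects any extra field an attacker might use to turn the organisation's own mailer against its users, with the leaky debug-style error handler next to its hardened replacement. The field names and the endpoint itself are assumptions.

```python
import logging
import traceback
import uuid

# Constructed example: the endpoint accepts exactly two parameters. Extra
# fields (an attacker-supplied message body, reply address, etc.) are rejected
# rather than forwarded to the organisation's own mail-sending backend.
ALLOWED_FIELDS = {"invitee_email", "event_id"}
logger = logging.getLogger("api")


def validate_request(body: dict) -> dict:
    """Allow-list validation: accept the minimum necessary parameters only."""
    unknown = set(body) - ALLOWED_FIELDS
    missing = ALLOWED_FIELDS - set(body)
    if unknown or missing:
        raise ValueError(f"unexpected={sorted(unknown)} missing={sorted(missing)}")
    email = body["invitee_email"]
    if not isinstance(email, str) or email.count("@") != 1:
        raise ValueError("invitee_email malformed")
    return {k: body[k] for k in sorted(ALLOWED_FIELDS)}


def verbose_error(exc: Exception, headers: dict) -> dict:
    """The weak pattern the article warns about: a debug-style response that
    echoes request headers (bearer token included) and the stack trace."""
    return {"status": 500, "error": repr(exc), "headers": headers,
            "trace": traceback.format_exc()}


def generic_error(exc: Exception, headers: dict) -> dict:
    """Hardened pattern: the client gets a generic message and a correlation
    id; details go to server logs with the Authorization header redacted."""
    cid = uuid.uuid4().hex
    safe_headers = {k: "[REDACTED]" if k.lower() == "authorization" else v
                    for k, v in headers.items()}
    logger.error("cid=%s exc=%r headers=%s", cid, exc, safe_headers, exc_info=True)
    status = 400 if isinstance(exc, ValueError) else 500
    return {"status": status, "error": "request could not be processed",
            "correlation_id": cid}


def handle(body: dict, headers: dict, hardened: bool = True) -> dict:
    """Process one request; hardened=False reproduces the leaky behaviour."""
    try:
        return {"status": 202, "accepted": validate_request(body)}
    except Exception as exc:
        return generic_error(exc, headers) if hardened else verbose_error(exc, headers)
```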

So, while the digital world keeps throwing new curveballs, a little awareness and some solid security hygiene can go a long way. Stay safe out there, and maybe think twice before clicking that link!

Original source: the420
