Barracuda warns of surge in advanced OAuth phishing

Barracuda threat analysts have raised concerns over a new wave of email-based threats targeting organisations worldwide, with phishing gangs increasingly abusing Microsoft OAuth and a variety of online platforms to launch attacks.

OAuth, a standard that allows users to log into third-party applications such as Microsoft 365 without sharing passwords, has become a major focus for attackers. According to Barracuda, “advanced phishing-as-a-service (PhaaS) kits” are exploiting weaknesses in OAuth implementations to gain unauthorised and persistent access to accounts and sensitive data.

The company’s researchers explained that the abuse of OAuth enables attackers to “steal access tokens, impersonate users, use stolen or hijacked client credentials to silently access accounts and personal data, register malicious applications so they appear trustworthy, and take advantage of weak checks for the website addresses used during login or redirection.” Attackers may also exploit auto-login features to capture authorisation codes without the user’s knowledge.

Barracuda highlighted large-scale, automated, and streamlined attacks involving phishing kits such as Tycoon and EvilProxy. In one example, a Tycoon 2FA attack redirected users to a phishing site impersonating Microsoft to steal login credentials. Another attack involved EvilProxy, designed to bypass multifactor authentication and hijack sessions, using the ‘prompt=none’ request parameter to suppress login prompts and silently redirect already signed-in users.

“These malicious apps are carefully designed to mimic legitimate apps or services,” the analysts noted. Once consent is granted by an unsuspecting user, attackers can gain access without needing a password or multifactor authentication, relying instead on OAuth tokens.

To mitigate risks, Barracuda advised organisations to “only allow trusted redirect links, consider adding a secret code to each login request, avoid automatic account selection, check that login tokens are authentic and not expired, and keep logs to catch anything unusual.”
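The checks in that advice map onto a few lines of OAuth client code. The following is an added illustration, not Barracuda's or Microsoft's code: an exact-match redirect allowlist, a per-request state value (the “secret code”), an authorisation request that never uses prompt=none, a callback check whose reason string is meant for the log, and issuer/audience/expiry validation of token claims. The host names, issuer and client id are constructed placeholders, and the token's signature is assumed to have been verified already.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed example values: the only callback registered with the identity provider,
# the issuer we expect to see in tokens, and this application's client id.
ALLOWED_REDIRECTS = {"https://app.example.com/auth/callback"}
EXPECTED_ISS = "https://login.example-idp.test/v2.0"
CLIENT_ID = "00000000-0000-4000-8000-000000000001"

def redirect_allowed(uri):
    """Exact-match allowlist over https only: no prefix, wildcard or substring matching,
    so look-alike hosts and path tricks never pass."""
    return urlsplit(uri).scheme == "https" and uri in ALLOWED_REDIRECTS

def new_state():
    """Unguessable per-request value (the 'secret code'); keep it in the user's session."""
    return secrets.token_urlsafe(32)

def authorize_params(state, redirect_uri):
    """Parameters for the authorisation request. prompt=select_account forces an
    interactive account choice; prompt=none (silent auto-login) is never sent."""
    if not redirect_allowed(redirect_uri):
        raise ValueError("redirect_uri not in allowlist")
    return {"client_id": CLIENT_ID, "redirect_uri": redirect_uri,
            "response_type": "code", "scope": "openid profile",
            "state": state, "prompt": "select_account"}

def check_callback(session_state, query):
    """Validate the redirect back from the identity provider.
    Returns (ok, reason); the reason is what to write to the log on failure."""
    received = query.get("state")
    if received is None or not hmac.compare_digest(session_state.encode(),
                                                   received.encode()):
        return False, "state mismatch: possible CSRF or injected authorization code"
    if "code" not in query:
        return False, "no authorization code in callback"
    return True, "ok"

def token_is_usable(claims, now=None):
    """Accept token claims only if issuer, audience and expiry check out.
    Assumes the JWT signature was already verified against the provider's keys."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return (claims.get("iss") == EXPECTED_ISS
            and claims.get("aud") == CLIENT_ID
            and isinstance(exp, (int, float)) and exp > now)
```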

Beyond OAuth, Barracuda also reported attackers increasingly abusing serverless computing platforms, website creation services, and productivity tools to host phishing pages. The LogoKit phishing-as-a-service kit was seen exploiting a JavaScript serverless platform, hosting malicious content behind a legitimate domain. “Creating a phishing URL on the abused site is extremely simple,” Barracuda observed, with attackers able to deploy just a few lines of code to generate shareable malicious links.

EvilProxy was also detected using a popular website builder and a visual productivity tool to redirect victims. In one case, attackers embedded a phishing link inside a single image within an email, designed to resemble a document-sharing message.

The analysts additionally identified schemes exploiting trusted Google services. “Attackers are exploiting Google Translate’s URL structure by encoding malicious domains to appear as subdomains of ‘translate.goog’,” Barracuda said, allowing malicious links to bypass filters.

SendGrid customers have also been targeted. A phishing campaign used subject lines such as “API Errors Affecting Email Delivery” to trick developers into clicking malicious links. Compromised SendGrid accounts were then used to send more phishing emails, often bypassing security filters due to valid authentication records.

Meanwhile, Google Classroom and Meet were abused for scam campaigns involving fake reseller or money-making offers. Attackers created bogus classes or mass-invited users to Meet sessions that directed them to WhatsApp numbers, where fraudulent schemes were carried out.

Barracuda stressed that its Email Protection suite is designed to help organisations defend against such attacks. It includes features such as Email Gateway Defence, Impersonation Protection, Incident Response, Domain Fraud Protection, and Cloud-to-Cloud Backup. The company emphasised that its solution “combines artificial intelligence and deep integration with Microsoft 365 to guard against hyper-targeted phishing and impersonation attacks.”

As phishing threats evolve, Barracuda warned that attackers are increasingly sophisticated in exploiting both technical vulnerabilities and the trust users place in legitimate platforms. The company’s guidance is clear: vigilance, technical safeguards, and education remain essential to countering these threats.
