Weekly Security Roundup: OAuth abuse, MFA bypass, and supply chain
Security this week covers both new threats and updated controls, with research on attacks using authentication weaknesses, vulnerability management, software supply chain changes, and the dual role of AI in state-of-the-art threats and defense.
Microsoft Account and Authentication Attack Analysis
The latest research details real-world attacks using OAuth application redirection in Entra ID for phishing or malware delivery. Attackers exploit OAuth parameters to redirect users to malicious URLs. Practical steps for defenders include tightening app permissions, monitoring authentication flows, and enforcing stronger access policies. There is also analysis of malware signed with stolen EV certificates, which is then used to install RMM tools as persistent footholds. Recommendations are provided for auditing, whitelisting, deploying AppLocker, and reviewing RMM credentials.
- OAuth Redirection Abuse Tactics: Phishing and Malware Delivery Exposed
- Signed Malware Impersonating Workplace Apps Deploys RMM Backdoors
Global Disruption of Advanced Phishing Kits and MFA Bypass Platforms
A partnership between Microsoft, Europol, and global agencies dismantled the Tycoon 2FA phishing kit infrastructure, which previously enabled large-scale identity impersonation. Tactics included relay, session hijacking, AI-based phishing, and rapid domain switching. The articles offer mitigation steps, including MFA reviews, mailbox rule checks, token revocation, Defender tools, and post-attack clean-up.
- How a Global Coalition Disrupted Tycoon 2FA: A Major Impersonation Platform
- Inside Tycoon2FA: How a Leading AiTM Phishing Kit Operated at Scale
AI-Enabled Security Threats, Detection, and Response
Microsoft Threat Intelligence describes how attackers are adopting AI for scanning vulnerabilities, developing malware, social engineering, and building infrastructure. LLMs are now sometimes used for reconnaissance, with North Korean groups highlighted. Defender recommendations include enabling AI-focused dashboards, prompt filter controls, and Defender Copilot products. The section also warns of AI browser extensions that steal chat data, with guidance on detection, extension auditing, and Defender management.
- AI as Tradecraft: Threat Actors Operationalize AI in Cyberattacks
- Malicious AI Browser Extensions Expose LLM Chat Histories: Microsoft Defender Analysis
Secure Software Supply Chain and User Controls
Dependabot now allows security alert assignment for better accountability. Bulk assignment and additional webhook/API support enable more structured response. Draft advisories can be locked for authorized edit only, improving audit trail and compliance support.
- Dependabot Alert Assignees Now Available for GitHub Advanced Security
- Improved Control Over Draft Repository Security Advisories on GitHub
Automation and AI-Driven Vulnerability Discovery
The GitHub Security Lab Taskflow Agent enables automated vulnerability scanning using YAML-based taskflows and LLMs. Documentation covers review of logic, control, and privilege tasks in your pipeline. User taskflows, integration with Codespaces, and Copilot support help teams act on findings more efficiently.
Secure Binary Signing with Azure Trusted Signing and dotnet sign
Rick Strahl details workflow improvements for code signing using Azure Trusted Signing and dotnet sign. Changes include simpler authentication, faster processes, and support for CI/CD scripts, covering details about configuration, integration, and security best practices. The overview addresses protecting certificates and ensuring responsible automated signoff.
Other Security News
GitHub Octoverse analysis highlights how automation tools like Copilot Autofix and Dependabot speed up vulnerability patching and support a “shift left” approach. Features discussed include merge queues and new access control checks supported by insights, reinforcing the balance between AI-driven automation and human oversight.