OAuth/OIDC consent & token abuse + QR-code AiTM (Railway PaaS + device code escalation)
Key Questions
What is the Railway PaaS attack involving OAuth abuse?
The campaign abusing the Railway PaaS uses AI QR codes and email lures for token theft; the stolen tokens bypass MFA for 90 days. It targets finance and insurance organizations. Huntress has blocked these attacks.
How does VENOM PhaaS exploit QR codes and AiTM?
VENOM PhaaS employs QR HTML lures with anti-bot features and AiTM techniques, including sandbox bypass and M365 device code bypass. This enables highly evasive spear-phishing.
What is the Microsoft Bookings DMARC/ARC bypass?
Attackers use Microsoft Bookings to bypass DMARC and ARC authentication, facilitating phishing into M365 environments. This exploits the trust placed in authenticated email headers.
How does Bubble.io factor into M365 phishing?
Attackers host M365 phishing pages on Bubble.io, using an AI Shadow DOM technique to improve evasion. Evilginx3 is also used for O365 AiTM attacks.
Why is there a shift to credentials and passkeys in identity attacks?
Identity attacks are shifting toward stolen credentials and passkeys, which reinforces the risk of high-risk finance delegation. According to security analyses, attackers now 'log in' rather than break in.
Summary: a campaign abusing the Railway PaaS uses AI QR codes and email lures for token theft (a 90-day MFA bypass) and hits finance and insurance organizations; VENOM PhaaS combines QR HTML lures, anti-bot checks, AiTM, sandbox bypass and M365 device code bypass; a new dynamic device code phishing technique evades limits by using serverless hosting (Vercel, Cloudflare, AWS), browser-in-the-browser (BITB) and an X-Antibot-Token; Microsoft Bookings is abused to bypass DMARC and ARC; Bubble.io hosts AI Shadow DOM M365 phishing pages; Evilginx3 is used for O365 AiTM; and the identity-attack shift to credentials and passkeys reinforces high-risk finance delegation.
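As a defender-side example added here (not part of the original digest), a small Python check over constructed Entra ID sign-in records that surfaces sign-ins completed through the device code flow, the flow the M365 device code phishing above relies on. The field names follow the Microsoft Graph signIn resource; the sample records and the expected egress set are assumptions.

```python
import json

# Constructed sample sign-in records. Field names follow the Microsoft Graph
# signIn resource (createdDateTime, userPrincipalName, ipAddress,
# appDisplayName, authenticationProtocol); the values are made up.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-05-01T09:02:11Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2024-05-01T09:05:40Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2024-05-01T09:06:02Z", "userPrincipalName": "ap-clerk@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode"},
])

# Egress addresses the organisation expects interactive sign-ins from (assumed).
KNOWN_EGRESS = {"203.0.113.10"}


def flag_device_code_signins(raw_json, known_egress=KNOWN_EGRESS):
    """Return one alert per sign-in that used the device code flow.

    Device code sign-ins are rare for ordinary users and are exactly what the
    phishing kits in the digest abuse, so every one is surfaced. A sign-in
    from an IP outside the expected egress set is rated high; one from a
    known egress address is still worth a look and is rated medium.
    """
    alerts = []
    for rec in json.loads(raw_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        severity = "high" if rec["ipAddress"] not in known_egress else "medium"
        alerts.append({
            "user": rec["userPrincipalName"],
            "app": rec["appDisplayName"],
            "ip": rec["ipAddress"],
            "when": rec["createdDateTime"],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{a['severity']}] {a['user']} via {a['app']} from {a['ip']} at {a['when']}")
```

Any alert here should trigger a check of the user's refresh tokens and a revocation if the sign-in was not expected, since the token lifetime is what gives the attacker the long-lived access described above.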