by paranoidrobot
2017 days ago
> The attack that was simulated in my case utilized convincing social engineering, spear phishing, domain spoofing, and malicious OAuth apps meant to look like an internal resource/service to gain access to sensitive material.

This sounds like a post I saw on Reddit a few days ago. This person's IT organisation had been talking about migrating to Github Enterprise; they got an email from an internal IT mailbox saying that it had been rolled out, pointing to an OAuth application that had been pre-approved on their Github Organisation. For that particular scenario, if the org-admins have approved the OAuth application and are able to send mail from within the organisation, then it's probably game over anyway, since to approve the application they probably needed Admin rights anyway.
In my case the email came through due to a “bad” DMARC configuration so they were able to spoof our domain from an external server and the OAuth app in question had our company’s name on it.
And on a personal front, I was busy that morning and didn’t pay enough attention to the permissions being requested by the app before I clicked “allow”. So it was a failure of both systems and people controls.
My new rule is that if I get an email asking me to do any sort of action, automated or not, I’m going to sit on it for 1-24 hours before doing anything about it. If it’s actually urgent then someone will get ahold of me through some other method than email.
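The "bad" DMARC configuration mentioned above is the kind of thing that can be checked mechanically. The following is an added example, not code from anyone in this thread: a small Python checker that parses a DMARC TXT record and reports the settings that would still let an external server deliver mail spoofing the domain. The two sample records are constructed for the example and do not belong to any real domain; in practice the record would come from a DNS TXT lookup of `_dmarc.<domain>`.

```python
"""Evaluate DMARC policy records for settings that leave the domain spoofable.

Added example for illustration; parses a DMARC TXT record string offline.
"""

# Constructed sample records (example.test is not a real domain).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRICT_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test"
)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings explaining why spoofed mail could still be accepted.

    An empty list means the record enforces reject on the domain and its
    subdomains for 100% of messages and collects aggregate reports.
    """
    tags = parse_dmarc(record)
    findings = []

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is filtered, not rejected")

    # pct defaults to 100; anything lower samples the policy onto a fraction of mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")

    # sp defaults to the value of p; a weaker sp leaves subdomains open.
    sub_policy = tags.get("sp", policy).lower()
    if policy == "reject" and sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains not covered by reject policy")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")

    return findings


def is_spoofable(record: str) -> bool:
    """True if a receiver honouring this record would deliver spoofed mail."""
    policy = parse_dmarc(record).get("p", "").lower()
    return policy not in ("quarantine", "reject")


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        print(f"{name}: spoofable={is_spoofable(rec)}")
        for finding in assess_dmarc(rec):
            print("  -", finding)
```

Running the block prints the weak record as spoofable with a `p=none` finding and the strict record as clean. Note that `p=reject` only helps if the receiving mail system actually enforces DMARC; the check above describes what the record asks for, not what every receiver does.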