Over the last month, Barracuda threat analysts have identified several notable email-based threats targeting organizations around the world. The threats include:
- Tycoon and EvilProxy phishing kits exploiting Microsoft OAuth for access and to redirect URLs to malicious pages
- Attackers abusing a wider range of online platforms to create and host phishing pages, including cloud-based serverless environments, website creation sites and visual productivity tools
- In brief: The abuse of Google Translate, scammers targeting DirectSend, Google Classroom and Meet
Phishing gangs abuse Microsoft OAuth for stealthy access
Threat summary
OAuth is a widely adopted standard that allows users to log into third-party applications such as Microsoft 365 without sharing their passwords. This convenience has also opened a new attack surface. Security researchers across the industry, including at Barracuda, are seeing advanced phishing-as-a-service (PhaaS) kits targeting weaknesses in OAuth implementations to gain unauthorized and persistent access to accounts and data.
The abuse of OAuth can allow attackers to:
- Steal access tokens
- Impersonate users
- Use stolen or hijacked client credentials to silently access accounts and personal data
- Register malicious applications so they appear trustworthy to trick users into granting access and control permissions
- Take advantage of weak checks for the website addresses used during login or redirection
- Abuse auto-login features to steal authorization codes without the user’s knowledge
- Request and abuse the .default scope, which grants broad, preconfigured API permissions, allowing attackers who’ve managed to obtain access tokens to escalate their privileges and access sensitive resources
The OAuth attacks seen by Barracuda’s threat analysts are large-scale, automated and streamlined PhaaS attacks based on social engineering.

To implement the attack, the attackers amend the Microsoft OAuth URL.
The original, legitimate Microsoft OAuth URL looks like this:

The various elements can be broken down as follows:
- client_id: This code identifies the application registered on Microsoft.
- response_type: This tells the OAuth server to return an authorization code, which starts the secure authorization code flow that is used to obtain access tokens.
- redirect_uri: This is a trusted redirect URI.
- scope: This means the system is asking for basic information — who you are, your profile info and email address.
- state: This is a value the application generates at the start of the request and verifies when the browser returns, so it knows the response belongs to a request it started and not to one an attacker crafted to trick the system into changing settings or sending a message in your name without your permission or knowledge.
- prompt: The phrase ‘select_account’ forces the choice of an account before authorizing sign-in to make sure it is really you and not an attacker trying to sneak in.
Malicious OAuth URLs look a little different
The first example below comes from a Tycoon 2FA attack where the user is redirected to a phishing site impersonating Microsoft that is designed to steal login credentials. All the links redirect to attacker-controlled elements.


In the EvilProxy link, the phrase ‘prompt=none’ is used. This suppresses the login prompt, which means that if the user is already signed in, they will be redirected silently without any interaction.
If it turns out that the user is not signed in or consent is required, the server returns an error instead of prompting the user. This allows applications — or attackers — to refresh tokens or check session status without interrupting the user.
These attacks typically need attackers to register malicious applications within their Entra ID (Azure AD) tenant. These malicious apps are carefully designed to mimic legitimate apps or services.
They abuse Microsoft’s OAuth flow to request automatic user consent for very broad permissions (or scopes), such as access to emails, files, calendars, Teams chats or management APIs.
Once a user unknowingly grants consent, the attacker can gain access to the user’s account without needing their password or multifactor authentication, as access is granted via OAuth tokens.
In a more severe scenario, the attacker may bypass the OAuth flow entirely and instead redirect the user to a spoofed login page that closely mimics Microsoft’s official sign-in screen. If the user unknowingly enters their credentials, the attacker captures them, potentially gaining full access to the account.
Action to take to keep OAuth environments secure
- Only allow trusted redirect links to ensure users are sent to safe, known websites after login.
- Consider adding a secret code to each login request to ensure it has come from a legitimate user.
- Don’t let the system automatically select an account — ask users to choose their account.
- Check that login tokens are authentic, not expired and meant for your app — and use tokens that expire quickly so they can’t be reused if stolen.
- Don’t request access to more data than necessary, such as contacts or files.
- Teach developers and users how to spot risks and use OAuth correctly.
- Keep logs to catch anything unusual, like logins from odd places.
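The parameter breakdown, the prompt=none variant and the hardening list above can be turned into a defender-side review of authorize URLs seen in mail or proxy logs. This is an added example, not code from the original post or from Barracuda; the client ID, redirect allowlist and sample URLs are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Constructed values for a hypothetical tenant: its own app registration,
# the redirect URIs registered for it, and the only authorize host it trusts.
KNOWN_CLIENT_IDS = {"00000000-0000-0000-0000-000000000001"}
ALLOWED_REDIRECTS = {"https://app.example.com/auth/callback"}
AUTHORIZE_HOSTS = {"login.microsoftonline.com"}


def review_authorize_url(url):
    """Return a list of findings for an OAuth authorize URL; empty means clean."""
    parsed = urlparse(url)
    # parse_qs percent-decodes values; keep the first value of each parameter
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []
    if parsed.hostname not in AUTHORIZE_HOSTS:
        findings.append(f"authorize host is not Microsoft: {parsed.hostname}")
    if q.get("client_id") not in KNOWN_CLIENT_IDS:
        findings.append("client_id is not one of our registered applications")
    if q.get("response_type") != "code":
        findings.append("response_type is not the authorization-code flow")
    if q.get("redirect_uri") not in ALLOWED_REDIRECTS:
        findings.append(f"redirect_uri not on allowlist: {q.get('redirect_uri')}")
    if not q.get("state"):
        findings.append("state is missing, so the callback cannot be tied to this request")
    if q.get("prompt") == "none":
        findings.append("prompt=none: silent redirect with no user interaction")
    if any(s.endswith("/.default") for s in q.get("scope", "").split()):
        findings.append("scope requests .default (all preconfigured API permissions)")
    return findings


# Constructed sample URLs (not taken from a real campaign).
LEGIT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth%2Fcallback"
    "&scope=openid%20profile%20email&state=c8f1e2&prompt=select_account"
)
SUSPECT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=ffffffff-ffff-ffff-ffff-ffffffffffff&response_type=code"
    "&redirect_uri=https%3A%2F%2Flogin.phish.invalid%2Fcb"
    "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&prompt=none"
)

if __name__ == "__main__":
    for name, url in (("legit", LEGIT_URL), ("suspect", SUSPECT_URL)):
        print(name, review_authorize_url(url) or ["no findings"])
```

Microsoft's own server also enforces redirect_uri against the app registration; the check here is for spotting authorize links built for an attacker-registered app before a user clicks them.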
Scammers abusing serverless computing platforms, website creation and productivity tools to host phishing
Threat Snapshot
We’ve previously reported on how attackers abuse trusted cloud collaboration, document management and online form platforms, taking advantage of their accessibility and reputations to help phishing campaigns bypass security filters and gain user trust.
We are now also seeing attackers abuse code hosting and serverless computing platforms, website development and online productivity tools to create and distribute phishing sites and malicious content.
The abuse of a JavaScript serverless computing platform by LogoKit
Serverless computing platforms are designed to help application developers build and run new apps without having to invest in infrastructure. They offer accessibility, ease of deployment and scalability — features that are also being leveraged by phishing gangs as they hide behind a legitimate domain.
Barracuda’s threat analysts have recently seen the LogoKit PhaaS exploit a serverless platform designed to run small JavaScript or TypeScript snippets in the cloud.
The platform allows the use of public URLs and immediate deployment from a code snippet, which further simplifies the process for attackers.
The attacks seen by Barracuda begin with a crafted email that impersonates Roundcube Webmail, claiming that the recipient’s password is about to expire. If the recipient clicks the “Keep my password” button, it redirects them to a phishing site. The malicious content is hosted on the serverless platform.

LogoKit tailors the attack by dynamically customizing itself based on the victim’s email domain.
Creating a phishing URL on the abused site is extremely simple — attackers can deploy just a few lines of JavaScript or TypeScript to instantly generate a live, shareable URL as shown below, with minimal setup.

The abuse of website creation and productivity tools by EvilProxy
Barracuda threat analysts recently detected the EvilProxy phishing kit exploiting both a popular website creation tool and a visual productivity tool.
In the first instance, the attackers send a phishing email that asks the victim to click on the button to open the document. In fact, the entire email is a single image that is embedded with the link that takes the victim to the website-building site.
In the second example, the attackers send targets an email with what looks like a OneDrive document, but the link embedded in the email actually goes to the productivity tool application.
In Brief
Google Translate as a trapdoor
Attackers are exploiting Google Translate's URL structure by encoding malicious domains to appear as subdomains of “translate.goog”.
This is done by replacing the dots in the original domain with hyphens, a tactic that makes the URL look like a legitimate Google subdomain. To unsuspecting users, the link appears safe because it seems to be hosted under Google’s infrastructure.
The links often bypass email and web security filters since “.goog” domains are typically trusted by default, increasing the success rate of phishing campaigns.
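As an added illustration (not from the original post), a small Python helper that recovers the host hidden behind a translate.goog wrapper so a mail or web filter can evaluate the original domain instead of trusting the .goog suffix. The single-hyphen-for-dot rule is the one the text describes; treating a double hyphen as a literal hyphen is an assumption the page does not state, and the sample links are constructed.

```python
from urllib.parse import urlparse

TRANSLATE_SUFFIX = ".translate.goog"


def unwrap_translate_goog(url):
    """Return the original host hidden behind a translate.goog wrapper, else None.

    A single hyphen stands for a dot in the original host (as the text describes).
    Assumption not stated on the page: a double hyphen stands for a literal hyphen.
    """
    host = (urlparse(url).hostname or "").lower()
    if not host.endswith(TRANSLATE_SUFFIX):
        return None
    encoded = host[: -len(TRANSLATE_SUFFIX)]
    # Split on the escaped-hyphen token first so it is not turned into a dot.
    return "-".join(part.replace("-", ".") for part in encoded.split("--"))


def effective_host(url):
    """Host a filter should actually evaluate: the unwrapped one when present."""
    unwrapped = unwrap_translate_goog(url)
    if unwrapped is not None:
        return unwrapped
    return (urlparse(url).hostname or "").lower()


# Constructed sample links (not from a real campaign).
SAMPLES = [
    "https://login-example-com.translate.goog/signin?_x_tr_sl=auto",
    "https://my--site-net.translate.goog/",
    "https://www.example.com/docs",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", effective_host(link))
```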
Scammers target SendGrid users
A sophisticated phishing campaign is actively targeting Twilio SendGrid customers by using technical subject lines like “API Errors Affecting Email Delivery” and “Webhook Endpoint Not Responding” to trick developers and IT teams into clicking malicious links.
The attack mimics legitimate system alerts and becomes self-replicating — once a user’s credentials are stolen, the compromised SendGrid account is used to send more phishing emails from a trusted source. Because these accounts have valid email authentication (SPF and DKIM) records, the phishing emails often bypass security filters, making them appear authentic. The goal is to steal more credentials through fake login pages, creating a cycle of ongoing compromise within the SendGrid ecosystem.
Google Classroom and Meet a target for spammers and scammers
Attackers are exploiting trusted Google services like Classroom and Meet to launch large-scale spam and scam campaigns, primarily targeting users with fake “reseller” or money-making offers involving the sale of products or services.
These scams typically involve creating fake Google Classroom classes or sending mass Meet invites — often titled with random characters but framed to promote attractive marketing or income opportunities. The descriptions or invites include a WhatsApp number, prompting users to reach out.
At this point the actual scam unfolds into fraud or deceptive marketing schemes. By leveraging the credibility of Google’s platforms and shifting communication to WhatsApp, attackers effectively bypass traditional security filters and lure victims into cross-platform fraud.
How Barracuda Email Protection can help your organization
Barracuda Email Protection offers a comprehensive suite of features designed to defend against advanced email threats.
It includes capabilities such as Email Gateway Defense, which protects against phishing and malware, and Impersonation Protection, which safeguards against social engineering attacks.
Additionally, it provides Incident Response and Domain Fraud Protection to mitigate risks associated with compromised accounts and fraudulent domains. The service also includes Cloud-to-Cloud Backup and Security Awareness Training to enhance overall email security posture.
Barracuda combines artificial intelligence and deep integration with Microsoft 365 to provide a comprehensive cloud-based solution that guards against potentially devastating, hyper-targeted phishing and impersonation attacks.
Further information is available here.