attack-path / energy & utilities / oauth-token-phish

OAuth token phishing

Engine-driven compliance rail for OAuth consent-phish → long-lived token replay against SaaS tenant on the Energy & Utilities protect-surface layout. Step controls cycle through the engine's Trust-Failure chain; each step shows the in-scope provisions the failure implicates and, where a regulatory clock applies, the obligation diamond.

resolved atEnergy & Utilities · OT cell (Purdue Model) · Remote user opens a SaaS application
step 01TF1speculativeATT&CK T1566.002
stage 1

Adversary delivers a phishing link prompting OAuth consent for an attacker-controlled application against the victim's SaaS tenant. (Phishing surface itself is not directly observed in AA24-057A; the advisory observes the downstream token-use phase.)

mitigating controls
ztna-gateway
in-scope provisions (6)
  • partialCIP-013-2 R1 — Supply chain cyber security risk management plannerc-cipdisc:highpendingEvidence
  • partialID.AM-01 — Asset Managementnist-csf-2-0disc:highpendingEvidence
  • partialID.AM-02 — Asset Managementnist-csf-2-0disc:highpendingEvidence
  • partialID.AM-03 — Asset Managementnist-csf-2-0disc:highpendingEvidence
  • partialID.AM-04 — Asset Managementnist-csf-2-0disc:highpendingEvidence
  • partialID.AM-05 — Asset Managementnist-csf-2-0disc:highpendingEvidence
obligation
no regulatory clock for this step
protect-surface storyline (DAAS cards)
  1. 01
    Initial Access
    email-svc
    A spear-phishing email bypasses email security filters using a typosquatted sender domain. The user receives what appears to be an internal HR notification.
  2. 02
    Execution
    google-workspace
    User clicks the embedded link in Gmail. OAuth consent screen prompts grant of "read mail" scope to a malicious third-party app posing as a benefits portal.
  3. 03
    Persistence
    laptops
    Drive-by download installs an info-stealer on the user’s laptop. EDR rules are evaded via process-hollowing of a legitimate browser binary.
  4. 04
    Lateral Movement
    crm
    Stolen session cookie is replayed against Salesforce. MFA is bypassed because the session token already proved possession. API exports begin.
  5. 05
    Exfiltration
    customer-pii
    Customer PII (names, emails, partial card data) is exfiltrated via Salesforce’s Data Loader API in 50k-row chunks to a C2 bucket. Game over.