OAuth token phishing
Engine-driven compliance rail for OAuth consent-phish → long-lived token replay against SaaS tenant on the Energy & Utilities protect-surface layout. Step controls cycle through the engine's Trust-Failure chain; each step shows the in-scope provisions the failure implicates and, where a regulatory clock applies, the obligation diamond.
step 01 / 06
step 01TF1speculativeATT&CK T1566.002
stage 1
Adversary delivers a phishing link prompting OAuth consent for an attacker-controlled application against the victim's SaaS tenant. (Phishing surface itself is not directly observed in AA24-057A; the advisory observes the downstream token-use phase.)
mitigating controls
ztna-gateway
in-scope provisions (6)
- partialCIP-013-2 R1 — Supply chain cyber security risk management plan
- partialID.AM-01 — Asset Management
- partialID.AM-02 — Asset Management
- partialID.AM-03 — Asset Management
- partialID.AM-04 — Asset Management
- partialID.AM-05 — Asset Management
obligation
no regulatory clock for this step
- 01Initial Accessemail-svcA spear-phishing email bypasses email security filters using a typosquatted sender domain. The user receives what appears to be an internal HR notification.
- 02Executiongoogle-workspaceUser clicks the embedded link in Gmail. OAuth consent screen prompts grant of "read mail" scope to a malicious third-party app posing as a benefits portal.
- 03PersistencelaptopsDrive-by download installs an info-stealer on the user’s laptop. EDR rules are evaded via process-hollowing of a legitimate browser binary.
- 04Lateral MovementcrmStolen session cookie is replayed against Salesforce. MFA is bypassed because the session token already proved possession. API exports begin.
- 05Exfiltrationcustomer-piiCustomer PII (names, emails, partial card data) is exfiltrated via Salesforce’s Data Loader API in 50k-row chunks to a C2 bucket. Game over.