A mid-sized business in Delaware Valley, PA recently experienced a security breach when an employee unknowingly approved a malicious enterprise application. This granted hackers access to the employee’s email account, allowing them to send over 1,000 phishing emails impersonating the company.
The Challenge: A Sophisticated Cyberattack
The phishing emails contained a fraudulent RSVP link leading to a fake event page designed to steal login credentials. Because the link appeared to be hosted on a trusted platform, recipients were more likely to interact with it—putting their own accounts at risk.
This attack posed three major risks:
- Reputation Damage – The company’s name was used in fraudulent emails, potentially harming relationships with clients and employees.
- Operational Disruption – The affected employee lost access to their account, requiring immediate IT intervention.
- Security Concerns – If recipients clicked the link and entered their credentials, they could have exposed their accounts to hackers, escalating the breach further.
Would Your Employees Recognize This Sophisticated Phishing Attack? Learn more about how Phishing Simulations can prevent costly mistakes.
How KPI Responded
Tim Mazur, KPI’s cybersecurity expert, described the team’s concern as twofold:
- How far had the attack spread? KPI had to quickly determine if this was an isolated incident or if multiple accounts had been compromised.
- Could there be long-term consequences? If customers or employees had clicked the link and entered their credentials, their accounts could also be at risk, leading to an even bigger security breach.
KPI took immediate action to contain and eliminate the threat:
- Identified and removed the malicious app that granted the hackers access.
- Secured the employee’s login by resetting their password and revoking unauthorized access.
- Shut down the phishing page – KPI worked with RSVPify to report and successfully take down the fraudulent event page.
- Updated security settings – KPI implemented policies in Microsoft Entra ID to prevent employees from approving unverified applications in the future.
How the Attack Happened: The Role of OAuth
This attack did not rely on the usual phishing techniques that steal passwords. Instead, it exploited OAuth phishing, a sophisticated method where an attacker tricks a user into granting access to a malicious third-party application.
OAuth is a legitimate framework that allows users to sign into services or grant permissions to applications without sharing their passwords. In this case, the hacker convinced the employee to approve a fraudulent enterprise app (eM Client), which gave them full control over the employee’s email account—without ever needing a password.
Tim explained why the attack was so effective:
“The phishing emails looked legitimate and directed users to an RSVPify-hosted page, a well-known and trusted platform. Because RSVPify is widely used for event registrations, recipients were more likely to trust the link and click on it.”
What Could Have Been Done Differently?
Reflecting on the incident, KPI identified a few key areas where stronger security measures could have prevented the attack:
- Employee Awareness Training: If the employee had known to be skeptical of unexpected app approval requests, they might have declined it.
- Stronger Email Security Tools: If the company had CyberCare Ultimate, they would have Proofpoint Advanced Email Protection, which may have flagged or blocked the phishing email before it ever reached an inbox.
- Restricting App Approvals: KPI follows a best practice policy of blocking unauthorized third-party applications by default, allowing only explicitly approved apps. However, this incident revealed an unexpected behavior in Azure’s security settings—while KPI’s policies were correctly implemented, Microsoft’s system did not automatically extend the block to Azure-based applications. KPI swiftly identified this gap and took corrective action to ensure the client’s security settings fully enforced app restrictions.
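The OAuth consent described above and the app-approval restriction in the last bullet both come down to one question for a defender: which consent grants in the tenant hand an application control of a mailbox, and would the tenant's user-consent policy have stopped them? The script below is an added example, not KPI's or Microsoft's code. It triages a constructed set of simplified Microsoft Entra ID "Consent to application" audit records against a modelled consent policy. The Graph permission names (Mail.Send, Mail.ReadWrite, User.Read, offline_access and so on) are real scopes; the user accounts, app names, application IDs and the record layout are constructed placeholders, and the three policy options are modelled on Entra's user consent settings (no user consent; verified publishers with selected permissions only) rather than read from a tenant.

```python
"""Added example: triage OAuth consent grants from simplified Entra audit records.

The record shape and all sample data are constructed for this example; only
the Microsoft Graph permission names are real.
"""
from dataclasses import dataclass

# Real Graph delegated scopes that give an app read/send control of a mailbox.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
# Real low-risk sign-in scopes that tenants commonly let users consent to themselves.
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read", "offline_access"}


@dataclass(frozen=True)
class ConsentEvent:
    """One simplified 'Consent to application' audit record (constructed shape)."""
    user: str
    app_display_name: str
    app_id: str              # placeholder GUIDs below, not real application IDs
    publisher_verified: bool
    consent_type: str        # "Principal" = a user consented; "AllPrincipals" = admin consent
    scopes: tuple


@dataclass(frozen=True)
class ConsentPolicy:
    """Tenant-wide user-consent rule, modelled on Entra's user consent settings."""
    allow_user_consent: bool        # False = users can never approve apps themselves
    verified_publisher_only: bool   # True = only apps from verified publishers
    user_allowed_scopes: frozenset  # scopes a user may grant without an admin


STRICT_POLICY = ConsentPolicy(False, True, frozenset())
LIMITED_POLICY = ConsentPolicy(True, True, frozenset(LOW_RISK_SCOPES))

# Constructed sample: one consent resembling the incident, one benign grant,
# and one admin consent that user-consent policy does not govern.
SAMPLE_EVENTS = (
    ConsentEvent("alice@example.com", "eM Client",
                 "00000000-0000-0000-0000-000000000001", False, "Principal",
                 ("Mail.ReadWrite", "Mail.Send", "offline_access", "User.Read")),
    ConsentEvent("bob@example.com", "Company Timesheet",
                 "00000000-0000-0000-0000-000000000002", True, "Principal",
                 ("User.Read", "offline_access")),
    ConsentEvent("admin@example.com", "Mailbox Backup",
                 "00000000-0000-0000-0000-000000000003", True, "AllPrincipals",
                 ("Mail.Read",)),
)


def risky_scopes(event):
    """Mailbox-controlling scopes present in the grant, sorted for stable output."""
    return sorted(set(event.scopes) & MAILBOX_SCOPES)


def user_consent_blocked(event, policy):
    """Would this user-consent policy have refused the grant?

    Admin consent (AllPrincipals) bypasses user-consent rules by design, so it
    is never reported as blocked here; it needs a separate admin review.
    """
    if event.consent_type != "Principal":
        return False
    if not policy.allow_user_consent:
        return True
    if policy.verified_publisher_only and not event.publisher_verified:
        return True
    return not set(event.scopes) <= policy.user_allowed_scopes


def triage(events, policy):
    """Return one finding per grant that includes a mailbox scope."""
    findings = []
    for ev in events:
        scopes = risky_scopes(ev)
        if not scopes:
            continue
        user_unverified = ev.consent_type == "Principal" and not ev.publisher_verified
        findings.append({
            "user": ev.user,
            "app": ev.app_display_name,
            "app_id": ev.app_id,
            "risky_scopes": scopes,
            "admin_consent": ev.consent_type == "AllPrincipals",
            "unverified_publisher": not ev.publisher_verified,
            "blocked_by_policy": user_consent_blocked(ev, policy),
            "action": ("revoke grant, reset credentials, review sent items"
                       if user_unverified else "confirm with app owner"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, LIMITED_POLICY):
        print(finding)
```

Run against the sample, the "eM Client" grant is reported with Mail.ReadWrite and Mail.Send, marked as something the verified-publisher policy would have refused, and given the containment steps the article lists (remove the grant, reset the login, check what was sent); the timesheet app never appears because it holds no mailbox scope; the admin-consented backup tool is flagged for review but not as "blocked", which is the point of separating admin consent from user consent when checking whether a restriction is actually enforced.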
The Results: Securing the Business and Reducing Risk
- Prevented further compromise by shutting down the phishing campaign before it spread.
- Strengthened security policies to ensure app restrictions were correctly enforced.
- Minimized operational downtime so employees could resume work quickly.
Key Takeaways for Business Owners
This case demonstrates how modern cyber threats exploit human error and app permissions, rather than just relying on traditional fake login pages.
- Why it worked: The phishing emails used a well-known platform, making them appear legitimate.
- What businesses can do: Invest in employee security training and enforce strict app approval policies.
- How KPI helps: We continuously monitor security risks and educate teams to defend against evolving cyber threats.
Are your security policies strong enough to prevent this type of attack? Let’s talk about how KPI can help protect your business.
