Netizen: Monday Security Brief (4/21/2024)

Today’s Topics:

  • Phishers Exploit Google OAuth to Send DKIM-Valid Spoofed Emails
  • Microsoft Entra Admins Hit by Widespread Lockouts Linked to New Credential Detection App
  • How can Netizen help?

Phishers Exploit Google OAuth to Send DKIM-Valid Spoofed Emails

Hackers have found a way to exploit Google’s OAuth infrastructure to send fake emails that pass DKIM authentication—making them appear legitimate even when they point to malicious phishing pages hosted on Google’s own services.

The attack centers around what’s known as a DKIM replay, where a legitimate, signed email generated by Google is forwarded to a victim after being crafted to include deceptive content. Security researcher Nick Johnson, lead developer of Ethereum Name Service (ENS), detailed the scheme after receiving a suspicious Google security alert claiming his account data was requested by law enforcement. The message passed all authentication checks and was filed alongside real security notifications in his inbox.

What made the email suspicious was its link to a “support portal” hosted on Google Sites—not the expected accounts.google.com domain. The page was an exact replica of Google’s login interface, built to harvest credentials. Its presence on a trusted Google domain made it harder for users to detect the fraud.

The real trick was how the email passed DKIM verification. Johnson discovered that the attacker had created a Google account under the address me@[attacker-domain] and then built a deceptive OAuth app. The app’s name contained the entire phishing message, padded with whitespace to hide Google’s security alert about the app being granted inbox access. When the attacker authorized the app, Google automatically emailed a notification to their own inbox. That alert—signed with Google’s DKIM keys—was then forwarded to victims.

Because DKIM signs the message body and selected headers but not the SMTP envelope, forwarding the alert did not invalidate its signature: the From header still read no-reply@google.com and the message passed the standard SPF and DKIM checks. Johnson noted that Gmail’s UI displayed the email as if it had been sent to the victim directly, a result of the attacker’s “me@” username choice in the signed To header.
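The replay described above leaves traces that a mail pipeline can score even though the DKIM signature itself verifies. The following added example (not code from the article, Google, or EasyDMARC) checks one raw message for those traces: the signed To header naming someone other than the actual recipient, a Return-Path domain that no longer matches the From domain after forwarding, a DKIM signing timestamp (t=) far older than delivery, a long whitespace run in the body, and a link to sites.google.com instead of the expected login domain. Both sample messages, the addresses, selector, and signature values are constructed.

```python
"""Heuristic DKIM-replay triage for one raw RFC 5322 message (added example; all data constructed)."""
import re
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr
from typing import List, Optional, Tuple


def _org_domain(addr: str) -> str:
    """Rough organisational domain (last two labels) of an address; '' if no '@'."""
    if "@" not in addr:
        return ""
    labels = addr.rsplit("@", 1)[-1].lower().split(".")
    return ".".join(labels[-2:])


def parse_dkim_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in sig.replace("\r", "").replace("\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def replay_indicators(raw: str, now: Optional[datetime] = None,
                      max_age_hours: float = 24.0) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means no replay signal fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The signed To: names the attacker's "me@" mailbox, not the mailbox it landed in.
    delivered_to = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    listed = {a.lower() for _, a in getaddresses(
        [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])}
    if delivered_to and delivered_to not in listed:
        findings.append(("recipient_mismatch", f"delivered to {delivered_to}, To/Cc lists {sorted(listed)}"))

    # 2. Forwarding replaces the envelope sender while the signed From: stays google.com.
    from_dom = _org_domain(parseaddr(str(msg.get("From", "")))[1])
    rp_dom = _org_domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(("return_path_mismatch", f"Return-Path {rp_dom} != From {from_dom}"))

    # 3. A replayed message carries a signing timestamp well before its delivery time.
    sig = msg.get("DKIM-Signature")
    if sig:
        tags = parse_dkim_tags(str(sig))
        stamp = tags.get("t", "")
        if stamp.isdigit():
            signed_at = datetime.fromtimestamp(int(stamp), tz=timezone.utc)
            age_h = ((now or datetime.now(timezone.utc)) - signed_at).total_seconds() / 3600
            if age_h > max_age_hours:
                findings.append(("stale_signature", f"signed {age_h:.1f}h before delivery, d={tags.get('d', '?')}"))

    # 4. Body tells: whitespace padding that pushes the real notice out of view, and a
    #    "support portal" hosted on sites.google.com rather than the account login domain.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if re.search(r"[ \t]{40,}", text):
        findings.append(("whitespace_padding", "run of 40+ spaces in body"))
    for host in re.findall(r"https?://([^/\s]+)", text):
        if host.lower() == "sites.google.com":
            findings.append(("user_content_link", f"link to {host}"))
    return findings


# Constructed sample: a signed alert addressed to me@attacker.example, replayed via a relay.
REPLAYED = (
    "Delivered-To: victim@example.org\n"
    "Return-Path: <bounce@relay.example.net>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=selector; t=1700000000;\n"
    " h=from:to:subject:date:message-id; bh=ZHVtbXk=; b=ZHVtbXk=\n"
    "From: Google <no-reply@google.com>\n"
    "To: me@attacker.example\n"
    "Subject: Security alert\n"
    "Date: Tue, 14 Nov 2023 22:13:20 +0000\n"
    "Message-ID: <constructed-1@google.com>\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n\n"
    "A law enforcement request was received. Review it at https://sites.google.com/view/support-portal\n"
    + " " * 200 + "\nThis app was granted access to your Google Account.\n"
)

# Constructed sample: the same kind of alert delivered directly to its real recipient.
LEGITIMATE = (
    "Delivered-To: victim@example.org\n"
    "Return-Path: <bounce@mail.google.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=selector; t=1700000000;\n"
    " h=from:to:subject:date:message-id; bh=ZHVtbXk=; b=ZHVtbXk=\n"
    "From: Google <no-reply@google.com>\n"
    "To: victim@example.org\n"
    "Subject: Security alert\n"
    "Date: Tue, 14 Nov 2023 22:13:20 +0000\n"
    "Message-ID: <constructed-2@google.com>\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n\n"
    "A new sign-in was detected. Review activity at https://accounts.google.com/signin\n"
)


def demo() -> dict:
    """Run both samples with fixed delivery times so the result is reproducible."""
    fresh = datetime(2023, 11, 15, tzinfo=timezone.utc)   # ~1.8h after signing
    stale = datetime(2023, 11, 20, tzinfo=timezone.utc)   # ~5 days after signing
    return {"replayed": [c for c, _ in replay_indicators(REPLAYED, now=stale)],
            "legitimate": [c for c, _ in replay_indicators(LEGITIMATE, now=fresh)]}


if __name__ == "__main__":
    print(demo())
```

None of these signals is proof on its own (mailing lists also rewrite Return-Path, and delayed delivery ages a signature), which is why the function reports codes for a scoring or quarantine policy rather than a verdict.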

Email security firm EasyDMARC later confirmed the technical details of the attack and labeled it a textbook example of how DKIM replay can be abused.

This isn’t the first instance of the tactic. In March, BleepingComputer reported a similar scheme using PayPal’s infrastructure. In that case, the attacker abused the “gift address” field when linking an alternate email to a PayPal account. They inserted the phishing message into a second field, prompting PayPal to send a legitimate confirmation message that was then forwarded to a list of potential victims.

Initially, Google claimed that the behavior was working as designed. However, after further review, the company acknowledged the abuse potential and has since begun working on mitigations to prevent this kind of OAuth-based spoofing from continuing.


Microsoft Entra Admins Hit by Widespread Lockouts Linked to New Credential Detection App

A sudden wave of account lockouts across Microsoft Entra ID environments is being tied to the rollout of a new security feature called MACE Credential Revocation. Starting on the evening of April 18, Windows administrators began reporting mass lockouts affecting user accounts across numerous tenants, with no evidence of actual compromise.

Microsoft Entra ID, formerly Azure Active Directory, serves as Microsoft’s cloud identity and access platform. It underpins user authentication and access control for millions of organizations. However, a recent behind-the-scenes update to its credential leak detection functionality appears to have caused serious disruptions for IT teams and managed service providers (MSPs) worldwide.

According to a fast-growing Reddit thread, organizations received hundreds or even thousands of “leaked credentials” alerts from Microsoft Entra, locking out affected users automatically. The volume and timing of the notifications led many to suspect a misfire.

“About 1/3 of our accounts got locked out about ~1 hour ago,” wrote one MSP admin. “We’re a MSP so I’m assuming this is happening to our clients as well.”

Despite Microsoft’s systems flagging leaked credentials, administrators reported no corresponding signs of compromise—no suspicious login attempts, no credential reuse, and no matches in external breach notification tools like Have I Been Pwned. Many of the locked accounts were protected by multifactor authentication (MFA), adding to the suspicion that the alerts were false positives.

One managed detection and response (MDR) provider said they received more than 20,000 leaked credential alerts from Microsoft overnight, all stemming from various customer tenants.

Several admins who reached out to Microsoft were told the issue stemmed from the rollout of a new Microsoft Entra Enterprise Application: MACE Credential Revocation.

“Just got off with [a Microsoft] engineer. It is Tenant Lockout due to this MACE ninja rollout they did. No signs of compromise,” wrote one affected user. “It was Error Code: 53003 for conditional access policy.”

Multiple admins confirmed that the MACE Credential Revocation app appeared in their tenants shortly before the lockouts began. MACE is designed to detect leaked credentials—such as those discovered on the dark web—and enforce account protections automatically, including revocation of access and credential resets.

The problem appears to lie not with the goal of MACE, but in the accuracy of its detection logic during rollout. The sudden spike in lockouts—with no corresponding threat telemetry—suggests a faulty integration or misconfigured detection threshold.

As of April 20, Microsoft has not issued an official statement about the incident. Administrators are urging caution and advising others to verify any credential alerts before assuming compromise, especially if the alerts arrived in bulk.

While security teams are generally advised to treat any leaked credential notification seriously, the volume and context of these alerts have led many to classify the event as a Microsoft-driven incident rather than a coordinated attack.

Until Microsoft clarifies the situation, admins are left relying on peer reports and case-by-case escalations to Microsoft support.
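The advice above, to verify bulk credential alerts before treating them as compromise, can be turned into a triage step. The following added example (not Microsoft code or the article's) groups leaked-credential detections into time-window batches and checks whether the flagged users have any corroborating risky sign-in; a large batch with no corroboration is marked for escalation instead of automatic remediation. The records are constructed and only borrow field names from the Microsoft Graph riskDetection and signIn resources (riskEventType, userPrincipalName, detectedDateTime, riskLevelDuringSignIn); the tenant size and thresholds are assumptions.

```python
"""Batch triage of leaked-credential risk detections (added example; all records constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-04-18T23:05:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def batch_detections(detections: List[dict], window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Group detections of one riskEventType that fall within `window` of the batch start.
    Each batch maps lower-cased UPN -> time of the user's first detection in that batch."""
    by_type: Dict[str, List[dict]] = defaultdict(list)
    for d in detections:
        by_type[d["riskEventType"]].append(d)
    batches = []
    for event_type, items in by_type.items():
        items.sort(key=lambda d: _ts(d["detectedDateTime"]))
        current = None
        for d in items:
            t = _ts(d["detectedDateTime"])
            if current is None or t - current["start"] > window:
                current = {"riskEventType": event_type, "start": t, "end": t, "users": {}}
                batches.append(current)
            current["end"] = t
            current["users"].setdefault(d["userPrincipalName"].lower(), t)
    batches.sort(key=lambda b: b["start"])
    return batches


def triage(detections: List[dict], risky_signins: List[dict], tenant_user_count: int,
           bulk_fraction: float = 0.10, bulk_min: int = 25,
           corroboration: timedelta = timedelta(hours=24)) -> List[dict]:
    """Label each batch: a large batch whose users show no risky sign-in near the detection
    is a suspected misfire to hold and escalate; anything else is handled per user."""
    signin_times: Dict[str, List[datetime]] = defaultdict(list)
    for s in risky_signins:
        if s.get("riskLevelDuringSignIn") in ("medium", "high"):
            signin_times[s["userPrincipalName"].lower()].append(_ts(s["createdDateTime"]))
    verdicts = []
    for b in batch_detections(detections):
        corroborated = {u for u, t in b["users"].items()
                        if any(abs(st - t) <= corroboration for st in signin_times.get(u, []))}
        n = len(b["users"])
        is_bulk = n >= max(bulk_min, int(bulk_fraction * tenant_user_count))
        weakly_supported = len(corroborated) / n < 0.05
        if is_bulk and weakly_supported:
            verdict, action = "suspected_bulk_misfire", "hold automatic revocation; open a support case and compare with peer reports"
        else:
            verdict, action = "investigate_individually", "treat as real until shown otherwise: reset password, revoke sessions, review sign-ins"
        verdicts.append({"riskEventType": b["riskEventType"], "start": b["start"].isoformat(),
                         "end": b["end"].isoformat(), "users": n, "corroborated": len(corroborated),
                         "verdict": verdict, "action": action})
    return verdicts


# Constructed data: a 40-user burst of leakedCredentials hits inside one hour (no risky sign-ins),
# plus one isolated hit three days earlier that does coincide with a high-risk sign-in.
DETECTIONS = [
    {"riskEventType": "leakedCredentials", "userPrincipalName": f"user{i:02d}@contoso.example",
     "detectedDateTime": f"2024-04-18T23:{i:02d}:00Z", "source": "IdentityProtection"}
    for i in range(40)
] + [
    {"riskEventType": "leakedCredentials", "userPrincipalName": "user99@contoso.example",
     "detectedDateTime": "2024-04-15T09:12:00Z", "source": "IdentityProtection"},
]
RISKY_SIGNINS = [
    {"userPrincipalName": "user99@contoso.example", "createdDateTime": "2024-04-15T08:50:00Z",
     "riskLevelDuringSignIn": "high", "ipAddress": "203.0.113.7"},
]
TENANT_USER_COUNT = 120  # assumed tenant size for the bulk threshold


def triage_demo() -> List[dict]:
    """Run the triage over the constructed data."""
    return triage(DETECTIONS, RISKY_SIGNINS, TENANT_USER_COUNT)


if __name__ == "__main__":
    for v in triage_demo():
        print(v)
```

The thresholds (10% of the tenant or at least 25 users in one hour, under 5% corroborated) are deliberately conservative starting points; the point is that remediation for a batch is decided once, by a human, rather than forty times by an automated policy.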


How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


Copyright © Netizen Corporation. All Rights Reserved.