OAuth Traps, Signal Phishing and Cloud Exploit Shifts in 2025

By alex2404

Phishing campaigns, cloud exploitation patterns, and software-level bypass techniques defined a busy week in security research — each reflecting a broader shift in how attackers are adapting to hardened infrastructure.

Wiz has warned that malicious OAuth applications are exploiting what the firm calls “consent fatigue” — the tendency of users to approve permission requests without scrutiny. According to the announcement, once a target clicks “Accept” on a rogue app designed to mimic a trusted brand, “the access token is sent to the attacker’s Redirect URL,” giving the attacker immediate access to files and emails without ever obtaining the user’s password. Wiz detected a large-scale campaign active in early 2025 involving 19 distinct OAuth applications impersonating Adobe, DocuSign, and OneDrive, targeting multiple organizations. Proofpoint documented the activity in August 2025.
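One defender-side check the mechanism above suggests, as an added example that is not Wiz's or Proofpoint's code: triage consent-grant records for apps whose display name borrows a brand from the campaign while the redirect host (where the token lands) is not a domain of that brand, or which request mail/file scopes from an unverified publisher. The record field names, the brand-to-domain map and the sample grants are assumptions constructed for this example.

```python
"""Triage OAuth consent-grant records for signs of brand-impersonating consent
phishing. Added example, not code from Wiz or Proofpoint; the records, the field
names and the brand-to-domain map are constructed assumptions for this demo."""
from urllib.parse import urlparse

# Brands the article says were impersonated, mapped to the apex domains a genuine
# app from that vendor would plausibly redirect to (assumption, not a vendor list).
BRAND_DOMAINS = {
    "adobe": {"adobe.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "onedrive": {"microsoft.com", "live.com", "office.com"},
}
# Scopes that expose mail or files: the data the campaign went after.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "offline_access"}

def impersonated_brand(app_name):
    """Return the brand whose name appears in the app display name, if any."""
    name = app_name.lower()
    return next((b for b in BRAND_DOMAINS if b in name), None)

def triage(grant):
    """Classify one consent grant: a brand/redirect mismatch alone is damning;
    an unverified publisher counts only together with mail/file scopes."""
    reasons = []
    brand = impersonated_brand(grant["app_name"])
    host = (urlparse(grant["redirect_uri"]).hostname or "").lower()
    apex = ".".join(host.split(".")[-2:])  # crude apex: last two labels
    mismatch = bool(brand) and apex not in BRAND_DOMAINS[brand]
    if mismatch:
        reasons.append(f"name mimics {brand} but tokens go to {host}")
    unverified = not grant.get("publisher_verified", False)
    if unverified:
        reasons.append("publisher not verified")
    risky = sorted(HIGH_RISK_SCOPES & set(grant["scopes"]))
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    return {"suspicious": mismatch or (unverified and bool(risky)), "reasons": reasons}

# Constructed sample consent grants (not real log data).
SAMPLE_GRANTS = [
    {"app_name": "Adobe Document Viewer", "publisher_verified": False,
     "redirect_uri": "https://adobe-docs-login.example/callback",
     "scopes": ["Mail.Read", "Files.Read.All", "offline_access"]},
    {"app_name": "DocuSign eSignature", "publisher_verified": True,
     "redirect_uri": "https://account.docusign.com/oauth/callback",
     "scopes": ["openid", "email"]},
]
```

Run `triage(g)` over each record in `SAMPLE_GRANTS` to see the first flagged on all three counts and the second pass clean.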

Signal and WhatsApp Accounts Under Targeted Pressure

Russian-linked threat actors are pursuing the accounts of government officials, journalists, and military personnel across Signal and WhatsApp — not through cryptographic attacks, but through social engineering. The Netherlands Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) confirmed that the most frequently observed method involves impersonating a Signal Support chatbot to extract security verification codes or PINs. A second technique exploits the “linked devices” function within both platforms to establish persistent access.

Signal described the campaigns as “sophisticated phishing campaigns, designed to trick users into sharing information — SMS codes and/or Signal PIN.” The warning follows a similar advisory issued by Germany the previous month, and aligns with Google’s earlier observation that Signal’s use among Ukrainian soldiers, politicians, and journalists had made it a consistent target for Russian espionage operations.

Cloud Exploitation Shifts Toward Software Vulnerabilities

Google’s cloud division has published findings showing a measurable change in how threat actors are gaining initial access to cloud environments. The report states that “the window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days.” Misconfiguration-based initial access fell from 29.4% of incidents in the first half of 2025 to 21% in the second half. Exposed sensitive UIs or APIs dropped further still, from 11.8% to 4.9% over the same period.

The firm attributes the decline to automated guardrails making identity and configuration errors harder to exploit, effectively pushing attackers toward software vulnerability exploitation as a primary entry vector. In most incidents Google investigated, the objective was described as silent, high-volume data exfiltration combined with long-term persistence — with no immediate extortion component.

Separately, new research from Quarkslab identified a method to bypass the 16-byte password protection required for debug access on several variants of a widely used hardware platform — adding a hardware-layer dimension to a week dominated by access control failures across software, identity, and human behavior alike.

The aggregate picture across these disclosures is consistent: automated defenses are closing off low-effort entry points, and attackers are responding by targeting the layers — human trust, application permissions, and unpatched software — where automation offers less coverage.

This article is a curated summary based on third-party sources.