TL;DR: 2025 phishing campaigns abused DKIM replay, OAuth consent flows, lookalike domains, and fabricated threads to make malicious email look legitimate while still bypassing SPF, DKIM, DMARC, or MFA controls, according to Abnormal AI. The lesson is that trust signals alone no longer prove intent, so identity, mailbox, and consent governance must be treated as one control surface.
NHIMG editorial — based on content published by Abnormal AI: Key Insights on the phishiest email attacks of 2025
Questions worth separating out
Q: How should security teams handle authenticated phishing that passes SPF, DKIM, and DMARC?
A: Security teams should treat authenticated delivery as a starting signal, not proof of legitimacy.
Q: Why do OAuth consent grants create persistent identity risk?
A: OAuth consent grants can outlive the event that created them, which means attackers may keep mailbox or API access after a password reset.
Q: What breaks when teams rely on procedural legitimacy to approve requests?
A: What breaks is the assumption that a coherent story equals a genuine relationship.
Practitioner guidance
- Treat OAuth consent as privileged access: inventory every consented application, map granted scopes to mailbox and data permissions, and revoke grants that do not have an active business owner or a current use case.
- Add behavioural checks to authenticated mail: correlate sender history, message intent, link destination, and thread continuity before relying on SPF, DKIM, DMARC, or ARC pass results.
- Review mailbox access after password resets: assume password resets do not remove delegated access, and check for persistent API access, token grants, and approved applications immediately after an incident.
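To make the first and third points concrete, here is an added example (not code from the NHIMG post or from Abnormal AI) that reviews a constructed inventory of consent grants: it flags privileged grants that lack an owner or a current use case as revocation candidates, and lists grants consented shortly before a password reset that the reset itself does not remove. The record fields and scope names are assumptions, not any identity provider's real schema.

```python
"""Review OAuth consent grants as standing privileged access.

Added example, not from the NHIMG post or Abnormal AI. Grant records are
constructed; field names (app, scopes, owner, last_used, granted) are an
assumed normalised export shape, not a real identity provider API schema.
"""
from datetime import datetime, timedelta, timezone

# Scope names treated as mailbox or persistence privileges (assumed list;
# align it with the scope names your identity provider actually issues).
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
PERSISTENCE_SCOPES = {"offline_access"}

# Constructed sample inventory: one record per consented application.
GRANTS = [
    {"app": "Payroll Sync", "scopes": {"Mail.Read", "offline_access"}, "owner": "finance-apps",
     "last_used": "2025-11-20T09:00:00Z", "granted": "2024-02-01T10:00:00Z"},
    {"app": "Meeting Helper", "scopes": {"Mail.ReadWrite", "Mail.Send", "offline_access"},
     "owner": None, "last_used": "2025-11-29T07:15:00Z", "granted": "2025-11-28T16:40:00Z"},
    {"app": "Calendar Widget", "scopes": {"Calendars.Read"}, "owner": "it-ops",
     "last_used": "2025-03-01T00:00:00Z", "granted": "2023-06-10T12:00:00Z"},
]
REVIEW_TIME = datetime(2025, 12, 1, tzinfo=timezone.utc)  # constructed review/incident time

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def is_privileged(grant) -> bool:
    return bool(grant["scopes"] & (MAILBOX_SCOPES | PERSISTENCE_SCOPES))

def review_reasons(grant, now, stale_after=timedelta(days=90)):
    """Return why a grant needs attention; an empty list means it can stay."""
    reasons = []
    if is_privileged(grant):
        privileged = grant["scopes"] & (MAILBOX_SCOPES | PERSISTENCE_SCOPES)
        reasons.append("privileged scopes: " + ", ".join(sorted(privileged)))
    if grant["owner"] is None:
        reasons.append("no active business owner")
    if now - parse_ts(grant["last_used"]) > stale_after:
        reasons.append("no current use")
    return reasons

def revocation_candidates(grants, now):
    """Privileged grants that also lack an owner or a current use case."""
    return [g["app"] for g in grants if is_privileged(g) and len(review_reasons(g, now)) > 1]

def post_reset_review(grants, reset_time, lookback=timedelta(days=14)):
    """Grants to re-check after a password reset: the reset does not remove the
    consent, so privileged grants consented shortly before the incident are
    listed for an explicit revoke-or-confirm decision."""
    return [g["app"] for g in grants if is_privileged(g)
            and reset_time - lookback <= parse_ts(g["granted"]) <= reset_time]

if __name__ == "__main__":
    print(revocation_candidates(GRANTS, REVIEW_TIME))  # ['Meeting Helper']
    print(post_reset_review(GRANTS, REVIEW_TIME))      # ['Meeting Helper']
```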
What's in the full article
Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:
- Exact lure construction for the DKIM replay and how the OAuth app name was used as the malicious payload carrier
- Step-by-step behaviour of the Flask-based credential theft kit, including the crawler blocking and verification flow
- The specific consent-abuse path used by the fake Teams invite campaign, including how persistent mailbox access was retained
- The invoice-fraud thread characteristics and the signal differences the vendor used to distinguish it from normal business mail
👉 Read Abnormal AI's analysis of the phishiest email attacks of 2025 →
Authenticated phishing lures: what email and IAM teams need to know
Explore further
Authenticated email is not a trust verdict. SPF, DKIM, DMARC, and ARC verify parts of the transport story, but they do not verify the intent of the message or the legitimacy of the request. These campaigns worked because attackers turned accepted trust markers into delivery vehicles for deception. Practitioners should stop treating authentication pass rates as a proxy for message safety.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Another finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when a malicious OAuth app keeps reading mail after a password reset?
A: Accountability sits with the organisation that granted and failed to govern the permission, not just with the user who clicked consent. The app should be treated as an identity with scope, ownership, and revocation rules. Frameworks that govern privileged access and lifecycle reviews are directly relevant because the grant behaves like standing access.
👉 Read our full editorial: Authenticated phishing lures expose the limits of email trust signals