{
	"id": "e9a7452c-5a35-4f49-a330-5f9dad2e8411",
	"created_at": "2026-04-06T00:10:51.588545Z",
	"updated_at": "2026-04-10T13:12:02.480047Z",
	"deleted_at": null,
	"sha1_hash": "3755aa6eda00b643b57bf7dfdcdaabbb6f5050a0",
	"title": "Pawn Storm Abuses OAuth In Social Engineering Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62923,
	"plain_text": "Pawn Storm Abuses OAuth In Social Engineering Attacks\r\nBy: Feike Hacquebord Apr 25, 2017 Read time: 3 min (841 words)\r\nPublished: 2017-04-25 · Archived: 2026-04-05 19:17:31 UTC\r\nPawn Storm is an active and aggressive espionage actor group that has been operating since 2004. The group uses\r\ndifferent methods and strategies to gain information from their targets, which are covered in our latest\r\nresearch article. However, they are particularly known for dangerous credential phishing campaigns. In 2016,\r\nthe group set up aggressive credential phishing attacks against the Democratic National Convention (DNC),\r\nGerman political party Christian Democratic Union (CDU), the parliament and government of Turkey, the\r\nparliament of Montenegro, the World Anti-Doping Agency (WADA), Al Jazeera, and many other organizations.\r\nThis blog post discusses how Pawn Storm abused Open Authentication (OAuth) in advanced social engineering\r\nschemes. High profile users of free webmail were targeted by campaigns between 2015 and 2016.\r\nHow is OAuth abused?\r\nOAuth is a way of authorizing third party applications to log in to users’ online accounts for social media sites,\r\ngaming sites, and services like free webmail. The big advantage is that users don’t have to reveal their password;\r\ninstead, the third party applications get a token that can be used for authentication.\r\nWhile OAuth offers convenience and can be usefully applied in different ways, it may also expose the user to\r\nrisks. Threat actors can get through the background checks that service providers do before authorizing\r\napplications for OAuth use. These actors can then integrate OAuth into advanced social engineering schemes.\r\nSome internet service providers only require an email address and a website for third party applications to use\r\nOAuth. 
Because of these policies, experienced actor groups like Pawn Storm can take advantage of OAuth for\r\ntheir credential phishing schemes.\r\nFigure 1. The sequence of Pawn Storm's OAuth abuse\r\nA dissection of Pawn Storm OAuth attacks\r\nIn these attacks a user would get a message like this:\r\nFigure 2. A phony email from Pawn Storm\r\nThe email poses as an advisory from Gmail and prompts potential victims to install an “official” application called\r\n“Google Defender”. Normally an internet user will know better than to readily install an application that wasn't\r\nasked for.\r\nIf the user clicks on the link, it will lead to a page on accounts.google.com that looks like this:\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks\r\nPage 1 of 3\n\nFigure 3. A request to grant access from “Google Defender”\r\nAt this point, the user is faced with a legitimate Google site—since all OAuth approvals are done on the site of the\r\nservice provider—but the application itself is part of a phishing scheme.\r\n“Google Defender” is actually a third party application made by Pawn Storm. After abusing the screening process\r\nfor OAuth approvals, Pawn Storm’s rogue application operates like every other app accepted by the service\r\nprovider. If the user falls for the scam and clicks the “Allow” button, an OAuth token is provided to the app,\r\ngiving Pawn Storm semi-permanent access to the target’s mailbox.\r\nApart from targeting Gmail users, Pawn Storm has also abused OAuth in credential phishing attacks against high\r\nprofile Yahoo users. Here is an example from 2015 where “McAfee Email Protection” is offered.\r\nFigure 4. A convincing Yahoo phishing email\r\nClicking on the “Try McAfee Email Protection” button would lead to this legitimate website:\r\nFigure 5. 
This gives the third party app OAuth access\r\nHowever, the application is not a service of Yahoo or a legitimate product of McAfee, but a rogue application used\r\nby Pawn Storm. Clicking on the “Agree” button would give Pawn Storm an OAuth token and access to the targets’\r\nmailbox. The group then retains access to the mailbox until the token is revoked by the service provider or the\r\ntarget.\r\nPawn Storm apparently had some success with this type of attack, as it kept sending this kind of social lure during\r\nthe end of November and the first half of December 2015, as indicated in the next figure.\r\nFigure 6. Overview of Pawn Storm’s Yahoo credential phishing campaigns. The blue boxes indicate when Pawn\r\nStorm used OAuth lures while red boxes indicate other phishing email strategies\r\nOAuth enhances the user experience on the web. For example, by allowing social networks access to your\r\nwebmail contact list, it is easier to find friends who are subscribed to the same social network. But while we\r\nbelieve that internet service providers have enhanced security checks of applications that are allowed to use\r\nOAuth, internet users are urged to never accept OAuth token requests from an unknown party or a service they did\r\nnot ask for. Regularly review the applications you have granted access to your mailbox in the security settings of\r\nyour free webmail or social media service. 
If you see a suspicious application, immediately revoke its OAuth\r\ntoken.\r\nThese are known rogue applications of Pawn Storm that have been used in credential phishing attacks against high\r\nprofile users (variants of these names are likely to have been used by Pawn Storm as well):\r\nFor more information about Pawn Storm, check out From Espionage to Cyber Propaganda: Pawn Storm's\r\nActivities over the Past Two Years.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks"
	],
	"report_names": [
		"pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434251,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3755aa6eda00b643b57bf7dfdcdaabbb6f5050a0.pdf",
		"text": "https://archive.orkl.eu/3755aa6eda00b643b57bf7dfdcdaabbb6f5050a0.txt",
		"img": "https://archive.orkl.eu/3755aa6eda00b643b57bf7dfdcdaabbb6f5050a0.jpg"
	}
}