Voice Scammers Are Now Stealing Your Work App Access. Here's What to Do
A major hacking group is calling employees and tricking them into handing over access to work accounts. Microsoft says it's already targeting companies worldwide.
Source
GetCyberRight Intelligence
Original headline: ShinyHunters OAuth Vishing Campaign
Plain-English summary by GetCyberRight. Read the full report at the source above.
What Just Happened
Microsoft has confirmed that ShinyHunters, a notorious hacking group, is calling employees and pretending to be IT support to steal access to work applications. They're specifically after OAuth tokens, which are digital keys that keep you logged into apps like Microsoft 365, Google Workspace, Slack, and other business tools. This isn't a random attack. It's a coordinated campaign targeting professionals across multiple industries.
The Details
Here's how these criminals operate. They call you at work, claiming to be from your IT department or the company that provides your work software. They sound professional and often have real details about your company to seem legitimate. Then they create urgency, saying there's a security issue or your account will be locked. Their goal is to trick you into approving a login request or sharing a code from your authenticator app.
What makes this attack particularly dangerous is what they're stealing. OAuth tokens are different from passwords. They're the invisible keys that keep you logged into your work apps even after you've entered your password. Once criminals have these tokens, they can access your accounts without needing your password at all. They bypass your two-factor authentication entirely because the system thinks they're already you.
The voice element makes this scam more convincing than typical phishing emails. People naturally trust phone calls more than suspicious emails. The scammers exploit this trust, combining social pressure with technical-sounding language to make you act before thinking.
Who Is Affected
This campaign primarily targets professionals who use cloud-based work applications. If you log into Microsoft 365, Google Workspace, Salesforce, or similar tools for your job, you're a potential target. Remote workers are especially vulnerable because they're already accustomed to IT support happening over the phone rather than in person.
Small and medium-sized businesses face heightened risk. These organizations often lack dedicated security teams to warn employees about emerging threats. ShinyHunters knows this and specifically targets companies where security awareness might be lower.
What You Should Do Right Now
Establish a verification rule: Never approve login requests or share codes during unexpected calls. Tell the caller you'll contact IT directly using a number from your company directory, then hang up and do exactly that.
Stay one step ahead of scammers
Weekly cybersecurity briefings for families. No spam, just the threats that matter and what to do about them.
Review your active sessions: Go into your Microsoft 365, Google, Slack, and other work app settings. Look for active sessions or devices you don't recognize. Sign out of everything except your current device.
Enable security notifications: Turn on alerts in your work accounts that notify you whenever someone logs in from a new device or location. This gives you early warning of unauthorized access.
Talk to your IT department: Ask them to send a company-wide message about this threat. Request clear instructions on how legitimate IT support will contact employees and what they'll never ask for over the phone.
Check your authentication app: If you use an authenticator app for work, review the accounts connected to it. Remove any you don't recognize or no longer use.
The Bigger Picture
This campaign represents a troubling evolution in cybercrime. Criminals are moving beyond automated phishing emails to personalized phone calls that exploit human psychology. As companies adopt more cloud services and remote work becomes permanent, these voice-based attacks will only increase. Staying informed about new tactics isn't optional anymore. It's essential for protecting your livelihood and your employer's data.
How GetCyberRight Can Help
Our GCR Scam Guard tool helps you verify suspicious login requests before you respond to them. When you receive an unexpected call or message asking you to approve a login, Scam Guard can help you identify red flags and walk you through proper verification steps. It's designed to give you confidence in the moment, when pressure tactics work best against us. Think of it as having a cybersecurity expert looking over your shoulder during those critical few seconds when scammers try to rush you into a mistake.
Curated from trusted cybersecurity sources by GetCyberRight
Source: GetCyberRight IntelligenceStay ahead of cyber threats
Get our free weekly digest. Real threats, plain language, what to do about them. No spam, ever.
More articles
US Sanctions VPN Service That Helped Criminals Attack Hospitals and Schools
The US government sanctioned a VPN provider for helping ransomware gangs hide attacks on critical infrastructure. Here's what families need to know.
4 min readCriminal VPN Service Sanctioned for Helping Ransomware Attacks
The US Treasury sanctioned a VPN provider used by ransomware gangs to attack hospitals, schools, and cities while hiding their identities.
4 min readJapan's Largest Taxi Operator Shuts Down After Cyberattack
Nihon Kotsu forced offline to contain breach, affecting thousands. What small businesses can learn from this infrastructure attack.
3 min read
EU Plans to Ban Social Media for Kids Under 13: What Parents Need to Know
European leaders are building consensus to ban social media access for children under 13. Here's what this shift means for your family and what to do now.
3 min read