Polishing Old Tactics: Unpacking the Latest OAuth Traps, EDR Killers, and AI Platform Breaches

If there is one constant in the cybersecurity landscape, it is that attackers rarely discard a working tool—they simply polish it. This week’s threat intelligence highlights a disturbing trend: the refinement of "old school" attack vectors into highly effective, modern weapons.

From sophisticated OAuth manipulation and "EDR Killer" utilities to leveraging encrypted messaging apps like Signal for phishing and exploiting the chaos of AI platform integration, the threat landscape is evolving. At Security Arsenal, we believe that understanding the mechanics of these polished threats is the first step toward a robust defense.

The Attack Vectors: A Deep Dive

1. The OAuth Trap: Consent is the New Credential

The era of simply brute-forcing passwords is waning, replaced by the more insidious "OAuth Trap." In this scenario, attackers do not steal credentials; they steal consent. By registering a malicious application with a cloud provider (often masquerading as a legitimate productivity tool), attackers trick users into granting permissions via a seemingly standard login page.

Once the user clicks "Accept," the attacker receives a valid access token. This token grants the application access to data (mail, files, contacts) without ever triggering a MFA challenge, because the user is the authentication factor.

2. EDR Killers: The BYOVD Resurgence

Endpoint Detection and Response (EDR) systems have become the standard for visibility, but threat actors are fighting back with "EDR Killer" tools. A prevalent technique involves "Bring Your Own Vulnerable Driver" (BYOVD).

In these attacks, adversaries load a legitimate, signed driver containing a known vulnerability into the Windows kernel. They exploit this vulnerability to disable the EDR's kernel callbacks or terminate the security processes entirely. Because the driver is digitally signed, it often bypasses driver enforcement policies, allowing the attacker to operate "under the radar" before deploying the final payload, such as a ransomware encryptor.

3. Zombie ZIPs and Signal Phishing

We are also seeing a resurgence of "Zombie ZIP" archives—malicious files that exploit path traversal vulnerabilities or obscure nested structures to deliver malware when an archive tool attempts to preview them. Coupled with this is the rise of Signal phishing, where attackers use the encrypted messaging platform to deliver lures, bypassing traditional email filtering mechanisms that focus on SMTP traffic.

4. AI Platform Hacks

As organizations rush to integrate AI, attackers are finding seams in these new platforms. Recent incidents involve prompt injection attacks designed to exfiltrate proprietary data or abusing API keys to hijack compute resources for crypto-mining operations.

Detection and Threat Hunting

To catch these polished threats, you need to move beyond static signatures and hunt for behaviors. Below are specific queries for your SOC to run.

Hunting for Rogue OAuth Consent Grants

Use this KQL query in Microsoft Sentinel to identify users granting high-risk permissions to recently registered applications.

AuditLogs
| where OperationName == "Add delegated permission grant" or OperationName == "Consent to application"
| extend AppId = tostring(TargetResources[0].id)
| extend AppDisplayName = tostring(TargetResources[0].displayName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where Permissions contains "RoleManagement.ReadWrite.All" 
   or Permissions contains "Directory.ReadWrite.All" 
   or Permissions contains "Mail.ReadWrite"
| project TimeGenerated, Caller, AppDisplayName, AppId, Permissions, Result
| order by TimeGenerated desc

Detecting EDR Tampering (BYOVD)

Monitor for the loading of known vulnerable drivers or processes attempting to terminate security services. This PowerShell script can be used on endpoints to check for the recent loading of specific high-risk drivers often used in BYOVD attacks.

# Check for loaded drivers associated with common BYOVD vulnerabilities
$VulnerableDrivers = @("RTCore64.sys", "DBUtil_2_3.sys", "gdrv.sys")

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-PnP'} -MaxEvents 1000 |
Where-Object {$_.Message -match 'Device installed'} |
ForEach-Object {
    $eventXml = [xml]$_.ToXml()
    $driverName = $eventXml.Event.UserData.DeviceInstallString
    
    foreach ($badDriver in $VulnerableDrivers) {
        if ($driverName -like "*$badDriver*") {
            Write-Host "ALERT: Vulnerable driver loaded: $driverName" -ForegroundColor Red
            Write-Host "Time: $($_.TimeCreated)"
        }
    }
}

Identifying Malicious Archive Activity (Zombie ZIP)

Hunt for suspicious child processes spawned by archive utilities like WinRAR or 7-Zip. Legitimate users extract files; malware authors spawn shells immediately after extraction.

DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winrar.exe", "7zFM.exe", "winzip64.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "regsvr32.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, CommandLine, SHA256
| order by Timestamp desc

Mitigation Strategies

Stopping these threats requires a layered approach:

1. Hardening OAuth: Implement "Admin Consent" requirements for application registration. Disable user consent for apps that access sensitive data. Utilize Microsoft Entra ID's "Consent Grant" detection workflows.
2. Driver Blocklist: Enforce a vulnerable driver blocklist (HVCI) and ensure Memory Integrity is enabled on all endpoints to mitigate BYOVD attacks.
3. Network Segmentation: restrict the ability of endpoints to communicate directly with non-corporate messaging infrastructure (like Signal's API servers) unless a specific business case exists.
4. AI Governance: Treat AI API keys like secrets. Rotate them regularly and implement strict usage monitoring to detect anomalous token consumption.

The attackers are polishing their tools, and so must we. By hunting for the behavioral artifacts of these attacks—rather than just the files—you can stay ahead of the curve.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub