
TA416 Resurfaces in Europe: PlugX, OAuth Phishing, and Diplomatic Targets

Support 4/3/2026 MOD

Has anyone else been tracking the latest TA416 (aka RedDelta) activity targeting European diplomatic entities? After what felt like a two-year hiatus in the region, they are back with a vengeance, leveraging their classic PlugX loader but increasingly relying on OAuth-based phishing to bypass MFA.

It's fascinating—and terrifying—how they've evolved the initial access vector. Instead of pure credential theft, they are abusing the OAuth authorization flow. Once the user consents, they get a token with persistent access without needing the password or 2FA every time.

I've been updating our detection stack to hunt for this. Here is a basic KQL query I'm running in Sentinel to catch high-risk OAuth consent grants, specifically looking for Permissions that include Mail.ReadWrite or Files.ReadWrite.All granted to recently registered or suspicious AppIds:

AuditLogs
| where Category == "ApplicationManagement"
| where OperationName in ("Add OAuth2PermissionGrant", "Consent to application")
| extend AppId = tostring(TargetResources[0].id),
         AppName = tostring(TargetResources[0].displayName),
         Caller = tostring(InitiatedBy.user.userPrincipalName)
// Collect every modified property's new value instead of trusting a fixed array index,
// which differs between the two operation types above
| mv-apply Prop = TargetResources[0].modifiedProperties on (
    summarize Permissions = make_list(tostring(Prop.newValue))
  )
| extend Permissions = tostring(Permissions)
| where Permissions has_any ("ReadWrite.All", "Mail.Read")
| project TimeGenerated, Caller, AppId, AppName, Permissions, Result
| order by TimeGenerated desc

Given PlugX's history of DLL side-loading, are you guys focusing purely on the OAuth proxy traffic, or are you still investing heavy resources into endpoint signatures for the loader itself?

How are your organizations handling the 'User Consent' risk? Are you blocking it entirely, or just relying on conditional access policies?
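The same triage the KQL above performs, written here as an added Python example (not the poster's code) so it can be run offline against exported audit records: scopes are pulled by property displayName rather than array index, and a grant only alerts when it combines high-risk scopes with an app that is missing from, or newly added to, the tenant's app inventory. The record shape, the `[Scope: ...]` newValue format, the inventory dict and the 30-day window are all assumptions made for the sample data.

```python
import re
from datetime import datetime, timedelta, timezone
# Scopes worth reviewing when granted to an app the tenant does not know (mirrors the KQL filter in the post).
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All"}
NEW_APP_WINDOW = timedelta(days=30)              # assumed threshold for "recently registered"
SCOPE_RE = re.compile(r"Scope:\s*([^\]\",]+)")   # matches the constructed newValue format used below

def granted_scopes(event):
    """Collect consented scopes by property displayName, not a fixed modifiedProperties index."""
    scopes = set()
    for res in event.get("targetResources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                for m in SCOPE_RE.finditer(prop.get("newValue", "")):
                    scopes.update(m.group(1).split())
    return scopes

def assess_consent(event, app_registry, now):
    """Score one event; app_registry (appId -> registration time) is assumed to come from a tenant inventory."""
    app_id = event["targetResources"][0]["id"]
    scopes = granted_scopes(event)
    risky = scopes & HIGH_RISK_SCOPES
    created = app_registry.get(app_id)
    unfamiliar = created is None or now - created < NEW_APP_WINDOW
    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if unfamiliar:
        reasons.append("app unknown or registered within %d days" % NEW_APP_WINDOW.days)
    if risky and "offline_access" in scopes:
        reasons.append("offline_access yields a refresh token, so access outlives the MFA session")
    return {"appId": app_id, "user": event["initiatedBy"]["user"]["userPrincipalName"],
            "scopes": sorted(scopes), "reasons": reasons, "alert": bool(risky) and unfamiliar}

NOW = datetime(2026, 4, 3, tzinfo=timezone.utc)
APP_REGISTRY = {"app-mailsync-legacy": NOW - timedelta(days=400),    # constructed inventory
                "app-docshare-new": NOW - timedelta(days=2)}
SAMPLE_EVENTS = [   # constructed records, shaped loosely like Entra ID audit log entries
    {"operationName": "Consent to application", "initiatedBy": {"user": {"userPrincipalName": "analyst@example.org"}},
     "targetResources": [{"id": "app-docshare-new", "displayName": "DocShare Viewer", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "false"},
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[Scope: Mail.ReadWrite Files.ReadWrite.All offline_access]"}]}]},
    {"operationName": "Consent to application", "initiatedBy": {"user": {"userPrincipalName": "dev@example.org"}},
     "targetResources": [{"id": "app-mailsync-legacy", "displayName": "Mail Sync", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions", "newValue": "[Scope: User.Read]"}]}]},
]

def triage(events=SAMPLE_EVENTS, registry=APP_REGISTRY, now=NOW):
    return [r for r in (assess_consent(e, registry, now) for e in events) if r["alert"]]
```

Only the first sample grant alerts: a two-day-old app receiving mailbox and file scopes plus offline_access; the long-registered app asking for User.Read is ignored.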

VPN_Expert_Nico 4/3/2026

We went the 'Zero Trust' route and disabled user consent for all apps last quarter. It broke some workflows initially, but the security trade-off against nation-state OAuth phishing is worth it. On the endpoint side, we're seeing success hunting for PlugX by monitoring for unsigned Microsoft binaries spawning rundll32.exe with specific argument lengths. The DLL side-loading technique they use usually leaves a footprint in the process tree.

CISO_Michelle 4/3/2026

From a red team perspective, OAuth consent phishing is one of the most effective initial access vectors right now because the 'Sign in with Microsoft' page is completely legitimate. It's hard to train users to look at the URL and verify the App ID requesting permissions, not just the domain they are logging into. We recommend clients implement an 'App Consent' verification workflow similar to device enrollment—requiring admin approval for any new app registration.


Thread Stats

Created: 4/3/2026
Last Active: 4/3/2026
Replies: 2
Views: 163