The subject line said vendor qualification review. The body said ACH remittance advice. That mismatch was the first signal something was wrong, but it was not the payload. The payload was inside the attachment: a nested .eml file containing a Microsoft OAuth authorize URL crafted to silently steal an application access token from the specific recipient. This was consent phishing delivered through a multi-layer obfuscation chain.
The outer message was sent from admin@hungarofood[.]hu through Amazon SES infrastructure at IP 54[.]240[.]8[.]42. SPF passed. DKIM passed for both hungarofood[.]hu and amazonses[.]com. DMARC passed. By every authentication measure, the message was legitimate.
But the Reply-To pointed to gary@turchco[.]com, a completely different domain, so any response would go to the attacker rather than to the apparent sender. From, Reply-To, and Return-Path each referenced a different domain. That three-way split should trigger identity-mismatch detection but often does not, because each authentication check examines one header in isolation: SPF covers the Return-Path domain, DKIM the signing domain, DMARC alignment only the From domain, and nothing authenticates Reply-To at all.
The attachment, named Dart-Remittance-Service-Agreement-nlwz-4891Eml.eml, contained a nested message from Account@account[.]com with a single high-value link:
hxxps://login[.]microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=e0480c25-5026-4692-bcfe-ca3d98fb25fe&prompt=none&scope=openid&state=Y2hyaX...
Three details made this link dangerous. First, the client_id referenced an unregistered third-party application, not a known Microsoft first-party or enterprise app. Second, prompt=none instructed the identity provider to skip the consent screen and attempt silent token issuance: if the recipient had an active browser session, the authorization server would return a token to the application's redirect URL without any user interaction. The precondition matters for defenders: Entra ID honors prompt=none only when it can complete the request with no UI at all, which requires both a live session and an existing grant for that client; otherwise it sends an error such as interaction_required or login_required to the redirect URL instead of a token. Third, the state parameter base64-decoded to the recipient's exact email address, confirming this was not a mass campaign but an attack personalized to a specific mailbox.
The click chain also included redirect URLs on guzeldagenerji[.]com[.]tr, a Turkish energy company domain, whose parameters carried Azure AD error strings. That is what the authorize endpoint returns to an application's registered redirect URL when a prompt=none request cannot be completed silently, so the domain served as a waypoint in the OAuth flow, consistent with it being the callback for the rogue application.
Most email gateways scan URLs in the outer message body but treat .eml attachments as opaque files, so the OAuth URL inside the nested message sat outside the primary scanning scope. Even gateways that recursively inspect .eml content may not flag a login.microsoftonline.com URL because the domain itself is legitimate and commonly allowlisted. Nothing is harvested on an attacker-hosted page: the token is issued by Microsoft's own endpoint and handed to whatever redirect URL the application registered, so URL reputation alone cannot catch this. The signal is in the query parameters (client_id, prompt, state), not the host.
IRONSCALES flagged the message based on behavioral signals: first-time sender, three-domain identity mismatch, nested .eml with an authorize URL, and the subject-body content inconsistency.
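As an added example, and not IRONSCALES' own detection code, the Python below rebuilds a message shaped like the one described (outer SES-style message, nested .eml attachment, authorize URL with prompt=none and a base64 state) and then applies the signals the write-up lists: a three-domain identity mismatch, recursive descent into message/rfc822 parts, and analysis of the authorize URL's parameters rather than its host. The recipient address, the Return-Path value, and the client_id allowlist are assumed placeholders; the domains, client_id, and attachment name come from the write-up.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample values. Recipient, Return-Path and the allowlist are
# assumptions; everything else mirrors the indicators in the write-up.
RECIPIENT = "chris@example.com"
AUTHORIZE_HOSTS = {"login.microsoftonline.com"}
KNOWN_CLIENT_IDS = {"00000000-0000-0000-0000-000000000001"}  # assumed tenant allowlist
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample() -> bytes:
    """Outer message carrying a nested .eml whose body holds the authorize URL."""
    state = base64.b64encode(RECIPIENT.encode()).decode()
    inner = EmailMessage()
    inner["From"] = "Account@account.com"
    inner["To"] = RECIPIENT
    inner["Subject"] = "Dart Remittance Service Agreement"
    inner.set_content(
        "Review the agreement here: "
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=e0480c25-5026-4692-bcfe-ca3d98fb25fe&prompt=none"
        f"&scope=openid&state={state}"
    )
    outer = EmailMessage()
    outer["From"] = "admin@hungarofood.hu"
    outer["Reply-To"] = "gary@turchco.com"
    outer["Return-Path"] = "<bounces@amazonses.com>"  # assumed envelope sender
    outer["To"] = RECIPIENT
    outer["Subject"] = "Vendor qualification review"
    outer.set_content("Please see the attached ACH remittance advice.")
    outer.add_attachment(inner, filename="Dart-Remittance-Service-Agreement-nlwz-4891Eml.eml")
    return outer.as_bytes()


def walk_with_depth(msg, depth=0):
    """Yield (depth, part) for every part, descending into message/rfc822 attachments."""
    yield depth, msg
    if msg.get_content_type() == "message/rfc822":
        for nested in msg.get_payload():
            yield from walk_with_depth(nested, depth + 1)
    elif msg.is_multipart():
        for part in msg.get_payload():
            yield from walk_with_depth(part, depth)


def header_domains(msg):
    """Domain behind each identity header; note that Reply-To is never authenticated."""
    domains = {}
    for header in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            domains[header] = addr.rsplit("@", 1)[1].lower()
    return domains


def decode_state(value):
    """Best-effort base64 decode of an OAuth state value (standard or URL-safe alphabet)."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def analyze_authorize_url(url, recipient):
    """Findings for an Entra ID authorize URL, or None if the URL is something else."""
    parsed = urlparse(url)
    if parsed.hostname not in AUTHORIZE_HOSTS or not parsed.path.endswith("/authorize"):
        return None
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []
    client_id = params.get("client_id")
    if client_id and client_id not in KNOWN_CLIENT_IDS:
        findings.append(f"client_id {client_id} is not a consented app in this tenant")
    if params.get("prompt") == "none":
        findings.append("prompt=none asks for silent issuance with no consent UI")
    decoded = decode_state(params.get("state", ""))
    if decoded and recipient.lower() in decoded.lower():
        findings.append("state encodes the recipient address (per-target lure)")
    return findings


def scan(raw, recipient):
    """Apply the write-up's signals to a raw RFC 5322 message and return them as strings."""
    msg = message_from_bytes(raw, policy=policy.default)
    signals = []
    domains = header_domains(msg)
    if len(set(domains.values())) > 1:
        signals.append("identity mismatch: " + ", ".join(f"{h}={d}" for h, d in domains.items()))
    for depth, part in walk_with_depth(msg):
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            findings = analyze_authorize_url(url, recipient)
            if findings:
                where = f"nested .eml at depth {depth}" if depth else "outer body"
                signals.append(f"authorize URL in {where}: " + "; ".join(findings))
    return signals


if __name__ == "__main__":
    for signal in scan(build_sample(), RECIPIENT):
        print(signal)
```

The design point is that nothing here looks at URL reputation: the authorize host is legitimate by construction, so the verdict comes from the parameters (an unknown client_id, prompt=none, a state that names the target) and from the fact that the URL sits one message deep, which a gateway that stops at the outer body never sees.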
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | hungarofood[.]hu | Amazon SES-backed Hungarian food distributor domain |
| Reply-To Domain | turchco[.]com | Response diversion domain |
| Nested Sender | Account@account[.]com | Generic identity inside .eml attachment |
| OAuth Client ID | e0480c25-5026-4692-bcfe-ca3d98fb25fe | Unregistered third-party application |
| Redirect Domain | guzeldagenerji[.]com[.]tr | OAuth flow waypoint |
| Sending IP | 54[.]240[.]8[.]42 | Amazon SES origin |
| Attachment Hash (SHA-256) | 54093804eb7204c4c87ebd312f347811110526414571f669578023f630bbe499 | Nested .eml file |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Nested .eml file delivers OAuth authorize URL |
| Steal Application Access Token | T1528 | OAuth flow with prompt=none targets silent token issuance |
| Use Alternate Authentication Material: Application Access Token | T1550.001 | Stolen OAuth token provides persistent access without password |

| Attack | What happened |
|---|---|
| The OAuth Authorize URL That Didn't Ask for Permission | An OAuth consent phishing campaign used Amazon SES for clean authentication, embedded the attack in both the email body and a nested .eml attachment. |
| When Your Security Vendor's OAuth Endpoint Is the Phishing Link | Attackers used Mimecast's real OAuth2 authorization endpoint as the phishing CTA. |
| The DocuSign Template That Shipped With Its Variables Still Showing | A DocuSign impersonation attack sent through SendGrid contained unpopulated template tokens ({Frmsite}) and grammar errors. |
| The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain | A Google Calendar invite for a fake AI webinar passed full authentication and carried an .ics file and an Apple Wallet .pkpass. |
| The Bank Statement You Had to Unlock With Your Birthday: PII-Gated PDF Evasion From Authenticated Infrastructure | A fully authenticated email from banking infrastructure delivered a password-protected PDF that required the recipient's mobile number and date of birth... |