The first quarter of 2025 brought a wave of quietly powerful TTPs. Some slid in under the radar, others showed up in clusters, and a few evolved right under our noses. While lots of these are brand new, they certainly left their mark on the few months of this year. This roundup isn’t about headline-grabbing zero-days or buzzy chatter; it’s about the techniques that kept showing up across IR reports, adversary emulations, and Slack channels full of “has anyone else seen this?”

Whether you missed them the first time or want to revisit what’s still hot, these are some of the behaviors we think are still burning and worth your attention.

OAuth Consent Grant Abuse 🔐

Tactics:
Initial Access, Persistence, Defense Evasion, Credential Access

Techniques:

• T1566.002 – Phishing: Spearphishing Link
  Targeted emails deliver OAuth consent phishing links impersonating trusted apps or services.

• T1204.001 – User Execution: Malicious Link
  Users click a legitimate-looking OAuth consent prompt that leads to unauthorized app permissions.

• T1098.001 – Account Manipulation: Additional Cloud Credentials
  Malicious OAuth grants serve as alternate credentials that persist until explicitly revoked.

• T1550.001 – Use Alternate Authentication Material: Web Session Cookie
  OAuth access and refresh tokens allow continuous access without triggering login or MFA events.

• T1078.004 – Valid Accounts: Cloud Accounts
  The attacker gains persistent access through abuse of granted tokens linked to legitimate cloud accounts.
  

What You Should Be Looking For:

• Azure AD/Entra ID audit log events showing Consent to application activity
  

• OAuth apps requesting sensitive delegated scopes such as:

  • Mail.ReadWrite, Files.Read.All, Mail.Send, offline_access, Directory.ReadWrite.All, User.ReadWrite.All
    

• Consent granted to apps with no verified publisher, recently registered, or using generic/trustworthy-sounding names (“Secure Mail Gateway” anyone?)
  

• Multiple users consenting to the same suspicious app, especially if the app was newly registered and isn’t in corporate app catalogs
  

• Consent activity occurring:

  • Outside normal business hours

  • From new device IDs or unusual geographic locations
    

• Persistent Graph API or mailbox access from the app without corresponding user login sessions (token-based activity)
  

• Use of OAuth tokens after password resets or user sign-outs, indicating long-lived token abuse
  

• Redirect URIs associated with the app registration that:

  • Use typosquatted domains

  • Point to non-corporate or low-reputation third-party sites
    

• Suspicious combinations of delegated scopes, such as:

  • Mail.ReadWrite + User.ReadWrite.All

  • Files.Read.All + Directory.ReadWrite.All
    

• Consent granted from privileged accounts (Global Admin, App Admin) without corresponding change requests or IT tickets
  

• New OAuth apps or service principals registered by non-admin accounts, especially if followed immediately by user consent
  

• App privilege escalation post-consent, such as modifying its own redirect URIs or requesting additional scopes

  • See: hidden consent grant behavior

Data sources:

• Azure AD Sign-In and Audit Logs

• Unified Audit Log (Microsoft 365)

• Cloud App Security / Defender for Cloud Apps (MCAS)

• OAuth token telemetry from identity providers (Azure, Google, Okta)

• Microsoft Graph API activity monitoring

• Email security telemetry
  

Resources:

• Microsoft: Detect and Remediate Illicit Consent Grants

• Microsoft IR Playbook: App Consent

• Datadog: Malicious OAuth Application Consent

• AppOmni: OAuth Grants & Phishing – A Deadly Combo

• Kelvin Ngware (LinkedIn): What is OAuth Consent Phishing - (This isn’t a super new TTP, just on the rise, thank you Kelvin!)

• Microsoft Security Blog (May 2025): Defending Against Evolving Identity Attack Techniques

Malicious Package Ecosystem Abuse 📦

Tactics:
Initial Access, Execution, Persistence, Credential Access, Exfiltration, Defense Evasion, Impact

Techniques:

• T1589.001 – Package Manager: Typosquatting/Name Squatting
  Attackers upload malicious packages with names nearly identical to trusted libraries (e.g., fabrice vs fabric, react-xterm2 vs react-xterm) to trick developers into accidental installation.

• T1121 – Exploitation for Client Execution: Post-/Pre-install Scripts
  Malicious code is embedded in install-time scripts (setup.py, preinstall, postinstall) that execute immediately upon installation to download payloads or exfiltrate data.

• T1059.004 – Command and Scripting Interpreter: Bash
  Scripts invoke shell commands to fetch external payloads, open reverse shells, or run embedded logic via curl, wget, or PowerShell.

• T1555 – Credentials from Web Browsers / Cloud Files
  Malicious packages steal local credentials by reading .aws/credentials, .npmrc, .gitconfig, browser cookies, or environment variables.

• T1041 – Exfiltration Over C2 Channel
  Exfiltrated data is sent to attacker infrastructure using Discord webhooks, Telegram bots, or HTTPS POSTs to low-reputation domains.

• T1490 – Impact: File Deletion / Destructive Behavior
  Some packages execute destructive behavior like deleting local project files or resetting repositories on install.

What You Should Be Looking For:

• Post-install activity from developer or build systems:

  • Suspicious process trees triggered by npm install or pip install:

    • node → bash → curl

    • python → os.system → shell command

    • Execution of base64-decoded scripts from installer context
      

• Outbound network traffic during or shortly after dependency install:

  • Unusual outbound connections from developer endpoints to:

    • Discord or Telegram webhooks

    • Recently registered domains or IPs

    • Rare or low-reputation TLDs (.tk, .ml, .gq)
      

• Credential or secrets access from install-triggered processes:

  • File reads to sensitive paths from shell or non-standard binaries:

    • ~/.aws/credentials

    • .npmrc, .pypirc, .gitconfig

    • Browser cookie or localStorage directories
      

• Unexpected file destruction or workspace modifications:

  • Deletion of .git directories, project folders, or dev environments immediately following dependency install
    

• Runtime compilation or binary generation after install:

  • Invocation of gcc, clang, or scripting engines from package manager processes

  • Creation of ELF, PE, or Mach-O binaries in temporary or workspace directories
    

• Repeated C2 or behavior across developer machines:

  • Same rare domain, webhook, or IP contacted by multiple dev endpoints

  • Consistent process + hash + network signature post-install
    

• Crypto-related tooling abuse signals:

  • Calls to blockchain APIs or presence of crypto-wallet paths from endpoints with no prior crypto context

  • Execution of Web3 libraries or seed phrase logging logic outside expected use cases

Data sources:

• EDR process telemetry

• DNS logs

• Proxy/firewall logs

• File access telemetry

• Command-line auditing (e.g., Sysmon, Auditd)

• Process creation logs (Sysmon, auditd, etc.)

Resources:

• The Hacker News – Malicious Python Packages on PyPI (April 2025)

• Source Code Red – Malicious Arcus NPM Package

• Socket.dev – Mid-Year Threat Report: Malicious Open Source Packages (2025)

• Datadog Security Labs – Q1 2025 Threat Roundup: Name Squatting

• Datadog GuardDog (PyPI analyzer)

• Amalfi & MeMPtec – Academic ML Tools for Package Detection

SimpleHelp RMM Abuse 🖥️

Tactics:
Initial Access, Execution, Lateral Movement, Persistence, Defense Evasion, Impact

Techniques:

• T1219 – Remote Access Software
  Attackers exploit known CVEs in SimpleHelp to gain remote control over endpoints, bypassing normal authentication.

• T1059 – Command and Scripting Interpreter
  Adversaries run PowerShell or CMD commands via the RMM console to disable AV, install services, or launch ransomware.

• T1078 – Valid Accounts
  Malicious or new admin-level accounts are created during or after RMM sessions to maintain persistent access.

• T1562.001 – Impair Defenses
  Remote execution is used to disable or alter AV/EDR settings, often adding exclusions or modifying policies.

• T1486 – Data Encrypted for Impact
  Ransomware variants like DragonForce and Medusa have been deployed following RMM access via SimpleHelp.

What You Should Be Looking For:

• SimpleHelp process behavior:

  • simplehelp.exe spawning child processes (powershell.exe, cmd.exe, certutil.exe)

  • Hosting of SimpleHelp services or binaries on unexpected endpoints

  • Presence of simplehelp.exe on workstations where it's not formally deployed
    

• Abnormal SimpleHelp session indicators:

  • Logins from new geolocations, especially outside business hours

  • Mass execution or off hours execution of commands/scripts across multiple endpoints

  • Scripted uploads or downloads within SimpleHelp session logs

  • Rapid-fire or clustered commands via RMM interface
    

• Artifacts dropped during RMM use:

  • Files in C:\ProgramData\SimpleHelp\ or %TEMP%, especially with .exe, .zip, or script extensions

  • Created or modified Windows services named SimpleHelp, shservice, or obfuscated variants
    

• Post-RMM session execution events:

  • Event ID 4688 showing PowerShell commands: Set-MpPreference, Invoke-RestMethod, curl, certutil

  • Event ID 4104 logging script blocks containing obfuscated or base64 content launched by SimpleHelp
    

• Account changes and privilege escalation:

  • Event ID 4720 (new user creation) and/or Event ID 4732 (group membership changes) soon after an RMM session

  • Event ID 4648 reflecting credential logon from simplehelp.exe context or new accounts

• Defense tampering:

  • Event ID 4663/4670 logs showing AV or policy file changes

  • Automated commands such as Add-MpPreference –ExclusionPath executed via RMM
    

• Ransomware or destructive behavior:

  • Creation of ransom note files, and .locked / .encrypted extensions post-RMM

  • Shadow copy deletion (vssadmin delete shadows) and backup file erasure

  • File access or mass renaming captured by File Integrity Monitoring after the session
    

Data Sources:

• SimpleHelp application logs (.exe or service presence; remote session trails)

• Windows Security Event Logs (4624, 4688, 4720, 4732, 4104, 4663, 4670)

• PowerShell script block logging and command-line telemetry

• EDR telemetry

• File system monitoring alerts (mass deletes/encryption)

• Network and proxy logs

Resources:

• Rapid7 Q1 2025 Incident Response Findings

• CyberProof: Risks tied to SimpleHelp Remote Monitoring & Management Exploitation

• Horizon3.ai: Critical Vulnerabilities in SimpleHelp Remote Support Software

• The Hacker News: Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware

• Arctic Wolf Blog: Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software for Initial Access

• MSSP Alert: DragonForce Ransomware Group Exploits MSP’s RMM Software in Attacks

• Field Effect: Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor

• Jai Bhattachhary: SimpleHelp: CVE-2024–57727 : TryHackMe - Shoutout to Jai for this awesome writeup on the Premium TryHackMe lab for the SimpleHelp exploit!

Conclusion

These are a few of the TTPs we thought were worth taking a look for in your environment, what are some of the things you have seen so far this year you think other threat hunters should know about? Drop us a comment and we may feature your idea in the next From the Fire!

Leave a comment