The threat actors create malicious OAuth apps and distribute crafted OAuth URLs via email that may evade email defenses due to the use of legitimate domains such as login.microsoftonline.com and accounts.google.com. Email lures include fake e-sign documents, Social Security notices, Teams meeting recordings, password reset prompts and employee review documents.