How Nylas handles OAuth phishing and platform abuse 

Security is not a feature. It’s a priority — and one we take seriously every day.

This post is a straightforward account of how we think about phishing abuse on our platform and what we’re building to reduce the risk that our infrastructure is used as a vector for harm.

What happened

We identified a pattern of abuse in which bad actors were using our test sandboxes to trick users into granting OAuth access to accounts they didn’t intend to share. When we had sufficient understanding of the scope of the issue, we moved quickly.

Within hours of detection, our team identified the offending applications and grants, traced them to the malicious domains in question, and executed targeted operations to remove them from our systems. We coordinated across teams in real time to remove the applications and revoke the associated grants.

Our approach to platform abuse

Nylas is an email, calendar, and contacts API — which means we sit close to important and personal data — people’s inboxes. Security is foundational to how we build and operate. You can review our full security posture on our security page.

Our approach to phishing and platform abuse rests on a few principles:

Speed matters. When we identify active abuse, our first priority is containment. We’d rather act on strong evidence quickly than wait for a complete picture while damage is being done.

We go to the source. In this case, that meant going beyond obvious indicators — not just deleting surface-level artifacts, but tracing the abuse to its root and working to remove it cleanly.

We operate across regions. Our infrastructure spans multiple cloud environments, so remediation isn’t as simple as running one query. It requires coordinated action across systems, which is why we’ve invested in processes that let our teams act in parallel.

We build for the next one. After every incident, we ask: what would have caught this earlier? In this case, that question is driving improvements to validation and monitoring.

What we’re doing going forward

We’re actively exploring a set of improvements that include:

  • Clearer disclosure when a sandbox application redirects to OAuth, with explicit messaging shown before the Google OAuth consent screen
  • A phishing-reporting channel so that details of suspicious invitations can be shared with the Nylas Security Team

This isn’t a complete list, and some of it is already in progress. Security work is never finished — it’s iterated.

What you can do

If you’re a developer building on Nylas:

  • Review your registered redirect URIs and confirm they point to domains you own and control.
  • Use the minimum OAuth scopes your application needs.
  • If anything looks suspicious, rotate your credentials and contact our support team.
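To make the first of those developer checks concrete, here is an added example (not Nylas code, and not the Nylas API) that audits the redirect URIs in an app registration against the hosts the developer actually controls, and shows the exact-match comparison an authorization server is expected to apply to an incoming redirect_uri. The owned-host list and the sample registrations are constructed for illustration; the checks themselves follow RFC 8252 (loopback redirects) and the OAuth 2.0 Security Best Current Practice (exact redirect URI matching).

```python
"""Redirect URI hygiene checks for an OAuth client registration.

Added example, not Nylas code. OWNED_HOSTS and REGISTERED_REDIRECTS are
constructed sample data for a hypothetical developer.
"""
from urllib.parse import urlsplit

# Constructed sample: hosts this hypothetical developer owns and controls.
OWNED_HOSTS = {"app.example.com", "auth.example.com"}

# Constructed sample: redirect URIs as they might appear in an app registration.
REGISTERED_REDIRECTS = [
    "https://app.example.com/oauth/callback",   # fine
    "https://auth.example.com/cb#state",        # fragment is not allowed
    "http://app.example.com/oauth/callback",    # plaintext HTTP
    "https://app.example.com.evil.test/cb",     # suffix lookalike host
    "https://cdn.third-party.test/redirect",    # host the developer does not control
    "http://localhost:8080/callback",           # loopback is acceptable for dev
]

# RFC 8252 permits plain http for loopback redirects used by native apps.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_redirect_uri(uri: str, owned_hosts: set[str]) -> list[str]:
    """Return the problems found with one registered redirect URI (empty if ok)."""
    problems = []
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.fragment:
        problems.append("fragment in redirect URI")
    if host in LOOPBACK_HOSTS:
        return problems
    if parts.scheme != "https":
        problems.append(f"scheme {parts.scheme!r} is not https")
    # Exact host membership, never a suffix test: a suffix check would accept
    # app.example.com.evil.test as if it belonged to example.com.
    if host not in owned_hosts:
        problems.append(f"host {host!r} is not in the owned-domain list")
    return problems


def audit_registration(uris: list[str], owned_hosts: set[str]) -> dict[str, list[str]]:
    """Audit every redirect URI in a registration; map each URI to its problems."""
    return {u: audit_redirect_uri(u, owned_hosts) for u in uris}


def redirect_allowed(requested: str, registered: list[str]) -> bool:
    """Authorization-server side check: the incoming redirect_uri must match a
    registered value exactly as a string. No prefix, wildcard, or path
    normalisation, so appended paths or query strings are rejected."""
    return requested in registered


if __name__ == "__main__":
    for uri, problems in audit_registration(REGISTERED_REDIRECTS, OWNED_HOSTS).items():
        print(uri, "->", problems or "ok")
    print(redirect_allowed("https://app.example.com/oauth/callback?x=1", REGISTERED_REDIRECTS))
```

Run the audit against your real registration before you ship, and treat anything that is not on your owned-host list as something to remove, not to explain away; the lookalike-host case is exactly the kind of entry that lets a phishing flow terminate on a domain you never meant to trust.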

If you’re an end user, here’s how to check which apps have access to your account and remove anything that looks unfamiliar:

Revoke access – Go to your Google Account’s third-party connections page at myaccount.google.com/connections. Under “Access to your Google Account,” review the list of apps and select any you don’t recognize. From there you can remove access entirely.

Check your mail – Look in your Sent folder for emails you did not send. Look for unexpected emails in your inbox, particularly starred or unread messages from unfamiliar senders that you do not recall receiving. Check your Trash and All Mail for messages you did not delete.

Secure your account – Review active sessions at myaccount.google.com/device-activity and sign out any unrecognized sessions.

Change your Google password – Then enable two-factor authentication, or verify that it is already active on your account. If you used the same password elsewhere, change it on those services too.

Check for financial exposure – If you received a fake payment-related email and entered card details, contact your bank immediately to report potential fraud and request a card replacement. Monitor your bank and card statements for unauthorized transactions.

While these steps may not cover every scenario, they’re a good place to start.

If you see a Nylas app you don’t recognize or didn’t authorize, remove it immediately and email us at [email protected] — we’ll investigate.

A note on transparency

The instinct in security incidents is often to say as little as possible — to minimize alarm, to avoid giving bad actors a roadmap.

We landed on transparency, for a simple reason: developers and users who trust us with access to their data deserve to know how we handle problems when they arise. Not a sanitized press release, but a candid account of what happened and what we’re doing about it.

That’s the standard we’re holding ourselves to, and we believe it’s right for this situation. If you have questions, reach out to our security team at [email protected]. We’re listening.

You can also learn more about how Nylas approaches security at nylas.com/security
