{"id":4214,"date":"2025-08-01T11:17:49","date_gmt":"2025-08-01T11:17:49","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4214"},"modified":"2025-08-01T11:17:49","modified_gmt":"2025-08-01T11:17:49","slug":"cybercrooks-faked-microsoft-oauth-apps-for-mfa-phishing","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4214","title":{"rendered":"Cybercrooks faked Microsoft OAuth apps for MFA phishing"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Threat actors have cooked up a clever way to slip past multifactor authentication (MFA), tricking users into approving fake app access requests that impersonate trusted brands.<\/p>\n<p>According to Proofpoint findings, attackers are crafting fake Microsoft OAuth apps that mimic trusted brands, like SharePoint and DocuSign, to dupe users and swipe their credentials.<\/p>\n<p>\u201cProofpoint has identified a cluster of activity using Microsoft OAuth application creation and redirects that lead to malicious URLs enabling credential phishing,\u201d Proofpoint researchers said in a blog post. 
\u201cThe goal of the campaign is to use OAuth applications as a gateway lure to conduct other activities, mostly to obtain access to Microsoft 365 accounts via MFA phishing.\u201d<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3833826\/how-to-configure-oauth-in-microsoft-365-defender-and-keep-your-cloud-secure.html\">Microsoft OAuth<\/a> apps are applications that use Microsoft\u2019s identity platform (Azure AD \/ Entra ID) to request permission to access data in services like Microsoft 365, OneDrive, Outlook, Teams, or SharePoint on behalf of a user.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>OAuth impersonation for MFA bypass<\/h2>\n<p>According to <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/microsoft-oauth-app-impersonation-campaign-leads-mfa-phishing\" target=\"_blank\" rel=\"noopener\">Proofpoint<\/a>, the impersonated apps used convincing names, logos, and permission prompts to trick users into approving access, without raising alarms.<\/p>\n<p>Once a victim clicked \u2018accept\u2019, they were redirected through a CAPTCHA to a spoofed Microsoft login page. The CAPTCHA step served as an anti-bot measure, preventing automated scanners from flagging the attack. Behind the scenes, phishing kits like Tycoon or ODx captured both login credentials and session tokens, allowing attackers to bypass MFA and gain persistent access to Microsoft 365 accounts.<\/p>\n<p>\u201cThe phishing campaigns leverage multi-factor authentication (MFA) attacker-in-the-middle (AiTM) phishing kits like Tycoon,\u201d researchers added. 
\u201cSuch activity could be used for information gathering, lateral movement, follow-on malware installations, or to conduct additional phishing campaigns from compromised accounts.\u201d<\/p>\n<p>This method is particularly dangerous because OAuth tokens <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/cloud-security\/oauth-abuse-think-solarwindssolorigate-campaign-focus-cloud-applications\" target=\"_blank\" rel=\"noopener\">can survive<\/a> password resets. Even if a compromised user changes their password, attackers can still use the granted permissions to access email, files, and other cloud services until the OAuth token is revoked.<\/p>\n<p>Proofpoint said the campaign abused over 50 trusted brands, including companies like RingCentral, SharePoint, Adobe, and DocuSign.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Microsoft moves to curb the threat<\/h2>\n<p>Thousands of malicious messages have been sent from compromised business accounts, as part of the campaign, each impersonating well-known companies. Some lures asked for benign-looking permissions such as \u201cview your profile\u201d and \u201cmaintain access to data you have given it access to\u201d.<\/p>\n<p>Proofpoint said it reported the observed apps to Microsoft in early 2025 and noted that the software giant\u2019s upcoming Microsoft 365 default-setting changes, announced in June 2025, are expected to significantly limit attackers\u2019 ability to abuse third-party app access. The updates began rolling out in mid-July and are expected to be completed by August 2025.<\/p>\n<p>Microsoft did not immediately respond to CSO\u2019s request for comments.<\/p>\n<p>Proofpoint recommends implementing effective BEC-prevention measures, blocking unauthorized access in cloud environments, and isolating potentially malicious links in emails to stay ahead of the campaign. 
Additionally, educating users on Microsoft 365 security risks and strengthening authentication with <a href=\"https:\/\/www.csoonline.com\/article\/4025710\/poisonseed-outsmarts-fido-keys-without-touching-them.html\">FIDO-based<\/a> physical security keys might help. Malicious Microsoft OAuth application IDs and Tycoon fingerprints observed in the campaign were also shared to support detection.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors have cooked up a clever way to slip past multifactor authentication (MFA), tricking users into approving fake app access requests that impersonate trusted brands. According to Proofpoint findings, attackers are crafting fake Microsoft OAuth apps that mimic trusted brands, like SharePoint and DocuSign, to dupe users and swipe their credentials. \u201cProofpoint has identified [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4215,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4214","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4214"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4214"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4214\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4215"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_
route=%2Fwp%2Fv2%2Fmedia&parent=4214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}