Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing
(MENAFN- BPG Group) Dubai, United Arab Emirates, 31 July 2025: Proofpoint has identified a cluster of activity that uses Microsoft OAuth application creation and redirects to lead users to malicious URLs enabling credential phishing. The fake Microsoft 365 applications impersonate various companies including RingCentral, SharePoint, Adobe, and DocuSign. Proofpoint first observed this activity in early 2025, and it remains ongoing. These attacks are part of a growing trend in which cybercriminals use trusted digital platforms to carry out highly targeted phishing schemes that look legitimate to unsuspecting users.
The goal of the campaigns is to use OAuth applications as a gateway lure for other activities, mostly obtaining access to Microsoft 365 accounts via MFA phishing. The phishing campaigns leverage multifactor authentication (MFA) attacker-in-the-middle (AiTM) phishing kits, predominantly Tycoon. Such access could be used for information gathering, lateral movement, follow-on malware installation, or additional phishing campaigns sent from compromised accounts. Even organizations that enforce multifactor authentication can be vulnerable, because AiTM kits intercept login credentials and session tokens in real time.
Proofpoint has observed this technique in email campaigns involving over 50 impersonated applications, and multiple phishing kits using this attack chain, including Tycoon and ODx. In cloud threat data, Proofpoint threat researchers have observed a smaller number of these applications and their follow-on activity. Proofpoint reported the observed apps to Microsoft.
In June 2025, Microsoft announced that it is updating default settings in Microsoft 365 by “blocking legacy authentication protocols and requiring admin consent for third-party app access. Changes start mid-July 2025 and complete by August 2025.” This update will have a positive impact on the landscape overall and will hamstring threat actors that use this technique.
Campaign Details
In observed email campaigns, messages are often sent from compromised email accounts and carry subjects related to requests for quotes or business contract agreements. The campaigns typically include thousands of messages and impact hundreds of customers.
ILSMart Impersonation
In a campaign observed in March 2025, the compromised sender belonged to a small, U.S.-based aviation firm, and the request for quote (RFQ) lure impersonated ILSMart, an inventory locating service for aerospace and defense companies.
The messages contained a URL that led to a Microsoft OAuth page for an application named “iLSMART”. The application requested the following access:
• View your basic profile
• Maintain access to data you have given it access to
If the target accepted the permissions, the attacker was granted those limited rights on the target’s account. On their own, the application’s permissions are of limited use to an attacker, but they set up the next stage of the attack.
The subsequent redirect led to a fake Microsoft login page that presented the user's organization’s Entra ID branding and was designed to harvest credentials and intercept the 2FA-approved token associated with the session cookie. This was achieved through the AiTM technique, using the synchronous relay capabilities of the Tycoon Phishing-as-a-Service (PhaaS) platform. This form of deception makes the fake login page appear nearly identical to an organization’s official sign-in page, further lowering suspicion.
Scope and Spread
These applications were authorized by more than two dozen users in more than 20 different tenants. However, evidence of actual account takeovers (ATOs) was found in only five cases. This suggests that:
• These malicious apps acted primarily as phishing lures.
• With narrow scopes, the applications alone could not compromise accounts unless users submitted credentials on the phishing page.
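As an added defender-side illustration (not code from Proofpoint or the report), the following Python flags consent grants that match the pattern in the ILSMart and Scope and Spread sections: a publisher-unverified app with a brand-like name that asks only for the two narrow permissions above (mapped here to the Microsoft Graph scopes `User.Read` for “View your basic profile” and `offline_access` for “Maintain access to data you have given it access to”), then aggregates the flagged grants per app across tenants. The simplified audit-record layout, tenant names, user addresses and app IDs are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Brands the article names as impersonated by the fake apps.
IMPERSONATED_BRANDS = ("ilsmart", "ringcentral", "sharepoint", "adobe", "docusign")
# Narrow scopes the iLSMART lure requested: basic profile plus persistent access.
LURE_SCOPES = frozenset({"User.Read", "offline_access"})

@dataclass(frozen=True)
class ConsentEvent:
    """One simplified 'Consent to application' audit record (assumed shape)."""
    tenant: str
    user: str
    app_display_name: str
    app_id: str
    scopes: frozenset
    publisher_verified: bool

def looks_like_brand(name: str) -> bool:
    """Case- and punctuation-insensitive match, so 'iLSMART' hits 'ilsmart'."""
    normalized = re.sub(r"[^a-z0-9]", "", name.lower())
    return any(brand in normalized for brand in IMPERSONATED_BRANDS)

def is_lure_consent(ev: ConsentEvent) -> bool:
    """Unverified publisher, brand-like name and only narrow scopes that still
    include offline_access: the low-privilege gateway pattern described above."""
    return (not ev.publisher_verified
            and looks_like_brand(ev.app_display_name)
            and "offline_access" in ev.scopes
            and ev.scopes <= LURE_SCOPES)

def campaign_spread(events):
    """Map each flagged appId to the tenants and users that consented to it;
    one app consented to across several tenants is the spread signal above."""
    spread = defaultdict(lambda: {"tenants": set(), "users": set()})
    for ev in events:
        if is_lure_consent(ev):
            spread[ev.app_id]["tenants"].add(ev.tenant)
            spread[ev.app_id]["users"].add(ev.user)
    return dict(spread)

# Constructed sample records; tenant names, addresses and app IDs are placeholders.
SAMPLE_EVENTS = [
    ConsentEvent("tenant-a", "alice@a.example", "iLSMART", "app-0001", LURE_SCOPES, False),
    ConsentEvent("tenant-b", "bob@b.example", "iLSMART", "app-0001", LURE_SCOPES, False),
    ConsentEvent("tenant-a", "carol@a.example", "Adobe Acrobat", "app-0002", LURE_SCOPES, True),
    ConsentEvent("tenant-c", "dave@c.example", "DocuSign", "app-0003", frozenset({"Mail.ReadWrite"}), False),
]
```

The last sample (a brand-like app requesting a broad mailbox scope) is deliberately not matched by this rule; such grants warrant a separate, higher-severity detection rather than being folded into the narrow-scope lure pattern.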
Conclusion
Threat actors are creating increasingly innovative attack chains in an attempt to bypass detections and gain access to organizations globally. Proofpoint anticipates that threat actors will increasingly target users’ identities, with AiTM credential phishing becoming the criminal industry standard.