
Microsoft MFA phishing scheme leverages OAuth apps


A recent phishing campaign targeting Microsoft 365 logins leverages Microsoft OAuth apps for social engineering.

The attacks begin with emails impersonating legitimate brands, with more than 50 spoofed brands identified, Proofpoint reported Thursday. The emails include links to Microsoft OAuth landing pages where apps, controlled by the attacker, request minimal access to the target’s Microsoft account.

The misuse of Microsoft OAuth in this campaign means the links in the emails point to a legitimate Microsoft domain (the login.microsoftonline.com authorization endpoint), making them less likely to be flagged by security tools. Users may also be less likely to become suspicious, since the consent prompt is the familiar, trusted OAuth flow and the permissions requested look benign.

However, the consent itself is only the lure. Whether or not the user approves the permissions, the authorization endpoint sends the browser back to the app's registered redirect URI, which the attacker controls; a declined consent simply arrives there with an error parameter instead of an authorization code. That attacker-controlled site displays a CAPTCHA and then a fake Microsoft login page.

The attacker leverages phishing kits, including Tycoon, to run that fake login page as an adversary-in-the-middle (AiTM) proxy to the real Microsoft sign-in flow, which defeats conventional multifactor authentication (MFA). If the target enters their credentials and completes the MFA prompt, the proxy relays them to Microsoft in real time and captures the resulting authenticated session token, which the attacker can replay to log in without triggering MFA again.

Proofpoint provided examples of phishing emails impersonating Adobe and ILSMart, an inventory-locator service for the aerospace and defense industry. The latter lure appeared to be specifically targeted, as the recipient was a small, U.S.-based aviation firm.

Based on its visibility into the cloud tenants it monitors, Proofpoint said more than two dozen users across 20 different cloud tenants authorized attacker-controlled applications involved in this campaign in early 2025. Actual account takeovers, however, occurred in only five of those cases.

Proofpoint recommends robust email and cloud security measures to help detect, remediate and investigate such attacks, security awareness training for Microsoft 365 users, and adoption of phishing-resistant FIDO-based MFA, which an AiTM proxy cannot relay because the credential is bound to the legitimate origin.
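One concrete "detect and remediate" step for the consent-phishing stage described above is to hunt a tenant for OAuth grants that individual users gave to multi-tenant apps from unverified publishers requesting only low-privilege scopes, and to revoke both the grant and the users' sign-in sessions. The script below is an added example written for this article; it is not Proofpoint's or Microsoft's code. It assumes you have already exported the Microsoft Graph collections /servicePrincipals and /oauth2PermissionGrants to JSON; the Graph property names are real, but the tenant id, app names and grant records are constructed sample data, and the low-privilege scope set is a heuristic of my own.

```python
"""Hunt for user-consented third-party OAuth apps in a Microsoft Entra tenant.

Added example for this article; it is not Proofpoint's or Microsoft's code.
It assumes you have already exported two Microsoft Graph collections to JSON:
    GET https://graph.microsoft.com/v1.0/servicePrincipals
    GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
The property names used (appId, appOwnerOrganizationId, verifiedPublisher,
clientId, consentType, principalId, scope) are Graph's own; every record,
tenant id and app name below is constructed sample data.
"""
from dataclasses import dataclass, field

GRAPH = "https://graph.microsoft.com/v1.0"
MY_TENANT = "11111111-1111-1111-1111-111111111111"  # assumed: your own tenant id

# Scopes that read as harmless in a consent prompt (heuristic, my own choice).
# In this campaign the consent is only the lure and the redirect is the
# payload, so the app asks for little. offline_access still yields a refresh
# token, which is why it stays on the list.
LOW_PRIV = {"openid", "profile", "email", "User.Read", "offline_access"}

# Constructed sample of /servicePrincipals (subset of fields).
SERVICE_PRINCIPALS = [
    {"id": "sp-expense", "appId": "app-0001", "displayName": "Contoso Expense Sync",
     "appOwnerOrganizationId": MY_TENANT, "verifiedPublisher": {"displayName": None}},
    {"id": "sp-lure", "appId": "app-0002", "displayName": "Adobe Document Viewer",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-cli", "appId": "app-0003", "displayName": "Graph Command Line Tools",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"displayName": "Microsoft"}},
]

# Constructed sample of /oauth2PermissionGrants. consentType "Principal" is a
# single user's consent; "AllPrincipals" is tenant-wide admin consent.
GRANTS = [
    {"id": "g1", "clientId": "sp-expense", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph", "scope": "Mail.Read"},
    {"id": "g2", "clientId": "sp-lure", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "graph",
     "scope": "openid profile email User.Read offline_access"},
    {"id": "g3", "clientId": "sp-lure", "consentType": "Principal",
     "principalId": "user-bob", "resourceId": "graph",
     "scope": "openid profile email User.Read offline_access"},
    {"id": "g4", "clientId": "sp-cli", "consentType": "Principal",
     "principalId": "user-carol", "resourceId": "graph", "scope": "User.Read"},
]


@dataclass
class Finding:
    app_name: str
    app_id: str
    reasons: list
    grants: list = field(default_factory=list)  # (grant id, consenting user id)


def find_user_consents(sps, grants, my_tenant):
    """One Finding per multi-tenant app that individual users consented to."""
    by_id = {sp["id"]: sp for sp in sps}
    findings = {}
    for g in grants:
        if g["consentType"] != "Principal":
            continue  # admin-wide consent: review in a separate pass
        sp = by_id.get(g["clientId"])
        if sp is None or sp.get("appOwnerOrganizationId") == my_tenant:
            continue  # unknown client, or an app registered in our own tenant
        reasons = ["individual user consent to a multi-tenant app"]
        if not (sp.get("verifiedPublisher") or {}).get("displayName"):
            reasons.append("publisher not verified")
        if set(g["scope"].split()) <= LOW_PRIV:
            reasons.append("only low-privilege scopes (matches the lure profile)")
        f = findings.setdefault(
            sp["id"], Finding(sp["displayName"], sp["appId"], reasons))
        f.grants.append((g["id"], g["principalId"]))
    return list(findings.values())


def remediation_plan(findings):
    """Graph calls that delete unverified-publisher consents and revoke the
    affected users' sign-in sessions (refresh tokens). The session revocation
    is the part that matters most: in this campaign the account takeover comes
    from the AiTM-stolen session, not from the consent itself."""
    calls = []
    for f in findings:
        if "publisher not verified" not in f.reasons:
            continue
        for grant_id, user_id in f.grants:
            calls.append(("DELETE", f"{GRAPH}/oauth2PermissionGrants/{grant_id}"))
            calls.append(("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions"))
    return calls


if __name__ == "__main__":
    found = find_user_consents(SERVICE_PRINCIPALS, GRANTS, MY_TENANT)
    for f in found:
        print(f.app_name, f.app_id, f.reasons, f.grants)
    for method, url in remediation_plan(found):
        print(method, url)
```

On the sample data the verified-publisher app still appears as a finding, because user consent to any multi-tenant app is worth a look, but only the unverified "Adobe Document Viewer" grants make it into the remediation plan. Replace the constructed lists with your real exports and issue the DELETE and POST calls with a token that holds DelegatedPermissionGrant.ReadWrite.All and User.ReadWrite.All.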

The company also noted that Microsoft will be updating Microsoft 365 default settings by August 2025, “blocking legacy authentication protocols and requiring admin consent for third-party app access,” which may help curb attacks against Microsoft 365 accounts.
