Threat Actors Impersonating Microsoft OAuth Applications to Steal Login Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated phishing campaign exploiting Microsoft OAuth applications has emerged as a significant threat to enterprise security, with cybercriminals successfully bypassing multifactor authentication systems to steal user credentials.

The campaign, which began in early 2025 and remains ongoing, leverages fake Microsoft 365 applications that impersonate legitimate enterprise services including RingCentral, SharePoint, Adobe, and DocuSign to lure unsuspecting victims.

The attack represents a concerning evolution in credential theft techniques, combining traditional phishing methods with OAuth application abuse to create a highly effective attack vector.

Threat actors have created over 50 impersonated applications, targeting thousands of users across hundreds of organizations worldwide.

The campaign’s primary objective is to obtain unauthorized access to Microsoft 365 accounts through attacker-in-the-middle (AiTM) phishing techniques, predominantly using the Tycoon Phishing-as-a-Service platform.

Landing page for requested permissions from malicious OAuth app (Source – Proofpoint)

Proofpoint researchers identified this cluster of malicious activity through their threat intelligence monitoring, noting that the campaigns typically impact hundreds of customers with thousands of messages per wave.

The researchers observed that while most campaigns impersonate generic enterprise applications, some attackers customize their lures based on specific software used in targeted industries, demonstrating a sophisticated understanding of their victims’ operational environments.

The financial and operational impact has been substantial, with researchers documenting attempted account compromises affecting nearly 3,000 user accounts across more than 900 Microsoft 365 environments.

Perhaps most concerning is the campaign’s confirmed success rate exceeding 50%, highlighting the effectiveness of this hybrid attack methodology that combines email-based social engineering with cloud application abuse.

Technical Attack Mechanism and Infrastructure Analysis

The attack chain begins with emails sent from compromised accounts containing subjects related to business contracts or request-for-quote scenarios.

These messages include URLs that redirect victims to legitimate Microsoft OAuth authorization pages for maliciously crafted applications.

The applications request minimal permissions, typically “View your basic profile” and “Maintain access to data you have given it access to,” making them appear benign to users.

The malicious OAuth applications employ a clever psychological manipulation: regardless of whether users click “Accept” or “Cancel” on the permission prompt, they are redirected through the same attack flow.

This eliminates user choice as a defense mechanism and ensures consistent payload delivery.

Lure impersonating ILS (Source – Proofpoint)

The technical configuration reveals the sophisticated nature of these applications:

{
  "sAppName": "iLSMART",
  "sAppWebsite": "chrnobinson[.]com",
  "arrAppReplyUrls": ["https[:]//azureapplicationregistration[.]pages[.]dev/redirectapp"],
  "sAppCreatedDate": "3/17/2025",
  "arrScopes": [
    {
      "label": "View your basic profile",
      "description": "Allows the app to see your basic profile"
    }
  ]
}

After the OAuth interaction, victims encounter a CAPTCHA page that leads to counterfeit Microsoft authentication pages featuring their organization’s Entra ID branding.

These pages utilize the Tycoon PhaaS platform’s synchronous relay capabilities to harvest credentials and intercept two-factor authentication tokens.

Researchers identified the campaign’s infrastructure through specific user agent strings, particularly “axios/1.7.9” and “axios/1.8.2,” which are characteristic of Tycoon toolkit operations, providing crucial indicators for detection and attribution efforts.
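As an added defender-side example, not part of the Proofpoint report or this article, the following Python triages an app-registration record of the shape shown above (defanged brackets included) and scans constructed sign-in log lines for the axios user agents; the trusted reply-host allow-list and the log line format are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample in the app-registration format shown above, defanged as in the report.
SAMPLE_APP = """{
  "sAppName": "iLSMART",
  "sAppWebsite": "chrnobinson[.]com",
  "arrAppReplyUrls": ["https[:]//azureapplicationregistration[.]pages[.]dev/redirectapp"],
  "sAppCreatedDate": "3/17/2025",
  "arrScopes": [{"label": "View your basic profile",
                 "description": "Allows the app to see your basic profile"}]
}"""

# User agents the article ties to Tycoon relay infrastructure.
TYCOON_USER_AGENTS = {"axios/1.7.9", "axios/1.8.2"}
# Scopes the lure apps request; consent prompts limited to these look harmless.
LURE_SCOPES = {"View your basic profile", "Maintain access to data you have given it access to"}
# Hypothetical allow-list of reply-URL hosts an organization expects (assumption).
TRUSTED_REPLY_HOSTS = {"login.microsoftonline.com"}

# Constructed sign-in log lines; the ua="..." field layout is an assumption.
SAMPLE_SIGNINS = [
    '2025-03-18T10:02:11Z user=a.user@example.com result=success ua="axios/1.7.9"',
    '2025-03-18T10:05:40Z user=b.user@example.com result=success ua="Mozilla/5.0 (Windows NT 10.0)"',
]

def refang(value: str) -> str:
    """Turn 'example[.]com' / 'https[:]//' back into a parseable string."""
    return value.replace("[.]", ".").replace("[:]", ":")

def assess_app(record_json: str) -> list[str]:
    """Return the reasons an OAuth app record matches the lure pattern described above."""
    app = json.loads(record_json)
    findings = []
    website = refang(app.get("sAppWebsite", ""))
    for url in app.get("arrAppReplyUrls", []):
        host = urlparse(refang(url)).hostname or ""
        # Reply URL should belong to the app's own domain or a trusted host.
        if host not in TRUSTED_REPLY_HOSTS and not host.endswith(website):
            findings.append(f"reply URL host {host} does not match app website {website}")
        if host.endswith(".pages.dev"):  # free static hosting seen in the sample record
            findings.append(f"reply URL on throwaway hosting: {host}")
    labels = {scope["label"] for scope in app.get("arrScopes", [])}
    if labels and labels <= LURE_SCOPES:
        findings.append("requests only the low-privilege scopes used as a consent lure")
    return findings

def flag_tycoon_signins(log_lines: list[str]) -> list[str]:
    """Return sign-in lines whose user agent exactly matches a Tycoon indicator."""
    ua_field = re.compile(r'ua="([^"]*)"')
    hits = []
    for line in log_lines:
        match = ua_field.search(line)
        if match and match.group(1) in TYCOON_USER_AGENTS:
            hits.append(line)
    return hits
```

A consent to an app flagged by `assess_app` followed by a sign-in flagged by `flag_tycoon_signins` for the same user is the sequence the article describes and is worth an alert.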
