Cybersecurity firm Proofpoint has reported on a new and ongoing attack cluster, first observed in early 2025, where threat actors are leveraging counterfeit Microsoft OAuth applications. These malicious applications are designed to impersonate well-known enterprises such as RingCentral, SharePoint, Adobe, and DocuSign to appear legitimate. The primary objective of this campaign is to perform account takeovers by harvesting user credentials from Microsoft 365 accounts. The attack relies on sophisticated phishing kits like Tycoon and ODx, which are specifically engineered to defeat security measures like multi-factor authentication (MFA).
The attack chain begins with a carefully crafted phishing email, often sent from a previously compromised account to enhance its credibility. These emails use business-oriented pretexts, such as requests for quotes (RFQs) or contract agreements, to entice the recipient into clicking a malicious URL. Upon clicking the link, the victim is directed not to a fake login page, but to a legitimate Microsoft OAuth consent screen for a fraudulent application, such as one named “iLSMART,” which impersonates a real-world aviation marketplace. This step is designed to lower the user’s guard by leveraging Microsoft’s own trusted domain.
A notable aspect of this attack is its persistence and layered deception.
After the user interacts with the OAuth consent prompt—regardless of whether they accept or deny the requested permissions—they are funneled through a CAPTCHA verification page. Once complete, they are finally redirected to a fake Microsoft authentication page. This page is powered by an Adversary-in-the-Middle (AitM) framework from a Phishing-as-a-Service (PhaaS) platform known as Tycoon. This AitM setup acts as a proxy, intercepting the communication between the user and the real Microsoft service to capture not only their username and password but also the session cookies and MFA codes needed to bypass security.
The scale of this operation is significant, with Proofpoint observing over 50 different impersonated applications used in these campaigns. The underlying Tycoon toolkit is responsible for a substantial volume of attacks, with attempted compromises affecting nearly 3,000 user accounts across more than 900 separate Microsoft 365 environments in 2025 alone. In response to this and similar threats, Microsoft has announced plans to implement security updates by August 2025. These changes will block legacy authentication protocols and require administrator consent for third-party app access, a move that is expected to significantly disrupt this type of attack vector.
This OAuth-based attack is part of a broader landscape of evolving threats targeting corporate users. The provided research also highlights other concurrent campaigns, such as spear-phishing emails deploying keyloggers and spam operations that embed links to Remote Monitoring and Management (RMM) software within PDF documents. These RMM tools, often disguised as necessary programs to view invoices or contracts, provide attackers with an initial foothold into a network, which is a favored tactic for ransomware operators and other malicious actors seeking to escalate their privileges and execute further attacks.
Reference:
