Two phishing campaigns have been targeting Microsoft 365 users, exploiting OAuth redirection vulnerabilities. These attacks use brand impersonation techniques, relying on familiar names like Adobe and DocuSign to trick users into granting access to malicious OAuth applications. Researchers from Proofpoint identified several fraudulent apps, including “Adobe Drive,” “Adobe Acrobat,” and “DocuSign,” which redirect users to credential harvesting and malware delivery sites. By manipulating OAuth flows, attackers are able to bypass traditional security measures like domain reputation and anti-spoofing strategies.
The phishing attacks leverage vulnerabilities in how OAuth 2.0 authorization flows work, redirecting users from legitimate Microsoft URLs to attacker-controlled sites. The vulnerability allows attackers to modify parameters in the authorization flow to trigger the redirection. These phishing attempts are particularly dangerous because they traverse through Microsoft’s legitimate servers, avoiding detection by standard email security protocols.
The malicious apps request only minimal permissions, such as access to profile information and email, to remain undetected while executing their attack.
These attacks primarily target high-value employees with access to sensitive data, such as executives, account managers, and finance personnel. Successful exploitation allows attackers to gain persistent access to emails, files, and Microsoft Teams chats. This is a growing trend of attackers exploiting cloud services’ built-in trust mechanisms.
As the phishing messages appear legitimate within the Microsoft ecosystem, they can bypass traditional security measures, putting organizations at high risk.
To defend against these attacks, security experts recommend implementing phishing-resistant authentication methods, such as FIDO2 security keys, and enforcing strict conditional access policies. Disabling legacy authentication protocols and adding multi-factor authentication (MFA) number matching can prevent attackers from bypassing MFA. Additionally, organizations should monitor Azure AD logs and implement alerts for suspicious OAuth app consent requests. Regular training on OAuth consent phishing tactics can also help reduce risk.
