
Threat Actors Impersonate Microsoft OAuth Apps to Steal Login Credentials

Threat actors are running phishing campaigns that use fake Microsoft OAuth applications to impersonate legitimate enterprises, enabling credential theft that bypasses multifactor authentication (MFA).

Proofpoint researchers have tracked this activity since early 2025, identifying over 50 impersonated applications, including those mimicking RingCentral, SharePoint, Adobe, and DocuSign.

These malicious OAuth apps serve as initial lures, redirecting users to attacker-in-the-middle (AiTM) phishing kits like Tycoon and ODx, which capture credentials and session cookies in real time.

Figure: Landing page for the permissions requested by the malicious OAuth app.

The campaigns exploit OAuth consent flows, requesting benign scopes such as viewing basic profiles or maintaining data access, but regardless of user consent, victims are funneled to counterfeit Microsoft login pages branded with their organization’s Entra ID details.

This AiTM approach proxies authentication requests, intercepting MFA tokens and enabling account takeovers (ATOs) for purposes like information gathering, lateral movement, or further phishing from compromised accounts.

Campaign Overview and Techniques

Proofpoint has reported these apps to Microsoft, and upcoming changes in Microsoft 365, such as blocking legacy authentication and requiring admin consent for third-party apps starting mid-July 2025, are expected to disrupt this tactic significantly.

Emails in these campaigns often originate from compromised accounts and use lures themed around requests for quotes or business contracts, with thousands of messages sent to hundreds of organizations.

Customization occurs based on industry, with impersonations tailored to specific software, amplifying relevance and success rates.

In cloud tenant data, Proofpoint observed over two dozen similar malicious apps, primarily requesting scopes like openid, email, and profile, with reply URLs leading to phishing infrastructure.

While most apps acted only as lures without direct compromise capabilities, ATOs were confirmed in five cases; the broader Tycoon-linked operations, however, showed a success rate exceeding 50%, affecting nearly 3,000 accounts across 900 environments in 2025.

Infrastructure Insights

A March 2025 campaign targeted a U.S.-based aviation firm, impersonating ILSMart, an aerospace inventory service, with an OAuth app named “iLSMART” that requested basic profile access and data maintenance permissions.

Redirects led to CAPTCHA challenges and then to Tycoon-powered fake Microsoft pages that harvested credentials and MFA tokens by relaying the login in real time.

Configuration details included reply URLs like azureapplicationregistration[.]pages[.]dev/redirectapp and scopes focused on user profile visibility.

Similarly, a June 2025 Adobe impersonation used SendGrid-delivered emails redirecting through intermediate URLs to an OAuth “Redirector App,” ultimately landing on Tycoon phishing pages with parameters like client_id 854189f9-4c71-44bb-9880-dd0c2f75922a and scopes including openid+email+profile.

Figure: “Redirector app” landing page.

In cloud tenant data, Proofpoint observed clusters such as a fake “Adobe” app that affected four users via the reply URL workspacesteamworkspace[.]myclickfunnels[.]com/offices–af295, with Axios user agents (e.g., axios/1.7.9) signaling Tycoon involvement.

Another incident, involving an app named “OneDrive-2025”, used cleansbeauty[.]com/lost/apc.html and was followed by MFA manipulation, such as registering additional security methods for persistence.

Figure: Example phishing flow or application consent prompt for the impersonated Adobe app.

Tycoon, a phishing-as-a-service platform, relies on Axios HTTP clients in its operations and in April 2025 shifted its infrastructure from Russian proxies to U.S.-based data center hosting to evade detection.

Proofpoint notes this as part of a broader trend toward identity-targeted AiTM attacks, recommending defenses like email security for BEC prevention, cloud monitoring for ATO detection, web isolation, user awareness, and FIDO keys.
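To make the cloud-monitoring angle concrete, here is an added triage script (not from Proofpoint or the article) that looks for the chain described above: consent to an app whose reply URL is outside the tenant's trusted domains and that asks only for lure scopes, a successful sign-in from an Axios user agent, and a new security method registered shortly afterwards. The simplified event shape, the tenant allowlist and the app IDs are assumptions; the sample events are constructed, with the reply URL and user agents taken from the article.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample events in a simplified Entra ID audit/sign-in shape (not real telemetry).
# The reply URL and user agents come from the article; app_id values and users are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2025-03-18T09:00:00", "kind": "consent", "user": "alice@example.com",
     "app_id": "00000000-PLACEHOLDER-APPID", "scopes": "openid email profile",
     "reply_url": "hxxps://azureapplicationregistration[.]pages[.]dev/redirectapp"},
    {"ts": "2025-03-18T09:03:00", "kind": "signin", "user": "alice@example.com",
     "user_agent": "axios/1.7.9", "status": "success"},
    {"ts": "2025-03-18T09:10:00", "kind": "security_info", "user": "alice@example.com",
     "activity": "User registered security info"},
    {"ts": "2025-03-18T10:00:00", "kind": "consent", "user": "bob@example.com",
     "app_id": "11111111-PLACEHOLDER-APPID", "scopes": "openid profile",
     "reply_url": "https://login.microsoftonline.com/common/oauth2/nativeclient"},
    {"ts": "2025-03-18T10:05:00", "kind": "signin", "user": "bob@example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "status": "success"},
]

TRUSTED_REPLY_DOMAINS = {"login.microsoftonline.com", "example.com"}  # assumed tenant allowlist
LURE_SCOPES = {"openid", "email", "profile", "offline_access"}  # low-privilege scopes used as lures

def refang(url):
    """Turn defanged notation (hxxps, [.], [:]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", ".").replace("[:]", ":"))

def reply_host(url):
    """Hostname of a (possibly defanged) reply URL, or '' if it cannot be parsed."""
    return urlparse(refang(url)).hostname or ""

def triage(events, trusted=TRUSTED_REPLY_DOMAINS, window=timedelta(hours=24)):
    """Return {user: [reasons]} for users matching lure consent -> AiTM sign-in -> MFA method added."""
    findings, suspicious_signin = {}, {}  # suspicious_signin: user -> time of first Axios sign-in
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user, kind = datetime.fromisoformat(ev["ts"]), ev["user"], ev["kind"]
        if kind == "consent":
            host = reply_host(ev["reply_url"])
            if not any(host == d or host.endswith("." + d) for d in trusted):
                note = " with lure scopes only" if set(ev["scopes"].split()) <= LURE_SCOPES else ""
                findings.setdefault(user, []).append(f"consent to app {ev['app_id']} replying to {host}{note}")
        elif kind == "signin" and ev["status"] == "success" and ev["user_agent"].lower().startswith("axios/"):
            suspicious_signin.setdefault(user, ts)
            findings.setdefault(user, []).append(f"successful sign-in with {ev['user_agent']} (Tycoon-linked client)")
        elif kind == "security_info" and user in suspicious_signin and ts - suspicious_signin[user] <= window:
            findings.setdefault(user, []).append("security info registered soon after suspicious sign-in (persistence)")
    return findings
```

Run against real exports, the three reasons together for one user are a strong ATO signal; a lone untrusted reply URL is worth a consent review but is not by itself proof of compromise.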

Indicators of Compromise


