
In 2025, Proofpoint identified an ongoing phishing campaign abusing Microsoft OAuth applications to compromise Microsoft 365 accounts. Threat actors created malicious OAuth apps impersonating trusted services like Adobe, SharePoint, and DocuSign, using them as lures to redirect victims to attacker-in-the-middle (AiTM) phishing sites. These sites, powered by the Tycoon Phishing-as-a-Service platform, captured credentials and session cookies to bypass MFA.
Attackers sent emails, often from compromised accounts, carrying RFQ-themed lures or document-sharing links. When users clicked the links, they were prompted to authorize OAuth apps that requested seemingly benign scopes (e.g., profile, email). Whether the user accepted or declined the consent prompt, they were redirected to counterfeit Microsoft login pages that mirrored their organization's Entra ID branding.
Proofpoint documented over 50 such apps and multiple phishing kits. Though hundreds of users interacted with the lures, confirmed account takeovers were limited to a few dozen cases. However, Tycoon’s success rate exceeds 50% in broader Microsoft 365 targeting campaigns. Notably, Axios user agents (e.g., axios/1.7.9, axios/1.8.2) were linked to the kit’s infrastructure.
Microsoft's enforcement of admin consent policies and legacy auth restrictions (effective August 2025) will mitigate future risk. Still, organizations should combine email, cloud, and web security controls with phishing-resistant MFA such as FIDO2 keys.
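Two of the observations above translate directly into hunting logic: sign-ins carrying the Axios user agents tied to the kit, and user-granted consents to unverified apps whose names borrow the impersonated brands. The script below is an added example written for this post, not Proofpoint's or Microsoft's code; the log field names and the sample records are constructed assumptions shaped loosely like Entra ID sign-in and audit exports.

```python
"""Triage constructed Entra ID-style sign-in and consent records for the two
signals described in the post. Field names are assumptions for this example."""

# Indicator from the report: Axios user agents linked to the kit's infrastructure.
SUSPICIOUS_UA_PREFIXES = ("axios/",)
# Brands the malicious OAuth apps impersonated, per the report.
IMPERSONATED_BRANDS = ("adobe", "sharepoint", "docusign")


def is_kit_user_agent(user_agent: str) -> bool:
    """True when the sign-in user agent matches a kit-linked Axios client."""
    return user_agent.lower().startswith(SUSPICIOUS_UA_PREFIXES)


def is_suspicious_consent(event: dict) -> bool:
    """Flag a user (not admin) consent to an app that borrows a trusted brand
    name while coming from an unverified publisher."""
    name = event.get("app_display_name", "").lower()
    borrows_brand = any(brand in name for brand in IMPERSONATED_BRANDS)
    unverified = not event.get("publisher_verified", False)
    user_consent = event.get("consent_type") == "User"
    return borrows_brand and unverified and user_consent


def triage(sign_ins: list[dict], consents: list[dict]) -> dict[str, list[str]]:
    """Return the users (and apps) that match either signal, in log order."""
    findings: dict[str, list[str]] = {"kit_user_agent": [], "suspicious_consent": []}
    for record in sign_ins:
        if is_kit_user_agent(record["user_agent"]):
            findings["kit_user_agent"].append(record["user"])
    for event in consents:
        if is_suspicious_consent(event):
            findings["suspicious_consent"].append(f'{event["user"]}:{event["app_display_name"]}')
    return findings


# Constructed sample records (documentation IP ranges, fictitious users).
SAMPLE_SIGN_INS = [
    {"user": "alice@example.com", "user_agent": "axios/1.7.9", "ip": "203.0.113.10"},
    {"user": "bob@example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ip": "198.51.100.4"},
    {"user": "carol@example.com", "user_agent": "axios/1.8.2", "ip": "203.0.113.11"},
]
SAMPLE_CONSENTS = [
    {"user": "alice@example.com", "app_display_name": "Adobe Document Share",
     "publisher_verified": False, "consent_type": "User", "scopes": ["profile", "email"]},
    {"user": "dave@example.com", "app_display_name": "Contoso HR Portal",
     "publisher_verified": True, "consent_type": "Admin", "scopes": ["User.Read"]},
    {"user": "erin@example.com", "app_display_name": "DocuSign eSignature",
     "publisher_verified": True, "consent_type": "User", "scopes": ["profile"]},
]

if __name__ == "__main__":
    print(triage(SAMPLE_SIGN_INS, SAMPLE_CONSENTS))
```

A hit on both lists for the same user (here, alice) is the pattern the post describes: consent lure first, then token replay from the kit's infrastructure.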
Contact us: Finstein Cyber — Cybersecurity & VAPT Services
#OAuthSecurity #Microsoft365 #PhishingAlert #AiTMPhishing #TycoonPhaaS #MFABypass #CloudSecurity #ThreatIntel #CyberSecurity #IdentityProtection #ProofpointResearch #MicrosoftEntra #OAuthAbuse #AccountTakeover #CyberThreats #EmailSecurity #WebSecurity #FIDO2 #MFAResistance #ThreatDetection #InfoSec