A newly identified cyberattack campaign is raising serious concerns among security professionals. Threat actors are now using fake Microsoft OAuth applications—designed to mimic legitimate enterprise platforms—to facilitate account takeovers in Microsoft 365 environments.

According to a recent report from Proofpoint, attackers are crafting counterfeit versions of applications such as RingCentral, SharePoint, Adobe, and DocuSign. These fake apps are part of a sophisticated phishing strategy powered by toolkits like Tycoon and ODx, which are capable of bypassing multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) tactics.

How the Attack Works

The campaign begins with phishing emails sent from already compromised accounts. These messages typically appear to be business communications, such as requests for quotes or contract agreements, and include links designed to lure victims into a trap.

Clicking the link redirects users to a Microsoft OAuth authorization page, where they are prompted to grant access to a seemingly benign app—often named something like “iLSMART.” While the requested permissions appear minimal (e.g., basic profile access), they serve as the foothold attackers need to escalate access and launch the next stage of the attack.

Interestingly, “iLSMART” refers to a real online marketplace serving the aviation and defense industries, making the impersonation even more convincing.

Regardless of whether the victim accepts or denies the app permissions, they are redirected to a CAPTCHA page followed by a fake Microsoft login portal. This page uses AiTM phishing techniques from the Tycoon Phishing-as-a-Service (PhaaS) platform to steal usernames, passwords, and even MFA tokens in real time.

Evolving Threat Landscape

This is not an isolated incident. Proofpoint recently identified a similar campaign spoofing Adobe, with emails sent via Twilio SendGrid to add legitimacy. These messages aim to gain user authorization or divert victims to credential-harvesting sites.

The scale of Tycoon-related activity is growing. In the first half of 2025 alone, nearly 3,000 user accounts across 900+ Microsoft 365 environments have been targeted with similar tactics.

Proofpoint warns that attackers are rapidly innovating their methods to evade detection and breach enterprise systems worldwide. AiTM phishing and identity-based attacks are becoming the new normal in the cyber threat landscape.

Microsoft’s Security Response

To counteract these threats, Microsoft has announced upcoming security updates, including:

• Blocking legacy authentication protocols by default
• Requiring admin approval for third-party app permissions

These changes are expected to roll out by August 2025 and are likely to significantly disrupt attacker playbooks relying on outdated authentication methods.

Additional Threats in Play

Meanwhile, other malicious campaigns continue to exploit trust and familiarity:

• Phishing emails using fake payment receipts are delivering the VIP Keylogger, a .NET-based malware capable of stealing sensitive data.
• Since November 2024, attackers have embedded remote access software inside PDF documents disguised as invoices or contracts. The goal: trick users into downloading tools like FleetDeck RMM, Action1, Syncro, Atera, and others for initial access.

Though these RMM tools haven’t yet deployed secondary payloads, security researchers warn that they could be used to enable further compromise, particularly in ransomware operations.

Source: https://thehackernews.com/2025/08/attackers-use-fake-oauth-apps-with.html