
Beware! Phishing Attack Using Counterfeit Microsoft Apps Exposed
2025-08-19
Author: Rajesh
New Phishing Scam Targets Microsoft 365 Users
A sophisticated phishing campaign has been uncovered that exploits counterfeit Microsoft OAuth applications to bypass Multi-Factor Authentication (MFA) and gain unauthorized access to Microsoft 365 accounts. This alarming trend, identified by cybersecurity firm Proofpoint, shows the lengths to which cybercriminals will go to deceive unsuspecting users.
Deceptive Tactics and Scale of the Attack
In this latest scam, attackers have created fake Microsoft OAuth applications that impersonate reputable brands such as Adobe and DocuSign. These phony applications are utilized in Attacker-in-the-Middle (AiTM) phishing attacks, with the infamous Tycoon phishing kit playing a central role in collecting user credentials and intercepting MFA tokens. Researchers at Proofpoint reported over 50 fake apps and nearly 3,000 attempts to breach Microsoft 365 accounts, revealing an astonishing success rate of over 50%.
Tailored Attacks Target Specific Industries
The phishing attacks appear to be meticulously tailored for different sectors. For example, lures aimed at aerospace and defense companies specifically use terminology like 'request-for-quotes' (RFQs). Proofpoint stated that some campaigns focus on specific industries, enhancing their effectiveness by mimicking industry-specific services.
How the Attack Works
These scams begin with phishing emails, often sent from already compromised accounts, containing links to fake OAuth consent pages. Users are misled into granting what appear to be harmless permissions to legitimate-looking applications. Whether they accept or decline, victims are then redirected to an attacker-controlled Microsoft login page that mimics their organization's Entra ID branding, where their credentials and MFA tokens are harvested.
The Role of Tycoon Phishing-as-a-Service
A significant amount of this malicious activity is connected to the Tycoon Phishing-as-a-Service platform, which allows attackers to intercept credentials and session cookies in real time, circumventing MFA measures. Proofpoint's findings suggest a shift in the operational base of these cybercriminals from Russian proxies to US-based hosting services, possibly to dodge detection.
Defensive Strategies to Combat Phishing
As attackers develop more cunning methods, cybersecurity experts urge organizations to adopt proactive measures. Key recommendations include monitoring for malicious email threats, implementing rapid detection solutions for account breaches, and using auto-remediation features to minimize an attacker's presence in compromised systems. Additionally, continuous user education on recognizing suspicious requests related to Microsoft 365 is critical.
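The consent step described above and the rapid-detection recommendation here both come down to the same question for a defender: which consent grants in the tenant look like this campaign? The script below is an added example, not Proofpoint's or Microsoft's code, and it scores consent events for the traits the article names: an app name that borrows a brand such as Adobe or DocuSign, no verified publisher behind it, and scopes that keep working after the user closes the browser. The events, app IDs, brand-to-domain mapping, and risk weights are constructed for illustration; in practice the records would be filled from Entra ID "Consent to application" audit events.

```python
"""Triage of OAuth consent grants for the consent-phishing pattern described above.

Added example; not code from Proofpoint or Microsoft. Input records are
constructed and carry only the fields the triage needs.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Brand names the campaign borrowed; extend with your own watchlist.
IMPERSONATED_BRANDS = {"adobe", "docusign", "microsoft"}
# Publisher domain expected behind each brand (assumption: illustrative values).
EXPECTED_PUBLISHER_DOMAINS = {
    "adobe": "adobe.com",
    "docusign": "docusign.com",
    "microsoft": "microsoft.com",
}
# Scopes that keep working after the session ends or reach into mail and files.
HIGH_RISK_SCOPES = {
    "offline_access", "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all", "user.read.all",
}
ALERT_THRESHOLD = 4  # assumption: tune to your tenant's noise level


@dataclass
class ConsentEvent:
    timestamp: datetime
    user: str
    app_display_name: str
    app_id: str                      # client (application) ID of the consented app
    publisher_domain: Optional[str]  # None when Entra shows no verified publisher
    verified_publisher: bool
    scopes: List[str]
    is_admin_consent: bool           # False when an ordinary user granted it


@dataclass
class Finding:
    user: str
    app_display_name: str
    app_id: str
    score: int
    reasons: List[str]


def brand_mismatch(event: ConsentEvent) -> Optional[str]:
    """Reason string when the app name borrows a brand it does not publish under."""
    name = event.app_display_name.lower()
    for brand in IMPERSONATED_BRANDS:
        if brand not in name:
            continue
        expected = EXPECTED_PUBLISHER_DOMAINS.get(brand)
        if not event.verified_publisher or event.publisher_domain != expected:
            shown = event.publisher_domain or "unverified"
            return f"name borrows '{brand}' but publisher is {shown}"
    return None


def score_event(event: ConsentEvent) -> Tuple[int, List[str]]:
    """Additive risk score: brand abuse, unverified publisher, durable scopes, user consent."""
    score, reasons = 0, []
    mismatch = brand_mismatch(event)
    if mismatch:
        score += 3
        reasons.append(mismatch)
    if not event.verified_publisher:
        score += 2
        reasons.append("publisher not verified")
    risky = sorted(s for s in event.scopes if s.lower() in HIGH_RISK_SCOPES)
    if risky:
        score += min(len(risky), 2)
        reasons.append("durable or broad scopes: " + ", ".join(risky))
    if not event.is_admin_consent:
        score += 1
        reasons.append("granted by an end user, not an admin")
    return score, reasons


def triage(events: List[ConsentEvent]) -> List[Finding]:
    """Return findings at or above ALERT_THRESHOLD, highest score first."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(ev.user, ev.app_display_name, ev.app_id, score, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample events (not real tenant data); app IDs are placeholders.
SAMPLE_EVENTS = [
    ConsentEvent(datetime(2025, 8, 1, 9, 12), "alice@contoso.example", "Adobe Acrobat Sign",
                 "00000000-0000-0000-0000-00000000aaaa", None, False,
                 ["openid", "profile", "email", "offline_access"], False),
    ConsentEvent(datetime(2025, 8, 1, 9, 40), "bob@contoso.example", "DocuSign eSignature",
                 "00000000-0000-0000-0000-00000000bbbb", "docusign.com", True,
                 ["User.Read"], False),
    ConsentEvent(datetime(2025, 8, 1, 10, 5), "carol@contoso.example", "RFQ Document Viewer",
                 "00000000-0000-0000-0000-00000000cccc", None, False,
                 ["Mail.Read", "offline_access", "User.Read"], False),
    ConsentEvent(datetime(2025, 8, 1, 11, 0), "admin@contoso.example", "Contoso Expense Tool",
                 "00000000-0000-0000-0000-00000000dddd", "contoso.example", True,
                 ["Files.ReadWrite.All"], True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.score:>2}  {f.user:<24} {f.app_display_name:<22} {'; '.join(f.reasons)}")
```

The RFQ-themed app in the sample is flagged without any brand match: an unverified publisher asking for Mail.Read plus offline_access is enough, which mirrors the industry-specific lures the article describes. The genuine DocuSign grant scores low because the name and the verified publisher domain agree. Findings carry the app ID so the auto-remediation step (revoking the grant and the app's refresh tokens) can key on something the attacker cannot change by renaming the app.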
Future Countermeasures from Microsoft
Anticipated updates from Microsoft, set to roll out between July and August 2025, may significantly impact these phishing tactics by blocking outdated authentication protocols and requiring admin consent for third-party applications. Proofpoint predicts these changes will disrupt the effectiveness of such cyberattacks, marking a positive step toward securing digital environments.
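Organizations do not have to wait for the rollout to require admin consent: the setting already exists in Entra ID. The check below is an added example, not Microsoft's code, that reads a tenant's consent posture from the shape of the Microsoft Graph authorizationPolicy and adminConsentRequestPolicy resources and compares the weak default with the hardened state. The property names (defaultUserRolePermissions.permissionGrantPoliciesAssigned, the built-in ManagePermissionGrantsForSelf policy names, isEnabled) are given as I recall them from Graph and should be verified against your tenant's actual response; the two policy documents are constructed.

```python
"""Classify a tenant's user-consent posture and list the gaps.

Added example, not Microsoft's code. Dictionaries mirror the Graph
authorizationPolicy / adminConsentRequestPolicy shape (assumption).
"""
from typing import Dict, List

# Built-in permission-grant policies users may hold by default (assumption: Graph names).
ALLOW_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
LOW_RISK_ONLY = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


def classify_user_consent(policy: Dict) -> str:
    """Map the assigned grant policies to one of four postures."""
    assigned = policy.get("defaultUserRolePermissions", {}).get(
        "permissionGrantPoliciesAssigned", [])
    if ALLOW_ALL in assigned:
        return "users-can-consent-to-any-app"
    if LOW_RISK_ONLY in assigned:
        return "verified-publisher-low-risk-only"
    if not assigned:
        return "admin-consent-required"
    return "custom-policy"


def review(policy: Dict, request_policy: Dict) -> List[str]:
    """Return the issues a reviewer would raise for this pair of settings."""
    issues = []
    posture = classify_user_consent(policy)
    if posture == "users-can-consent-to-any-app":
        issues.append("any user can grant any third-party app access; "
                      "the consent lure in this campaign succeeds without admin involvement")
    if posture == "verified-publisher-low-risk-only":
        issues.append("low-risk consent still allows verified-publisher apps; "
                      "review which scopes your tenant treats as low risk")
    if posture == "admin-consent-required" and not request_policy.get("isEnabled", False):
        issues.append("admin consent is required but users have no request workflow; "
                      "enable the admin consent request policy so reviewers see requests")
    return issues


def hardening_patch_body() -> Dict:
    """Body for PATCH /policies/authorizationPolicy/authorizationPolicy (assumption: Graph endpoint)."""
    return {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}


# Constructed weak state: the legacy default that lets any user consent to any app.
WEAK_POLICY = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [ALLOW_ALL]}}
WEAK_REQUEST_POLICY = {"isEnabled": False}

# Constructed hardened state: no user consent; requests routed to named reviewers.
HARDENED_POLICY = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}
HARDENED_REQUEST_POLICY = {"isEnabled": True, "notifyReviewers": True}

if __name__ == "__main__":
    for label, pol, req in (("weak", WEAK_POLICY, WEAK_REQUEST_POLICY),
                            ("hardened", HARDENED_POLICY, HARDENED_REQUEST_POLICY)):
        print(label, classify_user_consent(pol), review(pol, req))
```

Requiring admin consent removes the step the lure depends on, but it only helps if someone reviews the requests; leaving the request policy disabled after locking consent down tends to push users toward workarounds, which is why the review flags that combination too.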