216.73.217.139

Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing

· Published 01/08/2025 15:39 · Modified 04/08/2025 10:49

Export JSON

Essential information

Published
01/08/2025 15:39
Modified
04/08/2025 10:49
Tags
2025-08-01 aitm application impersonation credential-theft mfa bypass microsoft 365 oauth phishing tycoon
Related entities
4 techniques (mitre), 1 malware, 3 others

Description

Proofpoint has uncovered a sophisticated campaign utilizing fake Microsoft applications to bypass multifactor authentication and steal credentials. The threat actors impersonate various enterprise apps like RingCentral, SharePoint, Adobe, and DocuSign to lure victims. The attack chain involves app creation, redirects to malicious URLs, and the use of attacker-in-the-middle kits, predominantly . This technique has been observed in email campaigns with over 50 impersonated applications, targeting multiple industries. The campaign's goal is to gain access to accounts, potentially for information gathering, lateral movement, malware installation, or further attacks.

External references