Microsoft 365 Users Targeted by Fake OAuth Apps Using Tycoon Phishing Kit


Researchers have observed a sharp increase in cyberattacks targeting Microsoft 365 users, using a combination of fake OAuth applications and advanced phishing kits. According to a recent report by Proofpoint, hackers are now impersonating well-known brands such as Adobe, DocuSign, SharePoint, and RingCentral to trick users into giving them access to their Microsoft accounts.

These attacks are part of a broader trend where threat actors aim to compromise user identities by bypassing multi-factor authentication (MFA) through Adversary-in-the-Middle (AitM) techniques. At the heart of these operations is the Tycoon Phishing-as-a-Service (PhaaS) platform, which makes it easier for cybercriminals to launch large-scale, customized phishing campaigns.

The attack starts with a phishing email. These emails, often sent from already compromised accounts, pretend to be legitimate business communications such as Requests for Quotes (RFQs), invoices, or contract agreements. The message includes a link that leads to what appears to be a Microsoft OAuth authorization page.

One such example is an application named “iLSMART”, which falsely claims to be from ILSMart, a real marketplace for aviation and defense services. This fake app asks users to grant permission to view their profile and maintain access to data. While the permissions seem harmless, they serve as the entry point for the attackers.

Regardless of whether the victim accepts or denies these permissions, they are redirected to a CAPTCHA page and then taken to a counterfeit Microsoft login page. This page uses AitM phishing to steal both the user’s password and the MFA code, giving attackers full access to the victim’s account.

What sets this campaign apart is the scale and sophistication. More than 50 fake applications have been observed, each designed to look like a trusted enterprise tool. These attacks are not limited to one brand or one type of organization.

In a separate campaign last month, attackers used Adobe-branded phishing emails sent through Twilio SendGrid, a known email marketing platform. The emails pushed users either to authorize access or to cancel an action—both flows ultimately led to a phishing page designed to harvest credentials.

So far in 2025, Proofpoint has recorded nearly 3,000 attempted account takeovers, affecting over 900 different Microsoft 365 tenants. This clearly indicates that the Tycoon platform is being widely used by multiple cybercriminal groups.

These incidents show how cybercriminals are evolving their tactics. Instead of only targeting weak passwords or using traditional phishing, they now focus on identity theft and MFA bypass techniques. The use of fake OAuth apps gives attackers a seemingly legitimate method to trick users, bypass spam filters, and avoid immediate detection.

Proofpoint warns that AitM phishing is becoming a “criminal industry standard”, and predicts that attackers will continue to exploit user trust and identity mechanisms in the months ahead.


In response to growing identity-based attacks, Microsoft is rolling out new default security settings. These include:

  • Blocking legacy authentication protocols, which are easier to exploit.

  • Requiring admin consent for third-party app access to Microsoft 365 data.

These changes are expected to be implemented by August 2025, and should make it more difficult for fake OAuth apps to succeed in future campaigns.

Microsoft has also announced that it will block external workbook links to certain file types by default between October 2025 and July 2026 to enhance overall Office 365 security.

In parallel with the OAuth scams, researchers have observed other sophisticated phishing operations. One such campaign involves the VIP Keylogger, a .NET-based malware delivered using an AutoIt injector. Victims receive emails with fake payment receipts, and once infected, the malware silently steals sensitive data.

Another ongoing campaign—dating back to November 2024—relies on PDF attachments that hide installation links for Remote Monitoring and Management (RMM) tools like FleetDeck RMM, Action1, Syncro, Atera, and ScreenConnect. These PDFs often pretend to be invoices, property listings, or legal documents to lure users into clicking.

Though these campaigns haven’t yet been linked to ransomware deployments, the use of RMM tools is a known tactic among ransomware gangs to establish footholds in corporate environments.

The rise of OAuth-based phishing and Tycoon PhaaS tools reflects the shifting nature of cyber threats. As organizations strengthen traditional defenses like firewalls and antivirus, attackers are pivoting toward identity-based attacks that exploit trust and human error.

Cybersecurity professionals must take extra precautions, including:

  • Enabling conditional access and MFA policies.

  • Blocking legacy authentication.

  • Reviewing OAuth app permissions regularly.

  • Educating employees about phishing and identity theft.
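As an added example, not code from the article, Proofpoint or Microsoft, the following Microsoft Graph PowerShell check covers the admin-consent setting and the "review OAuth app permissions" bullet above: it reports whether users can still consent to third-party apps themselves, then lists delegated consent grants and flags external apps with no verified publisher that were granted offline_access (the "maintain access to data" permission the iLSMART lure requested, which normally comes paired with User.Read for "view your profile"). The cmdlets, scopes and property names are those of the Microsoft.Graph SDK; the flagging criteria are my own assumptions about what a consent-phishing app looks like.

```powershell
# Read-only review of OAuth consent in a Microsoft 365 tenant (added example).
# Requires the Microsoft.Graph PowerShell SDK; no write scopes are requested.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All","Policy.Read.All" -NoWelcome
$tenantId = (Get-MgContext).TenantId

# 1. Tenant setting behind "require admin consent": an empty list means
#    ordinary users cannot grant third-party apps access on their own.
$userConsent = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"User consent policies assigned: " + $(if ($userConsent) { $userConsent -join ', ' } else { '<none, admin consent required>' })

# 2. Enumerate delegated grants and flag the consent-phishing pattern:
#    app owned by another tenant + no verified publisher + offline_access.
$spCache = @{}
function Get-SpCached([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id `
            -Property Id,DisplayName,AppId,AppOwnerOrganizationId,VerifiedPublisher,CreatedDateTime
    }
    return $spCache[$Id]
}

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $app    = Get-SpCached $grant.ClientId
    $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }

    $external   = $app.AppOwnerOrganizationId -and ($app.AppOwnerOrganizationId -ne $tenantId)
    $unverified = -not $app.VerifiedPublisher.VerifiedPublisherId   # assumed heuristic
    $persistent = $scopes -contains 'offline_access'                  # refresh token = lasting access

    if ($external -and $unverified -and $persistent) {
        # AllPrincipals = tenant-wide (admin) consent; otherwise one user consented.
        $who = if ($grant.ConsentType -eq 'AllPrincipals') { 'ALL USERS (admin consent)' }
               else { (Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName).UserPrincipalName }
        [pscustomobject]@{
            App         = $app.DisplayName
            AppId       = $app.AppId
            ConsentedBy = $who
            Scopes      = ($scopes -join ' ')
            AppCreated  = $app.CreatedDateTime
        }
    }
}
$findings | Sort-Object AppCreated -Descending | Format-Table -AutoSize

# Remediation for a confirmed rogue grant (run deliberately, not as part of the review):
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <grant id>
#   Update-MgServicePrincipal -ServicePrincipalId <sp id> -AccountEnabled:$false
#   Revoke-MgUserSignInSession -UserId <consenting user>   # invalidates existing refresh tokens
```

A newly created app from an unknown tenant that a single user consented to shortly after receiving an "RFQ" or invoice e-mail is the case worth investigating first; Microsoft first-party apps are excluded automatically because they carry a verified publisher.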

With Microsoft hardening its default configurations and raising security standards, the hope is that these steps will limit the effectiveness of such large-scale phishing operations. However, vigilance remains essential, especially as cybercriminals continue to adapt their methods.
