Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing
Proofpoint, Thursday, July 31st, 2025
Proofpoint has identified a cluster of activity using Microsoft OAuth application creation and redirects that lead to malicious URLs enabling credential phishing. The fake Microsoft 365 applications impersonate various companies including RingCentral, SharePoint, Adobe, and DocuSign. Proofpoint first observed this activity in early 2025 and remains ongoing.
The goal of the campaigns is to use OAuth applications as a gateway lure to conduct other activities, mostly to obtain access to Microsoft 365 accounts via MFA phishing. The phishing campaigns leverage multifactor authentication (MFA) attacker-in-the-middle (AiTM) phishing kits, predominately Tycoon. Such activity could be used for information gathering, lateral movement, follow-on malware installation, or to conduct additional phishing campaigns from compromised accounts.