A Growing Threat to Enterprise Security
In early 2025, cybersecurity experts uncovered a sophisticated wave of cyberattacks where hackers impersonate legitimate companies using fake Microsoft OAuth applications. These deceptive apps, mimicking trusted names like SharePoint, DocuSign, Adobe, and RingCentral, are being used to bypass security defenses and launch full-scale credential harvesting campaigns. With phishing techniques advancing rapidly, even multi-factor authentication (MFA) is no longer a reliable barrier against these attacks. This article explores how attackers use these fakes to infiltrate businesses, how the scam works, and what’s being done to fight back.
Inside the Attack: How Hackers Are Exploiting Microsoft OAuth
Cybersecurity firm Proofpoint has revealed an alarming pattern of credential theft that revolves around impersonating trusted enterprise tools via Microsoft OAuth applications. Beginning in early 2025, attackers have leveraged phishing kits like Tycoon and ODx to target users with fraudulent permission requests through Microsoft 365.
The campaigns typically start with phishing emails, often appearing as requests for quotes (RFQ) or contract agreements. These emails are sent from already-compromised accounts to increase their credibility. Once recipients click on the link, they are directed to a Microsoft OAuth authorization page for a seemingly legitimate app called “iLSMART”—a real online marketplace in the aviation and defense sector. The app requests permission to access user data, a move that may not seem suspicious to the average user.
Regardless of whether the victim accepts or denies the request, they’re then redirected to a CAPTCHA page, followed by a counterfeit Microsoft login page. Here, Adversary-in-the-Middle (AiTM) phishing is deployed using the Tycoon Phishing-as-a-Service (PhaaS) platform, stealing both credentials and MFA tokens in real time.
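The consent request described above is the step a defender can actually observe in tenant audit data. The following script is an added example, not code from the article, Proofpoint, or Microsoft: it scans a constructed, simplified consent-grant log and flags grants to apps whose display name borrows a trusted brand while the publisher domain does not match, or whose publisher is unverified and whose scopes are broad. The record schema, the brand-to-domain table, and the scope list are assumptions for illustration, not the real Microsoft 365 audit log format or an official policy.

```python
"""Triage OAuth consent grants for brand-impersonating or over-privileged apps.

Added example (not from the article, Proofpoint, or Microsoft). The log
format below is a constructed simplification of a consent-grant audit
record, not the real Microsoft 365 schema.
"""
import json
from dataclasses import dataclass

# Brands the article says were impersonated, mapped to the publisher domain
# a genuine app would be expected to use. These domains are assumptions for
# this example only.
TRUSTED_BRANDS = {
    "sharepoint": "microsoft.com",
    "docusign": "docusign.com",
    "adobe": "adobe.com",
    "ringcentral": "ringcentral.com",
}

# Delegated scopes that give an app broad or persistent reach into a mailbox
# or tenant (assumed list for the example).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
    "offline_access", "User.Read.All",
}


@dataclass
class Finding:
    user: str
    app_name: str
    reasons: list


def brand_mismatch(app_name, publisher_domain):
    """Return the brand an app name borrows when its publisher domain does not match it."""
    name = app_name.lower()
    for brand, domain in TRUSTED_BRANDS.items():
        if brand in name and not publisher_domain.lower().endswith(domain):
            return brand
    return None


def triage(records):
    """Return a Finding for each consent grant that looks like consent phishing."""
    findings = []
    for rec in records:
        if rec.get("operation") != "ConsentToApplication":
            continue
        verified = rec.get("publisher_verified", False)
        publisher = rec.get("publisher_domain", "")
        reasons = []
        brand = brand_mismatch(rec["app_display_name"], publisher)
        if brand:
            reasons.append(f"name imitates {brand} but publisher is {publisher or 'unknown'}")
        if not verified:
            reasons.append("publisher not verified")
        risky = sorted(HIGH_RISK_SCOPES & set(rec.get("scopes", [])))
        if risky:
            reasons.append("broad scopes: " + ", ".join(risky))
        # Alert on brand impersonation, or on broad scopes from an unverified
        # publisher. A verified app with broad scopes is a review item, not an alert.
        if brand or (risky and not verified):
            findings.append(Finding(rec["user"], rec["app_display_name"], reasons))
    return findings


# Constructed sample log (newline-delimited JSON); not real telemetry.
SAMPLE_LOG = """
{"operation": "ConsentToApplication", "user": "alice@example.com", "app_display_name": "DocuSign eSignature", "publisher_domain": "docusign.com", "publisher_verified": true, "scopes": ["User.Read", "offline_access"]}
{"operation": "ConsentToApplication", "user": "bob@example.com", "app_display_name": "Adobe Document Cloud", "publisher_domain": "cloud-docs-portal.example", "publisher_verified": false, "scopes": ["Mail.Read", "offline_access", "User.Read"]}
{"operation": "ConsentToApplication", "user": "carol@example.com", "app_display_name": "Lunch Poll", "publisher_domain": "", "publisher_verified": false, "scopes": ["User.Read"]}
{"operation": "UserLoggedIn", "user": "dave@example.com"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def run():
    """Triage the embedded sample log."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run():
        print(f"[ALERT] {f.user} consented to {f.app_name!r}: " + "; ".join(f.reasons))
```

Only the "Adobe Document Cloud" grant is raised: its name borrows a brand, its publisher is unverified, and it asks for mailbox access plus a refresh token. The genuine DocuSign grant is left alone even though it requests `offline_access`, which is the distinction that keeps a rule like this from drowning analysts in noise. The tenant-wide mitigation the article mentions (requiring admin consent for third-party apps) removes the user from this decision entirely; the triage above is for reviewing grants that already happened.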
In one recent example, attackers posed as Adobe, sending phishing emails through Twilio SendGrid to lure users into authorizing malicious apps or entering login information. This is just one variation of the attack. More than 50 impersonated applications have already been identified.
Throughout 2025, nearly 3,000 Microsoft 365 accounts across 900+ organizations have been targeted. Threat actors continue to evolve, with AI-based phishing expected to become the new criminal industry standard. Microsoft is responding by tightening security measures: legacy authentication protocols are being blocked, and new default settings will require admin consent for third-party app access by August 2025.
Meanwhile, other attack vectors have been uncovered. Spear-phishing emails using PDFs disguised as invoices or contracts are being used to install Remote Monitoring and Management (RMM) tools like FleetDeck RMM, Syncro, Atera, and SuperOps. These campaigns have been particularly active in France, Luxembourg, Belgium, and Germany since November 2024.
Although these RMM tools don’t always deliver malware immediately, they often serve as initial access points for ransomware operators and other advanced threat actors. Researchers believe these techniques may escalate if not effectively countered.
🔍 What Undercode Says:
The Anatomy of the Attack Chain
Undercode analysts recognize this as a multi-stage attack—a sophisticated blend of social engineering, phishing, and cloud application manipulation. These campaigns exploit both user trust and the open nature of OAuth’s design. By mimicking real applications and leveraging compromised business accounts, attackers bypass traditional email filters and exploit identity-based weaknesses.
MFA Is No Longer Enough
The use of Adversary-in-the-Middle (AiTM) techniques is a game changer. It allows threat actors to intercept session tokens and MFA codes in real-time, rendering even robust security systems ineffective. This marks a new era in phishing, where real-time credential theft becomes industrialized via PhaaS platforms like Tycoon.
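Because an AiTM proxy completes the MFA step on the victim's behalf and then replays the captured session cookie from the attacker's own infrastructure, one observable consequence is a single session identifier being presented from two different networks within a short window. The script below is an added example, not code from the article or any vendor, of the kind of continuous session monitoring that catches this. The sign-in record format, the ASN values (private-use range), and the 60-minute window are constructed assumptions.

```python
"""Flag session-token reuse across networks, a symptom of AiTM cookie replay.

Added example (not from the article or any vendor). The records are a
constructed simplification of a sign-in log, not a real schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# How close together two uses of one session must be to count as suspicious.
WINDOW = timedelta(minutes=60)


def parse_records(text):
    """Parse newline-delimited JSON sign-in events and sort them by timestamp."""
    recs = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(recs, key=lambda r: r["ts"])


def find_replayed_sessions(records, window=WINDOW):
    """Return {session_id: {"user", "reasons"}} for sessions used from a second ASN within `window`.

    The first event for a session is treated as the MFA-completed sign-in; any
    later use from a different ASN inside the window is flagged. A user-agent
    change on its own is not an alert, only supporting evidence.
    """
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session_id"]].append(r)

    alerts = {}
    for sid, events in by_session.items():
        first = events[0]
        for ev in events[1:]:
            age = ev["ts"] - first["ts"]
            if age > window:
                break  # events are time-sorted, so nothing later can be inside the window
            if ev["asn"] == first["asn"]:
                continue
            reasons = [f"ASN changed {first['asn']} -> {ev['asn']} after {int(age.total_seconds() // 60)} min"]
            if ev["user_agent"] != first["user_agent"]:
                reasons.append("user agent changed")
            alerts.setdefault(sid, {"user": first["user"], "reasons": []})["reasons"].extend(reasons)
    return alerts


# Constructed sample sign-in log; ASNs are from the private-use range.
SAMPLE_LOG = """
{"ts": "2025-03-01T09:00:00", "user": "alice@example.com", "session_id": "S1", "asn": 64512, "user_agent": "Chrome/123"}
{"ts": "2025-03-01T09:03:00", "user": "alice@example.com", "session_id": "S1", "asn": 64513, "user_agent": "Firefox/124"}
{"ts": "2025-03-01T09:00:00", "user": "bob@example.com", "session_id": "S2", "asn": 64512, "user_agent": "Chrome/123"}
{"ts": "2025-03-01T11:30:00", "user": "bob@example.com", "session_id": "S2", "asn": 64513, "user_agent": "Chrome/123"}
{"ts": "2025-03-01T09:00:00", "user": "carol@example.com", "session_id": "S3", "asn": 64514, "user_agent": "Safari/17"}
{"ts": "2025-03-01T09:10:00", "user": "carol@example.com", "session_id": "S3", "asn": 64514, "user_agent": "Safari/17"}
"""


def run():
    """Analyse the embedded sample log."""
    return find_replayed_sessions(parse_records(SAMPLE_LOG))


if __name__ == "__main__":
    for sid, info in run().items():
        print(f"[ALERT] session {sid} ({info['user']}): " + "; ".join(info["reasons"]))
```

Session S1 is flagged: the same session identifier appears from a second network three minutes after the first sign-in, with a different browser. S2 changes network too, but two and a half hours later, outside the window, and S3 never leaves its network. In production the window and an allowlist of corporate and mobile-carrier ASNs need tuning, since a laptop moving from Wi-Fi to a phone hotspot produces the same raw signal; the point is that token-bound signals like this survive even when the credential and MFA code were stolen in real time.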
RMM Tools as a Backdoor Strategy
What’s especially concerning is the growing deployment of legitimate RMM tools in these attacks. They may appear benign at first, but they give threat actors a persistent foothold in the victim’s system. This allows for stealthy data exfiltration, lateral movement, or even ransomware deployment.
The Shift Toward Identity-Centric Attacks
Undercode highlights a key trend: attackers are focusing less on traditional malware and more on identity compromise. With access to a user’s Microsoft 365 credentials and tokenized sessions, they can infiltrate cloud environments, manipulate documents, and hijack communications—without ever triggering antivirus or EDR tools.
Defensive Measures Falling Behind
Although Microsoft’s upcoming security updates are promising, the pace of attacker innovation may outstrip defense improvements. Undercode stresses the importance of user education, zero-trust policies, conditional access controls, and continuous session monitoring. Businesses must assume that breaches are inevitable and plan accordingly.
✅ Fact Checker Results:
The iLSMART impersonation was accurately confirmed by Proofpoint.
Campaigns using Tycoon PhaaS and AiTM phishing were verified to target Microsoft 365 accounts.
Microsoft’s planned OAuth and authentication changes are official and scheduled for August 2025.
🔮 Prediction:
By late 2025, we expect to see increased adoption of AI-driven phishing services, more frequent impersonations of SaaS platforms, and a greater emphasis on identity-based attacks over malware payloads. Organizations failing to modernize their cloud security and educate their users are likely to become prime targets in the next wave of credential theft campaigns.
References:
Reported By: thehackernews.com