Threat actors have cooked up a clever way to slip past multifactor authentication (MFA), tricking users into approving fake app access requests that impersonate trusted brands.
According to Proofpoint findings, attackers are crafting fake Microsoft OAuth apps that mimic trusted brands, like SharePoint and DocuSign, to dupe users and swipe their credentials.
“Proofpoint has identified a cluster of activity using Microsoft OAuth application creation and redirects that lead to malicious URLs enabling credential phishing,” Proofpoint researchers said in a blog post. “The goal of the campaign is to use OAuth applications as a gateway lure to conduct other activities, mostly to obtain access to Microsoft 365 accounts via MFA phishing.”
Microsoft OAuth apps are applications registered with Microsoft’s identity platform (Microsoft Entra ID, formerly Azure AD) that request delegated permission to access data in services such as Microsoft 365, OneDrive, Outlook, Teams, or SharePoint on a user’s behalf. The user sees a consent prompt listing the requested permissions; approving it lets the app obtain tokens that act as that user, without the app ever seeing the user’s password.
OAuth impersonation for MFA bypass
According to Proofpoint, the impersonated apps used convincing names, logos, and permission prompts to trick users into approving access, without raising alarms.
Once a victim clicked ‘accept’, they were redirected, via a CAPTCHA page, to a spoofed Microsoft login page. The CAPTCHA served as an anti-bot gate, keeping automated URL scanners from reaching and flagging the phishing content behind it. There, attacker-in-the-middle (AiTM) phishing kits such as Tycoon or ODx proxied the real Microsoft login, capturing both the credentials and the session cookie issued after the victim completed MFA. Replaying that already-validated session is what lets attackers bypass MFA and gain persistent access to Microsoft 365 accounts; the OAuth consent itself does not defeat MFA, it is the lure that delivers the victim to the AiTM page.
“The phishing campaigns leverage multi-factor authentication (MFA) attacker-in-the-middle (AiTM) phishing kits like Tycoon,” researchers added. “Such activity could be used for information gathering, lateral movement, follow-on malware installations, or to conduct additional phishing campaigns from compromised accounts.”
This method is particularly dangerous because a granted OAuth consent outlives a password reset. Changing the compromised user’s password does not remove the app’s consent grant, and tokens already issued remain valid until they expire, so attackers can keep using the granted permissions to access email, files, and other cloud services until the grant is removed from the tenant and the user’s sessions and tokens are revoked.
Proofpoint said the campaign abused over 50 trusted brands, including RingCentral, SharePoint, Adobe, and DocuSign.
Microsoft moves to curb the threat
Thousands of malicious messages were sent from compromised business accounts as part of the campaign, each impersonating a well-known company. Some lures asked only for benign-looking permissions such as “view your profile” and “maintain access to data you have given it access to”. The latter is the consent-screen wording for the offline_access scope, which issues the app a refresh token and so gives it long-lived access beyond the current session.
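The redirect described above and the permission wording just quoted both live in one artifact: the authorize URL the lure points at. The following is an added example, not code from the article or from Proofpoint, showing how an analyst can triage such a link offline: it parses the client_id, redirect_uri, and scope parameters, translates common scopes back into the consent-screen text the victim saw, and flags a refresh-token request, a redirect to an unlisted host, and a client_id on a shared IOC list. The sample URL, the .invalid redirect host, the allowlists, and the scope-to-wording table are constructed for this example.

```python
"""Triage a Microsoft identity platform consent link pulled from an email.

Added example: parses the authorize URL an OAuth lure points at and reports
what the victim would actually be approving.  Sample URL and allowlists are
constructed for this example; adjust them to your environment.
"""
from urllib.parse import parse_qs, urlparse

# Hosts that legitimately serve the Entra ID / Microsoft account consent prompt.
MICROSOFT_LOGIN_HOSTS = frozenset(
    {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
)

# Consent-screen wording for common delegated scopes (constructed lookup), so the
# analyst sees what the user saw.  Unknown scopes are reported by their raw name.
SCOPE_PROMPTS = {
    "profile": "View your basic profile",
    "email": "View your email address",
    "User.Read": "Sign you in and read your profile",
    "offline_access": "Maintain access to data you have given it access to",
}


def triage_consent_link(url, trusted_redirect_hosts=frozenset(), known_bad_client_ids=frozenset()):
    """Return a triage report for an OAuth authorize URL.

    verdict is "block" when the client_id matches a shared IOC, "review" when the
    link has properties worth an analyst's attention, otherwise "allow".
    """
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    client_id = qs.get("client_id", [""])[0]
    redirect_uri = qs.get("redirect_uri", [""])[0]
    scopes = qs.get("scope", [""])[0].split()          # scope is space-separated
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()
    findings = []

    if (parsed.hostname or "").lower() not in MICROSOFT_LOGIN_HOSTS or "/oauth2/" not in parsed.path:
        findings.append("link is not a Microsoft authorize endpoint; treat as a plain phishing URL")
    if client_id in known_bad_client_ids:
        findings.append("client_id matches a known malicious application ID")
    if "offline_access" in scopes:
        findings.append("requests offline_access: the app receives a refresh token and keeps access after the session ends")
    if redirect_host and redirect_host not in trusted_redirect_hosts:
        findings.append(f"post-consent redirect goes to {redirect_host}, which is not an allowlisted app host; "
                        "in consent-lure campaigns this is where the CAPTCHA and AiTM login page live")
    if qs.get("prompt", [""])[0] == "consent":
        findings.append("prompt=consent forces the consent screen even if the user consented before")

    if client_id in known_bad_client_ids:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "client_id": client_id,
        "redirect_host": redirect_host,
        "scopes": scopes,
        "prompts": [SCOPE_PROMPTS.get(s, s) for s in scopes],
        "findings": findings,
        "verdict": verdict,
    }


# Constructed lure modelled on the redirect pattern described in the article
# (the .invalid TLD is reserved and never resolves; the client_id is made up).
SAMPLE_LURE = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-4000-8000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review.invalid%2Fcallback"
    "&scope=openid%20profile%20offline_access&prompt=consent"
)

if __name__ == "__main__":
    report = triage_consent_link(SAMPLE_LURE)
    print(report["verdict"], report["prompts"], sep="\n")
    for finding in report["findings"]:
        print(" -", finding)
```

A legitimate third-party app also redirects to its own domain, so the redirect finding is a prompt to check that the host belongs to the brand the app name claims, not a verdict on its own; the combination of an unlisted redirect host, offline_access, and a forced consent prompt is what should push the link to an analyst.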
Proofpoint said it reported the observed apps to Microsoft in early 2025 and noted that the software giant’s upcoming Microsoft 365 default-setting changes, announced in June 2025, are expected to significantly limit attackers’ ability to abuse third-party app access. The updates began rolling out in mid-July and are expected to be completed by August 2025.
Microsoft did not immediately respond to CSO’s request for comments.
Proofpoint recommends implementing effective BEC-prevention measures, blocking unauthorized access in cloud environments, and isolating potentially malicious links in emails to stay ahead of the campaign. Educating users on Microsoft 365 security risks and strengthening authentication with FIDO-based physical security keys, which are resistant to AiTM credential capture, also help. Proofpoint also shared the malicious Microsoft OAuth application IDs and Tycoon fingerprints observed in the campaign so that defenders can build detections from them.
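Two points above call for the same tenant-side check: consent grants outlive a password reset and have to be removed explicitly, and Proofpoint has shared application IDs to hunt for. The following is an added example, not code from the article or from Proofpoint, that works over Microsoft Graph servicePrincipal and oauth2PermissionGrant objects (field names follow those Graph resource types), flags grants whose appId is on an IOC list or that match the campaign pattern of a single user consenting to an unverified publisher requesting offline_access, and emits the Graph calls that remove each grant and revoke the consenting user’s sessions. The records and the IOC_APP_IDS list are constructed placeholders; the real IDs are the ones Proofpoint published.

```python
"""Hunt for risky delegated consent grants in a tenant and plan their removal.

Added example: works over Microsoft Graph oauth2PermissionGrant and servicePrincipal
objects (field names as in the Graph resource types).  The records below are
constructed sample data, and IOC_APP_IDS is a placeholder for the application IDs
Proofpoint shared; neither comes from the article.
"""

# GET /servicePrincipals?$select=id,appId,displayName,verifiedPublisher (trimmed)
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "11111111-1111-4111-8111-111111111111",
     "displayName": "SharePoint Document Review",       # brand-impersonating name
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-2", "appId": "22222222-2222-4222-8222-222222222222",
     "displayName": "Contoso Expenses",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "9000001"}},
    {"id": "sp-3", "appId": "33333333-3333-4333-8333-333333333333",
     "displayName": "RingCentral Notifications",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]

# GET /oauth2PermissionGrants: consentType "Principal" means one user consented,
# "AllPrincipals" means an admin consented on behalf of the whole tenant.
GRANTS = [
    {"id": "g-1", "clientId": "sp-1", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "graph", "scope": "openid profile offline_access"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph", "scope": "User.Read offline_access"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "Principal",
     "principalId": "user-bob", "resourceId": "graph", "scope": "User.Read"},
]

# Placeholder IOC list (hypothetical ID; substitute the ones from the Proofpoint report).
IOC_APP_IDS = frozenset({"33333333-3333-4333-8333-333333333333"})


def find_risky_grants(service_principals, grants, ioc_app_ids):
    """Return grants that match a shared IOC or fit the campaign's consent pattern."""
    by_id = {sp["id"]: sp for sp in service_principals}
    risky = []
    for grant in grants:
        sp = by_id.get(grant["clientId"])
        if sp is None:
            continue
        reasons = []
        if sp["appId"] in ioc_app_ids:
            reasons.append("appId is on the shared IOC list")
        scopes = set(grant["scope"].split())
        publisher_id = (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId")
        # A single user consenting to a refresh-token scope for an app with no
        # verified publisher is exactly what the lures described above produce.
        if grant["consentType"] == "Principal" and "offline_access" in scopes and not publisher_id:
            reasons.append("single-user consent to an unverified publisher requesting a refresh token")
        if reasons:
            risky.append({"grantId": grant["id"], "appId": sp["appId"],
                          "appName": sp["displayName"], "principalId": grant["principalId"],
                          "reasons": reasons})
    return risky


def remediation_plan(risky_grants):
    """Graph calls to remove each grant and end the consenting user's sessions."""
    calls = []
    for item in risky_grants:
        calls.append(f"DELETE /oauth2PermissionGrants/{item['grantId']}")
        if item["principalId"]:
            calls.append(f"POST /users/{item['principalId']}/revokeSignInSessions")
    return calls


if __name__ == "__main__":
    hits = find_risky_grants(SERVICE_PRINCIPALS, GRANTS, IOC_APP_IDS)
    for hit in hits:
        print(hit["appName"], hit["appId"], hit["reasons"])
    print("\n".join(remediation_plan(hits)))
```

Deleting the grant stops the app from obtaining new tokens and revokeSignInSessions invalidates the user’s refresh tokens and session cookies, but access tokens already issued stay usable until they expire, so treat the minutes after remediation as still exposed and review the account’s mailbox rules and sign-in logs as well.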