
Cybersecurity researchers have uncovered a coordinated campaign in which threat actors are impersonating trusted enterprises using fraudulent Microsoft OAuth applications to hijack user accounts.

Proofpoint reports that attackers are creating fake Microsoft 365 apps mimicking well-known services such as SharePoint, Adobe, RingCentral, and DocuSign. First observed in early 2025, these phishing campaigns leverage advanced toolkits like Tycoon and ODx to bypass multi-factor authentication (MFA), exploiting Microsoft’s OAuth framework as an entry point for credential harvesting.

The attack typically begins with phishing emails sent from compromised accounts, often framed as requests for quotes or contracts. Victims are redirected to a spoofed Microsoft OAuth authorization page for a fraudulent app named “iLSMART,” impersonating a legitimate marketplace in the aviation sector. Even if users deny access, they are led through CAPTCHA checks and redirected to a convincing Microsoft login page that uses adversary-in-the-middle (AitM) tactics to collect credentials and MFA tokens. Recent variants of the attack have also spoofed Adobe via Twilio SendGrid emails, highlighting the attackers’ evolving methods to deceive users and manipulate OAuth permissions for deeper access.

This campaign is part of a broader surge in identity-based attacks, with nearly 3,000 user accounts across more than 900 Microsoft 365 environments targeted in 2025 alone. Attackers are increasingly using remote monitoring and management (RMM) tools such as FleetDeck, Action1, and ScreenConnect for initial access, often hidden within seemingly benign PDFs disguised as invoices or contracts. While Microsoft is rolling out updates to restrict legacy authentication and require admin consent for third-party apps by August 2025, the continued abuse of identity infrastructure underscores the urgent need for robust identity security and risk assessments across organizations globally.
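One way to triage a tenant for the brand-impersonating apps described above is sketched below as an added example; it is not code from Proofpoint, Microsoft, or this article. Field names follow Microsoft Graph's servicePrincipal and oauth2PermissionGrant resources, while the sample records, tenant IDs, scopes, and the rule itself (brand name in the display name, no verified publisher, owner tenant not on an allowlist) are assumptions.

```python
import re
import unicodedata

# Brands the article names as impersonated by the fraudulent apps.
BRANDS = ("sharepoint", "adobe", "ringcentral", "docusign", "ilsmart")
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s"})

def normalize(name):
    """Fold case, accents, digit lookalikes and separators before matching."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower().translate(DIGIT_LOOKALIKES))

def flag_suspect_apps(service_principals, grants, trusted_owner_tenants):
    """Return brand-named apps lacking a verified publisher or trusted owner tenant."""
    scopes = {}
    for g in grants:  # oauth2PermissionGrant.clientId is the service principal's id
        scopes.setdefault(g["clientId"], set()).update((g.get("scope") or "").split())
    findings = []
    for sp in service_principals:
        brand = next((b for b in BRANDS if b in normalize(sp["displayName"])), None)
        verified = (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId")
        trusted = sp.get("appOwnerOrganizationId") in trusted_owner_tenants
        if brand and not verified and not trusted:
            findings.append({"appId": sp["appId"], "displayName": sp["displayName"],
                             "brand": brand, "scopes": sorted(scopes.get(sp["id"], ()))})
    return findings

# Constructed sample export; every id, tenant and scope below is made up.
TRUSTED_TENANTS = {"00000000-0000-0000-0000-00000000aaaa"}
SAMPLE_SPS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "iLSMART",
     "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000bbbb",
     "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-2", "appId": "app-2", "displayName": "Ad0be Sign-In",
     "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000cccc",
     "verifiedPublisher": None},
    {"id": "sp-3", "appId": "app-3", "displayName": "SharePoint Online Client",
     "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000aaaa",
     "verifiedPublisher": None},
    {"id": "sp-4", "appId": "app-4", "displayName": "Payroll Export",
     "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000dddd",
     "verifiedPublisher": None},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "scope": "openid profile email"},
    {"clientId": "sp-2", "consentType": "Principal", "scope": "User.Read offline_access"},
]

if __name__ == "__main__":
    for hit in flag_suspect_apps(SAMPLE_SPS, SAMPLE_GRANTS, TRUSTED_TENANTS):
        print(hit)
```

A hit is a lead for review rather than proof of compromise, and an app with no grants is still worth a look because the campaign collects credentials even when consent is denied.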
