Fake Microsoft landing page, capturing MFA | Image: Proofpoint
Proofpoint has revealed a persistent wave of adversary-in-the-middle (AiTM) phishing campaigns that exploit Microsoft OAuth applications to hijack cloud identities. By creating malicious OAuth apps and redirecting victims to fake login portals, attackers are bypassing multifactor authentication (MFA) protections—and they’re using household names like Adobe, DocuSign, and SharePoint to do it.
“The goal of the campaigns is to use OAuth applications as a gateway lure to conduct other activities, mostly to obtain access to Microsoft 365 accounts via MFA phishing,” Proofpoint explains.
These phishing campaigns mimic legitimate Microsoft 365 login flows but are, in fact, highly orchestrated deceptions. Fake OAuth applications are registered in Azure, requesting limited scopes like “view your basic profile” and “maintain access to data”—which seem harmless but serve a bigger purpose: setting the trap.

“Whether the target clicked either Cancel or Accept… they would be redirected to a CAPTCHA page. If solved, it led to a counterfeit Microsoft authentication page.”
This phishing portal is hosted by the Tycoon Phishing-as-a-Service (PhaaS) platform, known for its ability to proxy login sessions in real time, capture credentials, and intercept MFA tokens using the “axios” HTTP client.
Proofpoint observed a wide array of email lures, including:
- RFQ-themed emails impersonating ILSMart (an aerospace inventory service)
- Adobe-themed phishing links sent via SendGrid
- DocuSign impersonations across multiple industries
In one example, users were shown an OAuth app called iLSMART, requesting benign permissions. If granted, they were funneled to a fake Microsoft login page branded with their organization’s own Entra ID theme—deepening the illusion of legitimacy.
“This page… was designed to harvest credentials, and intercept 2FA approved token associated with the session cookie.”
Proofpoint’s threat telemetry revealed over two dozen malicious OAuth apps targeting more than 20 Microsoft 365 tenants. While not all resulted in successful breaches, at least five confirmed account takeovers (ATOs) were linked to fake apps like “Adobe” and “OneDrive-2025.”
In each case, signs of persistent access attempts—like the “Security Method Add” action—suggested attackers were working to establish long-term control of accounts.
“Initial ATO activity used the user agent string ‘axios/1.7.9’… pointing to potential use of the Tycoon phishing kit.”
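The indicators the article lists (a consent grant to a brand-lookalike OAuth app requesting only low-privilege scopes, a sign-in from the `axios/...` user agent, and a "Security Method Add" action shortly afterwards) lend themselves to a simple log correlation. The following is an added example written for this page, not Proofpoint's or Microsoft's code: the log records are constructed, their field names are an assumed simplification of Entra ID sign-in and audit exports, and the mapping of "view your basic profile" / "maintain access to data" to the `User.Read` and `offline_access` scopes is an assumption.

```python
"""Correlate three signals from the AiTM/OAuth campaign described above.

1. Consent to an unverified app whose display name imitates a known brand
   (e.g. "Adobe", "OneDrive-2025", "iLSMART") with the campaign's scopes.
2. A successful sign-in from the axios HTTP client user agent.
3. An MFA method registration ("Security Method Add") for the same user
   within a short window after that sign-in -> persistence attempt.
"""
import json
import re
from datetime import datetime, timedelta

# Brands named in the article as lures; a name starting with one of them
# counts as a lookalike ("OneDrive-2025" still matches "onedrive").
BRAND_RE = re.compile(r"^(adobe|docusign|sharepoint|onedrive|ilsmart)\b", re.IGNORECASE)
# Assumed Graph scope ids behind the consent strings quoted in the article.
CAMPAIGN_SCOPES = {"User.Read", "offline_access"}
AITM_UA_RE = re.compile(r"^axios/\d")
PERSISTENCE_ACTIVITY = "Security Method Add"

# Constructed sample records (not real telemetry). Field names are assumed.
SAMPLE_LOG = r'''
{"ts":"2025-05-01T09:00:00Z","type":"consent","user":"alice@example.com","app_name":"Adobe","app_id":"aaaaaaaa-1111-2222-3333-444444444444","publisher_verified":false,"scopes":["User.Read","offline_access"]}
{"ts":"2025-05-01T09:04:30Z","type":"signin","user":"alice@example.com","user_agent":"axios/1.7.9","ip":"203.0.113.7","result":"success"}
{"ts":"2025-05-01T09:10:00Z","type":"audit","user":"alice@example.com","activity":"Security Method Add","ip":"203.0.113.7"}
{"ts":"2025-05-01T10:00:00Z","type":"signin","user":"bob@example.com","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","ip":"198.51.100.2","result":"success"}
{"ts":"2025-05-01T10:05:00Z","type":"consent","user":"bob@example.com","app_name":"Contoso Expense Tool","app_id":"bbbbbbbb-1111-2222-3333-444444444444","publisher_verified":true,"scopes":["User.Read"]}
'''


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))


def is_lookalike_app(name):
    return bool(BRAND_RE.match(name.strip()))


def detect(records, window=timedelta(hours=1)):
    """Return findings in chronological order; 'high' severity means an MFA
    method was added within `window` of an axios sign-in by the same user."""
    findings = []
    aitm_signins = {}  # user -> list of (timestamp, source ip)
    for rec in sorted(records, key=_ts):
        user = rec["user"]
        if rec["type"] == "consent":
            unverified = not rec.get("publisher_verified", False)
            if is_lookalike_app(rec["app_name"]) and unverified:
                findings.append({
                    "rule": "lookalike_oauth_consent", "severity": "medium",
                    "user": user, "app": rec["app_name"],
                    "campaign_scopes": bool(set(rec.get("scopes", [])) & CAMPAIGN_SCOPES),
                })
        elif rec["type"] == "signin" and rec.get("result") == "success":
            if AITM_UA_RE.match(rec.get("user_agent", "")):
                aitm_signins.setdefault(user, []).append((_ts(rec), rec.get("ip")))
                findings.append({
                    "rule": "scripted_client_signin", "severity": "medium",
                    "user": user, "user_agent": rec["user_agent"], "ip": rec.get("ip"),
                })
        elif rec["type"] == "audit" and rec.get("activity") == PERSISTENCE_ACTIVITY:
            for when, ip in aitm_signins.get(user, []):
                if timedelta(0) <= _ts(rec) - when <= window:
                    findings.append({
                        "rule": "mfa_method_added_after_aitm_signin", "severity": "high",
                        "user": user, "signin_ip": ip, "audit_ip": rec.get("ip"),
                        "minutes_after_signin": (_ts(rec) - when).total_seconds() / 60,
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f["severity"].upper(), f["rule"], f["user"])
```

Run as-is it flags only alice: the consent to the unverified "Adobe" app, the axios sign-in, and the MFA method registration ten minutes later, which is the chain the article describes for its confirmed account takeovers. A verified-publisher app with an ordinary name and a browser sign-in produce nothing.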
Since early 2025, Proofpoint has recorded nearly 3,000 attempted account compromises across more than 900 Microsoft 365 environments, with a success rate exceeding 50%. This highlights the growing sophistication of AiTM phishing and its ability to sidestep traditional defenses.
The Tycoon platform plays a central role. It is used by multiple threat actors to intercept login flows in real time, proxying the victim's session so that both credentials and MFA tokens are captured without the user's knowledge.
“Tycoon proxies login pages, enabling threat actors to capture primary credentials and session tokens in a single attack flow.”
To combat these hybrid cloud and email threats, Proofpoint recommends a multi-layered defense strategy:
- Email Security: Block impersonation emails before they reach users.
- Cloud Security: Detect unauthorized access and malicious OAuth apps.
- Web Isolation: Sandbox email-based sessions to prevent credential theft.
- Security Awareness: Train users to recognize consent-based attacks.
- FIDO Authentication: Adopt phishing-resistant physical security keys.