Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing
Key findings
Threat actors are impersonating various enterprises with fake Microsoft OAuth applications to steal credentials.
These campaigns bypass multifactor authentication (MFA).
While many impersonate enterprise apps, some are customized to specific software used in targeted industries.
Overview
Proofpoint has identified a cluster of activity using Microsoft OAuth application creation and redirects that lead to malicious URLs enabling credential phishing. The fake Microsoft 365 applications impersonate various companies including RingCentral, SharePoint, Adobe, and DocuSign. Proofpoint first observed this activity in early 2025, and the activity remains ongoing.
The goal of the campaigns is to use OAuth applications as a gateway lure to conduct other activities, mostly to obtain access to Microsoft 365 accounts via MFA phishing. The phishing campaigns leverage multifactor authentication (MFA) attacker-in-the-middle (AiTM) phishing kits, predominately Tycoon. Such activity could be used for information gathering, lateral movement, follow-on malware installation, or to conduct additional phishing campaigns from compromised accounts.
Proofpoint has observed this technique in email campaigns with over 50 impersonated applications, and multiple different phishing kits using this attack chain, including Tycoon and ODx. Proofpoint threat researchers have observed a smaller number of these applications, and the associated follow-on activity, in cloud threat data. Proofpoint reported the observed apps to Microsoft.
Notably, in June 2025, Microsoft announced it is updating default settings in Microsoft 365 by “blocking legacy authentication protocols and requiring admin consent for third-party app access. Changes start mid-July 2025 and complete by August 2025.” This update will have a positive impact on the landscape overall and will hamstring threat actors that use this technique.
Campaign details
In observed email campaigns, messages are often sent from compromised email accounts and include subjects related to requests for quotes or business contract agreements. The campaigns typically include thousands of messages and impact hundreds of customers. However, while most campaigns impersonate enterprise applications and services, some of the impersonated applications may change based on the compromised sender and the industry vertical being targeted.
ILSMart impersonation
In a campaign observed in March 2025, the compromised sender belonged to a small, U.S.-based aviation firm, and the request for quote (RFQ) lure theme impersonated ILSMart, an inventory locating service for aerospace and defense companies.
Lure impersonating ILS.
The messages contained a URL that led to a Microsoft OAuth page for an application named “iLSMART”. The application requested the following access:
View your basic profile
Maintain access to data you have given it access to
Landing page for requested permissions from malicious OAuth app.
If the target accepted the permissions, the application was granted those limited rights (listed above) on the target’s account. On their own, these permissions are of limited use to an attacker, but they serve to set up the next stage of the attack. Whether the target clicked Cancel or Accept as depicted in the diagram above, they were redirected to a CAPTCHA page which, if solved, led to a counterfeit Microsoft authentication page.
Fake Microsoft landing page, capturing MFA.
This fake Microsoft page presented the user’s organization Entra ID branding and was designed to harvest credentials and intercept the 2FA-approved token along with the associated session cookie. This was achieved through the AiTM technique, using the synchronous relay capabilities provided by the Tycoon Phishing-as-a-Service (PhaaS) platform.
Application configuration:
$Config = {
  "sAppName": "iLSMART",
  "sAppWebsite": "chrnobinson[.]com",
  "arrAppReplyUrls": ["https[:]//azureapplicationregistration[.]pages[.]dev/redirectapp"],
  "sAppCreatedDate": "3/17/2025",
  "arrScopes": [
    {
      "label": "View your basic profile",
      "description": "Allows the app to see your basic profile (e.g., name, picture, user name, email address)",
      "adminLabel": "View users' basic profile",
      "adminDescription": "Allows the app to see your users' basic profile (e.g., name, picture, user name, email address)"
    },
    {
      "label": "Maintain access to data you have given it access to",
      "description": "Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions.",
      "adminLabel": "Maintain access to data you have given it access to",
      "adminDescription": "Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions."
    }
  ]
}
Adobe example
In June 2025, Proofpoint observed a campaign impersonating Adobe. Messages were sent via SendGrid and contained a unique SendGrid URL that redirected to an intermediate redirector that then redirected to an OAuth “Redirector App” on Microsoft Azure.
Lure impersonating Adobe containing a phishing URL.
“Redirector app” landing page.
Whether a person clicked Cancel or Accept, the attack flow was the same: they were redirected via another intermediate URL to a counterfeit Microsoft authentication page. This page presented the user’s organization Entra ID branding and was designed to harvest the user's credentials and 2FA token and to retrieve the associated session cookie using Tycoon.
Application configuration:
client_id: 854189f9-4c71-44bb-9880-dd0c2f75922a
scope: openid+email+profile
redirect_uri: hxxps://chikeukohandco[.]com/saas/Index.html
response_type: id_token
state: 01812921
response_mode: fragment
nonce: 300430
uaid: ca41e736dd134b5cada2ad17881ea542
msproxy: 1
issuer: mso
tenant: common
ui_locales: en-US
signup: 1
lw: 1
fl: easi2
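As an added example (not code from Proofpoint's report), the following Python parses an authorize request shaped like the one above and flags the combination this page describes: only benign scopes, an id_token returned in the URL fragment, and a redirect_uri on a host the organization does not recognize. The client_id is the one shown above; the redirect host "redirector.example" is a constructed placeholder standing in for the attacker-controlled redirector.

```python
from urllib.parse import urlparse, parse_qs

# Constructed authorize request modelled on the Adobe example above.
# client_id is from the report; the redirect host is a placeholder.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=854189f9-4c71-44bb-9880-dd0c2f75922a"
    "&scope=openid+email+profile"
    "&redirect_uri=https://redirector.example/saas/Index.html"
    "&response_type=id_token&response_mode=fragment"
    "&state=01812921&nonce=300430"
)

# Scopes that grant little on their own; the lure apps on this page asked only for these.
BENIGN_SCOPES = {"openid", "email", "profile", "offline_access", "user.read"}


def parse_authorize_request(url: str) -> dict:
    """Flatten the query string of an authorize URL into a name -> value dict.
    parse_qs decodes '+' to a space, so 'openid+email+profile' becomes a
    space-separated scope list as the authorization server would see it."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def assess_consent_request(params: dict, trusted_redirect_hosts: set) -> list:
    """Return review reasons for an authorize request. An empty list means the
    request matched none of the traits described on this page."""
    findings = []
    scopes = {s.lower() for s in params.get("scope", "").split()}
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""

    # Benign-only scopes: low-value consent used as a gateway lure, not for data access.
    if scopes and scopes <= BENIGN_SCOPES:
        findings.append("benign-scopes-only")
    # The user lands on the redirect_uri whether they accept or cancel, so an
    # unrecognised host is where the phishing chain actually begins.
    if redirect_host and redirect_host not in trusted_redirect_hosts:
        findings.append(f"untrusted-redirect-host:{redirect_host}")
    # Implicit flow: the id_token (who consented) is delivered straight to that host.
    if params.get("response_type") == "id_token" and params.get("response_mode") == "fragment":
        findings.append("id_token-in-fragment")
    return findings


if __name__ == "__main__":
    parsed = parse_authorize_request(SAMPLE_AUTHORIZE_URL)
    print(assess_consent_request(parsed, {"login.microsoftonline.com", "adobe.com"}))
```

The trusted host set is an assumption: in practice it would be populated from the reply URLs of app registrations your tenant has already reviewed.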
Cloud tenant impacts
Based on Proofpoint’s visibility into its cloud tenant infrastructure, in early 2025, Proofpoint researchers identified more than two dozen malicious applications exhibiting similar characteristics. These applications shared a consistent pattern in their reply URLs and commonly requested benign OAuth scopes (e.g., profile, email, openid).
Impersonation and intent
Out of the total identified applications, four applications impersonated Adobe applications, five impersonated DocuSign, and all the others had distinct, unrelated names. Despite their naming differences, the goal of these applications was the same: gaining user authorization or triggering a cancellation flow that redirected the victim to a phishing page.
Scope and spread
These applications were authorized by more than two dozen users in more than 20 different tenants. However, evidence of actual account takeovers (ATOs) was found only in five cases. This suggests that:
These malicious apps acted primarily as phishing lures.
With narrow scopes, the applications alone could not compromise accounts unless users submitted credentials on the phishing page. The small number of ATOs indicates a low overall success rate.
ATO case breakdown
In one cluster, four users were impacted by the fake “Adobe” app, which had the reply URL: hxxps[:]//workspacesteamworkspace[.]myclickfunnels[.]com/offices–af295]
Example phishing flow or application consent prompt for impersonated Adobe app.
In all those cases, initial ATO activity used the user agent string “axios/1.7.9”, pointing to potential use of the Tycoon phishing kit. In all cases the sign-in application was “OfficeHome”. While Proofpoint observed additional phishing kits distributed via email, our researchers observed only Tycoon campaigns in cloud tenant data.
Additional incident: App OneDrive-2025
In another case, one user was impacted by the app “OneDrive-2025” with the reply URL:
hxxps[:]//cleansbeauty[.]com/lost/apc.html
As in the previous cluster, a similar user agent string was observed: “axios/1.8.2”. Other sign-in applications used in these flows included “OfficeHome”, “My Profile”, “Microsoft Account Controls V2” and “My Signins”.
Following sign-in, the researchers observed MFA manipulation, particularly the “Security Method Add” action—likely indicating the attacker’s attempt to gain persistence in the compromised accounts.
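As an added example (not code from Proofpoint's report), the following Python runs the two observations above as a detection over constructed sign-in and audit events: a successful sign-in to a Microsoft first-party portal from an Axios user agent, followed within a window by a “Security Method Add” by the same user. The event field names and the sample users are assumptions; the application names and user agent strings are the ones reported on this page.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumed, not a specific log schema.
SIGNIN_EVENTS = [
    {"ts": "2025-03-10T08:02:11", "user": "a.lee@example.test", "app": "OfficeHome",
     "user_agent": "axios/1.8.2", "result": "Success"},
    {"ts": "2025-03-10T08:05:40", "user": "a.lee@example.test", "app": "My Signins",
     "user_agent": "axios/1.8.2", "result": "Success"},
    {"ts": "2025-03-10T09:15:00", "user": "b.kim@example.test", "app": "OfficeHome",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "Success"},
]
AUDIT_EVENTS = [
    {"ts": "2025-03-10T08:07:02", "user": "a.lee@example.test", "action": "Security Method Add"},
    {"ts": "2025-03-12T10:00:00", "user": "b.kim@example.test", "action": "Security Method Add"},
]

SUSPECT_UA_PREFIXES = ("axios/",)
# Sign-in applications seen in the ATO flows described on this page.
PORTAL_APPS = {"OfficeHome", "My Profile", "Microsoft Account Controls V2", "My Signins"}
MFA_PERSISTENCE_ACTIONS = {"Security Method Add"}


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def suspicious_signins(signins: list) -> list:
    """Successful sign-ins to first-party portals from a scripted HTTP client."""
    return [e for e in signins
            if e["result"] == "Success" and e["app"] in PORTAL_APPS
            and e["user_agent"].lower().startswith(SUSPECT_UA_PREFIXES)]


def correlate_mfa_changes(signins: list, audits: list, window=timedelta(hours=24)) -> dict:
    """Pair each suspicious sign-in with a later MFA-method addition by the same
    user inside the window. The earliest pair per user becomes one alert, which
    is the persistence pattern described above rather than a lone odd sign-in."""
    alerts = {}
    for s in suspicious_signins(signins):
        for a in audits:
            same_user = a["user"] == s["user"] and a["action"] in MFA_PERSISTENCE_ACTIONS
            if same_user and _t(s["ts"]) <= _t(a["ts"]) <= _t(s["ts"]) + window:
                alerts.setdefault(s["user"], {"signin": s["ts"], "mfa_change": a["ts"],
                                              "user_agent": s["user_agent"]})
    return alerts


if __name__ == "__main__":
    for user, detail in correlate_mfa_changes(SIGNIN_EVENTS, AUDIT_EVENTS).items():
        print(f"ALERT {user}: {detail}")
```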
Axios user agent and the link to Tycoon phishing kit
The activity documented in this report represents a small subset of Tycoon activity. Many threat actors use Tycoon as it is a broadly available phishing-as-a-service that can be purchased by cybercriminals.
Proofpoint researchers are tracking ongoing account takeover activity by multiple activity clusters linked to the Tycoon framework, which is built to intercept credentials and session cookies in real time, effectively bypassing MFA. Like other AiTM platforms, Tycoon proxies login pages, enabling threat actors to capture primary credentials and session tokens in a single attack flow.
According to Proofpoint research, Tycoon’s Microsoft 365 targeted operations, identified by its use of the Axios HTTP client, remain effective at compromising enterprise accounts. (Analyst note: in January 2025, Proofpoint researchers published details on Axios HTTP clients. Subsequent investigation attributed most of this activity to Tycoon phishing campaigns.)
So far in 2025, Proofpoint has observed attempted account compromises affecting nearly 3,000 user accounts across more than 900 Microsoft 365 environments, with a confirmed success rate exceeding 50%.
In late April 2025, Proofpoint researchers identified a shift in the campaign’s operational infrastructure. An abused U.S.-based DCH (Data Center Hosting) service appears to have replaced previously used Russia-based proxy services. This change could signal an effort to evade detection following public exposure of earlier infrastructure.
Graph showing the different infrastructure used by Tycoon.
Conclusion
Threat actors are creating increasingly innovative attack chains in an attempt to bypass detections and obtain access to organizations globally. Proofpoint anticipates threat actors will increasingly target users’ identity, with AiTM credential phishing becoming the criminal industry standard.
Below are ways to help your organization defend against advanced hybrid (email and cloud) threats:
Email security: Block and monitor malicious email threats targeting your users. Effective BEC-prevention solutions can greatly minimize practical attack surfaces.
Cloud security: Identify account takeover (ATO) and unauthorized access to sensitive resources within your cloud environment.
These solutions should provide accurate and timely detection of both the initial account compromise and post-compromise activities, including visibility into abused services and applications.
Employ auto-remediation capabilities to reduce attackers’ dwell time and potential damages.
Web security: Isolate potentially malicious sessions initiated by links embedded in email messages.
Security awareness: Educate users to be aware of these risks when using Microsoft 365.
FIDO: Consider adopting FIDO-based physical security keys (https://fidoalliance.org/how-fido-works).
Contact Proofpoint to learn more about how we can help your organization protect cloud apps and secure Microsoft 365 cloud environments.
Analyst note: Proofpoint previously attributed an overlap in activity associated with the app impersonation described in this report with ClickFix campaigns. After additional research, this was proven to be inaccurate, and Proofpoint has not observed the activity in this report associated with any campaigns leveraging ClickFix.
Indicators of compromise