Trust Hijacked: How Fake OAuth Apps Bypass MFA and Breach Microsoft 365
- MUHAMMAD ADIB
- Aug 6
Overview
According to Proofpoint, since early 2025, threat actors have been exploiting Microsoft’s OAuth 2.0 authorization framework by registering deceptive third-party applications that impersonate legitimate services such as Adobe, DocuSign, and RingCentral. These fake applications are used to trick users into granting access permissions, allowing attackers to harvest credentials and session tokens. Despite the use of multifactor authentication (MFA), organizations remain vulnerable because attackers can intercept session cookies in real time.
Attack Details

According to Proofpoint, these attacks often start with targeted spearphishing emails. The emails are crafted to resemble legitimate business correspondence, such as requests for quotations or contract updates. When users click on the embedded links, they are redirected to an OAuth 2.0 consent page hosted by Microsoft but controlled by the attacker. This page asks for access permissions under the guise of a trusted brand.
Regardless of whether the user approves or cancels the request, the process continues by redirecting them through a CAPTCHA verification page. After that, the user encounters a counterfeit Microsoft login form. Proofpoint reports that the attackers deploy the Tycoon 2FA phishing kit, which captures the user’s credentials, one-time passcodes, and session cookies in real time. Tycoon 2FA acts as a proxy, sitting between the victim and legitimate Microsoft servers to intercept authentication data.
As outlined by Microsoft, OAuth 2.0’s authorization code flow uses specific parameters such as client_id, redirect_uri, and response_type=code. These are meant to ensure that the authorization code is returned only to the redirect URI registered for that application, so that only trusted apps can access resources. However, attackers abuse this by registering their own applications under a trusted-looking name with redirect URIs pointing at infrastructure they control, thereby misleading users: the consent page itself is genuinely hosted by Microsoft, which is what makes the lure convincing.
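To make the parameters above concrete, here is an added triage script (not code from the original post or from any of the cited vendors) that parses an authorize link found in a suspicious email and reports what a defender would want to know before the user clicks: whether the redirect_uri actually belongs to the brand the email claims to be from, which high-risk delegated scopes are requested, and whether prompt=consent is used to force the permission screen. The HIGH_RISK_SCOPES watchlist, the BRAND_DOMAINS allowlist, and the sample URL are constructed assumptions for the example; a real allowlist would come from the vendor's published app metadata.

```python
from urllib.parse import urlparse, parse_qs

# Delegated scopes that hand an app mailbox/file access plus a refresh token.
# Watchlist constructed for this example; extend it to match tenant policy.
HIGH_RISK_SCOPES = {
    "offline_access", "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all", "user.read.all",
}

# Domains a brand legitimately uses for OAuth callbacks. Constructed,
# illustrative values; not an authoritative list.
BRAND_DOMAINS = {
    "adobe": {"adobe.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "ringcentral": {"ringcentral.com"},
}

# Constructed lure resembling the campaign described above (fake client_id,
# reserved .example domain).
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review.example%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read"
    "&prompt=consent"
)


def host_belongs_to(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_authorize_url(url, claimed_brand=None):
    """Triage an OAuth 2.0 authorize link from an email.

    claimed_brand is the lower-case brand the email pretends to come from.
    Returns the key parameters plus a list of human-readable findings.
    """
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []

    # The consent page really is hosted by Microsoft, so the host alone proves
    # nothing about the app; it only confirms this is a genuine authorize URL.
    if parsed.hostname != "login.microsoftonline.com":
        findings.append("not a Microsoft authorize endpoint")

    if params.get("response_type") != "code":
        findings.append(f"unexpected response_type={params.get('response_type')!r}")

    redirect_host = None
    redirect = params.get("redirect_uri")
    if not redirect:
        findings.append("redirect_uri missing")
    else:
        r = urlparse(redirect)
        redirect_host = r.hostname
        if r.scheme != "https":
            findings.append(f"redirect_uri is not https: {redirect}")
        allowed = BRAND_DOMAINS.get(claimed_brand, set())
        if claimed_brand and not host_belongs_to(redirect_host, allowed):
            findings.append(
                f"redirect_uri host {redirect_host!r} does not belong to {claimed_brand}")

    scopes = params.get("scope", "").lower().split()
    risky = sorted(set(scopes) & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes requested: " + ", ".join(risky))

    forces_consent = params.get("prompt") == "consent"
    if forces_consent:
        findings.append("prompt=consent forces the permission screen to appear")

    return {
        "client_id": params.get("client_id"),
        "redirect_host": redirect_host,
        "risky_scopes": risky,
        "forces_consent": forces_consent,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyze_authorize_url(LURE_URL, claimed_brand="docusign")["findings"]:
        print("-", finding)
```

Run against the constructed lure, the script flags the redirect host, the offline_access and Mail.Read scopes, and the forced consent prompt; the same link with a redirect to a DocuSign-owned domain and only openid/profile scopes produces no findings. The redirect_uri check is the most reliable signal here, because the brand name on the consent page is chosen freely by whoever registered the app.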
Operational Impact
Once the attackers successfully harvest session cookies, they gain unauthorized access to Microsoft 365 accounts without the need to re-authenticate. This allows them to read sensitive emails, download documents, and even send additional phishing emails from the compromised account. As described by Proofpoint, the attackers may proceed to steal data, spread ransomware, or impersonate internal staff to extend their campaign.
The MITRE ATT&CK framework identifies this tactic under Spearphishing Link (T1566.002), which involves luring victims to malicious URLs to gain access credentials or deliver further payloads.
According to The Hacker News, the broader implications of this campaign include reputational harm, erosion of trust, regulatory scrutiny, and business disruption due to unauthorized data access or system compromise.
Defence Strategies
Organizations can take the following measures to reduce exposure to OAuth-based phishing threats:
Restrict Third-Party App Consent: Microsoft advises organizations to configure consent policies to require administrator approval for all third-party OAuth apps. Permissions should be limited to the least privilege necessary.
Strengthen Authentication Methods: Based on Proofpoint’s guidance, migrating to phishing-resistant MFA methods such as FIDO keys or smartcards can eliminate the opportunity for real-time interception using attacker-in-the-middle kits like Tycoon 2FA.
Monitor OAuth Registrations: Organizations should continuously monitor for anomalous OAuth app behaviours. As recommended by Proofpoint, alerts should be configured for newly registered apps, suspicious redirect URIs, and mismatches between app names and domains.
Disable Legacy Authentication: Microsoft strongly recommends disabling legacy authentication protocols across Microsoft 365 environments. These outdated methods lack adequate protections and increase exposure to automated credential-stuffing attacks.
Run Awareness and Simulation Programs: The Hacker News emphasizes the importance of cybersecurity awareness. Employees should be educated on how to identify fraudulent OAuth prompts and redirect URIs. Simulated phishing campaigns can be used to reinforce this training.
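The monitoring advice above can be turned into a concrete check. The following script is an added example, not code from the original post or from Proofpoint or Microsoft: it scores app-consent events for the three signals named in that list (a newly registered app, a reply URL outside the publisher's domain, and a brand-like app name without a verified publisher) and additionally flags high-risk permission grants. The flattened event fields (app_display_name, app_created, consent_time, verified_publisher, publisher_domain, reply_urls, permissions) are this example's own assumption; real Microsoft Entra audit records nest these details under their own schema and would need to be mapped into this shape first. The sample events are constructed, not tenant data.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Brands the post reports being impersonated; used here only as name keywords.
IMPERSONATED_BRANDS = ("adobe", "docusign", "ringcentral")

# Delegated permissions whose grant to an unknown app deserves an alert.
# Constructed watchlist for this example.
HIGH_RISK_PERMISSIONS = {
    "offline_access", "mail.read", "mail.readwrite", "mail.send", "files.read.all",
}

# Apps registered less than this long before consent count as "new".
NEW_APP_WINDOW = timedelta(days=7)


def _ts(value):
    """Parse an ISO-8601 timestamp such as 2025-08-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def consent_findings(event):
    """Return the reasons one app-consent event deserves analyst review.

    event is a flattened record; the field names are this example's assumption.
    """
    findings = []
    name = event["app_display_name"].lower()
    brand = next((b for b in IMPERSONATED_BRANDS if b in name), None)

    # Signal 1: name looks like a well-known vendor, but nobody verified the publisher.
    if brand and not event.get("verified_publisher"):
        findings.append(f"name suggests {brand} but publisher is not verified")

    # Signal 2: reply URL host does not sit under the publisher's own domain.
    pub_domain = (event.get("publisher_domain") or "").lower()
    for url in event.get("reply_urls", []):
        host = (urlparse(url).hostname or "").lower()
        if pub_domain and not (host == pub_domain or host.endswith("." + pub_domain)):
            findings.append(f"reply URL {host} is outside publisher domain {pub_domain}")

    # Signal 3: the app was registered only days before someone consented to it.
    age = _ts(event["consent_time"]) - _ts(event["app_created"])
    if age < NEW_APP_WINDOW:
        findings.append(f"app registered {age.days} day(s) before consent")

    # Signal 4: the grant includes mailbox/file access or a refresh token.
    granted = {p.lower() for p in event.get("permissions", [])}
    risky = sorted(granted & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions granted: " + ", ".join(risky))
    return findings


def triage(events):
    """Map each flagged app's display name to its findings; clean events are dropped."""
    flagged = {}
    for ev in events:
        reasons = consent_findings(ev)
        if reasons:
            flagged[ev["app_display_name"]] = reasons
    return flagged


# Constructed sample events (reserved .example domains, fictional timestamps).
SAMPLE_EVENTS = [
    {
        "app_display_name": "DocuSign Document Review",
        "app_created": "2025-07-30T21:14:00Z",
        "consent_time": "2025-08-01T09:03:00Z",
        "verified_publisher": None,
        "publisher_domain": "docs-review.example",
        "reply_urls": ["https://docs-review.example/callback",
                       "https://tracker.example.net/cb"],
        "permissions": ["openid", "offline_access", "Mail.Read"],
    },
    {
        "app_display_name": "Adobe Acrobat Sign",
        "app_created": "2021-03-10T00:00:00Z",
        "consent_time": "2025-08-01T10:00:00Z",
        "verified_publisher": "Adobe Inc.",
        "publisher_domain": "adobe.com",
        "reply_urls": ["https://secure.adobe.com/oauth/callback"],
        "permissions": ["openid", "profile"],
    },
]

if __name__ == "__main__":
    for app, reasons in triage(SAMPLE_EVENTS).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample the first event produces four findings and the second none, which is the behaviour wanted from an alert rule: a long-established app from a verified publisher with narrow permissions should not page anyone, while a days-old, unverified app that just received offline_access and Mail.Read should. In a tenant that requires admin consent, as recommended above, the same checks apply equally well to pending consent requests before an administrator approves them.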
Resources
Microsoft identity platform and OAuth 2.0 authorization code flow https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing – Proofpoint https://www.proofpoint.com/us/blog/threat-insight/microsoft-oauth-app-impersonation-campaign-leads-mfa-phishing
Tycoon 2FA: Phishing Kit Being Used to Bypass MFA – Proofpoint https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass
Phishing: Spearphishing Link (T1566.002) – MITRE ATT&CK https://attack.mitre.org/techniques/T1566/002/
Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts – The Hacker News https://thehackernews.com/2025/08/attackers-use-fake-oauth-apps-with.html