Proofpoint has identified a complex phishing campaign using counterfeit Microsoft OAuth applications to evade Multi-Factor Authentication (MFA) and gain illicit access to Microsoft 365 accounts.
Tactics and scale
The campaign involves threat actors creating deceptive Microsoft OAuth applications that impersonate brands including Adobe, DocuSign, and SharePoint. These apps are used in Attacker-in-the-Middle (AiTM) phishing attacks, with the Tycoon phishing kit being the primary tool for harvesting user credentials and intercepting MFA tokens.
Researchers at Proofpoint observed over 50 distinct impersonated applications and nearly 3,000 attempted compromises of Microsoft 365 accounts across more than 900 environments. The confirmed success rate for these attacks has exceeded 50% in 2025. Proofpoint noted that, “Threat actors are creating deceptive Microsoft OAuth applications that impersonate well-known brands such as Adobe, DocuSign, and SharePoint. These malicious apps serve as lures in Attacker-in-the-Middle (AiTM) phishing attacks, primarily utilizing the Tycoon phishing kit, to harvest user credentials and intercept MFA tokens.”
The attacks target a range of industries, with some campaigns tailor-made for specific sectors. For instance, lures directed at aerospace and defence firms use industry language such as “request-for-quotes” (RFQs) and impersonate services like ILSMart. According to the company, “The attacks are often highly tailored. While many campaigns impersonate general enterprise applications, some are customized to specific industries. For instance, Proofpoint observed lures targeting the aerospace and defense sector, using themes like ‘request-for-quotes’ (RFQs) and impersonating industry-specific services such as ILSMart.”
Attack method
Each campaign typically begins with phishing emails, often sent from accounts that have already been compromised, containing links to a fraudulent OAuth consent page. Users are encouraged to permit what appear to be routine permissions for a familiar application. Whether permissions are accepted or declined, users are redirected to a fabricated Microsoft login page, frequently incorporating the target organisation’s Entra ID branding.
The fake login page harvests credentials and intercepts MFA tokens using AiTM techniques, giving attackers full access to Microsoft 365 accounts. “The attack flow typically begins with phishing emails, often sent from compromised accounts, containing links to a malicious OAuth consent page. Users are prompted to ‘accept’ seemingly benign permissions for the fake application. Regardless of whether permissions are accepted or canceled, the user is redirected to a counterfeit Microsoft login page, often branded with their organization’s Entra ID. This page then harvests credentials and intercepts MFA tokens via AiTM techniques, granting attackers access to Microsoft 365 accounts.”
Use of Tycoon platform
Much of the observed malicious activity has links to the Tycoon Phishing-as-a-Service platform. Tycoon is designed to intercept credentials and session cookies in real time, enabling threat actors to bypass MFA restrictions. Proofpoint’s research indicates a shift in operational infrastructure by these groups, moving from Russian proxy services to US-based data centre hosts, in a probable effort to avoid detection. “Much of this activity is linked to the Tycoon Phishing-as-a-Service (PhaaS) platform. Tycoon is widely available to cybercriminals and is designed to intercept credentials and session cookies in real-time, effectively bypassing MFA. Proofpoint also noted a recent shift in the campaign’s operational infrastructure, moving from Russia-based proxy services to a U.S.-based data center hosting service, potentially an effort to evade detection.”
Defensive measures
Threat actors are building increasingly innovative attack chains in an attempt to bypass detection and gain access to organisations globally. Proofpoint anticipates that threat actors will increasingly target users’ identities, with AiTM credential phishing becoming the criminal industry standard.
Recommendations for mitigation include monitoring and blocking malicious email threats, identifying account takeover attempts and unauthorised resource access, employing solutions that provide rapid detection of account compromise, and using auto-remediation features to limit the time attackers have in a system. Web session isolation and ongoing user education, particularly around recognising suspicious Microsoft 365-related requests, are also important. Proofpoint advises, “Email security: Block and monitor malicious email threats targeting your users. Effective BEC-prevention solutions can greatly minimise practical attack surfaces. Cloud security: Identify account takeover (ATO) and unauthorized access to sensitive resources within your cloud environment. These solutions should provide accurate and timely detection of both the initial account compromise and post-compromise activities, including visibility into abused services and applications. Employ auto-remediation capabilities to reduce attackers’ dwell time and potential damages. Web security: Isolate potentially malicious sessions initiated by links embedded in email messages. Security awareness: Educate users to be aware of these risks when using Microsoft 365. FIDO: Consider adopting FIDO-based physical security keys.”
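The account-takeover detection Proofpoint recommends, applied to the flow described under “Attack method”, comes down to two observable events in tenant logs: a consent grant to an application that borrows a well-known brand name but carries no verified publisher, and shortly afterwards a sign-in that already satisfies MFA yet originates from an address the organisation has never used. The following is an added example, not Proofpoint’s or Microsoft’s code, that applies those two checks to constructed records and rates the second one higher when it follows the first for the same user. The record fields, the brand watch-list and the trusted egress range are assumptions to be mapped onto your own Entra ID audit (“Consent to application”) and sign-in exports.

```python
"""Consent/sign-in triage for the OAuth-lure plus AiTM pattern described above.

Added example, not Proofpoint's or Microsoft's code. The record layouts are a
constructed, simplified shape; map the fields from your real Entra ID audit
("Consent to application") and sign-in logs before use.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Brands the campaign is reported to impersonate; extend with your own watch-list.
IMPERSONATED_BRANDS = ("adobe", "docusign", "sharepoint")

# Constructed: egress ranges (office, VPN) the organisation treats as familiar.
TRUSTED_EGRESS = [ip_network("203.0.113.0/24")]


@dataclass
class ConsentEvent:
    ts: datetime
    user: str
    app_name: str
    publisher_verified: bool   # Microsoft verified-publisher badge present?


@dataclass
class SignIn:
    ts: datetime
    user: str
    source_ip: str
    mfa_satisfied: bool        # sign-in completed without a fresh MFA challenge


@dataclass
class Finding:
    user: str
    severity: str
    reason: str


def looks_like_brand_lure(ev: ConsentEvent) -> bool:
    """Unverified app whose display name borrows a well-known brand."""
    name = ev.app_name.lower()
    return any(brand in name for brand in IMPERSONATED_BRANDS) and not ev.publisher_verified


def from_unfamiliar_source(ip: str) -> bool:
    """True when the address is outside every range the organisation trusts."""
    return not any(ip_address(ip) in net for net in TRUSTED_EGRESS)


def triage(consents, signins, window=timedelta(minutes=30)):
    """Return findings: lure consents, and MFA-satisfied sign-ins from unfamiliar
    addresses. The latter are rated high when they follow a lure consent by the
    same user inside `window` (the stolen-session replay step of an AiTM chain)."""
    findings = []
    lure_times = {}
    for c in consents:
        if looks_like_brand_lure(c):
            lure_times.setdefault(c.user, []).append((c.ts, c.app_name))
            findings.append(Finding(c.user, "medium",
                f"consent granted to unverified app '{c.app_name}' mimicking a known brand"))
    for s in signins:
        # A fresh MFA challenge on the user's own device is not the replay pattern.
        if not (s.mfa_satisfied and from_unfamiliar_source(s.source_ip)):
            continue
        preceded = [(t, app) for t, app in lure_times.get(s.user, [])
                    if t <= s.ts <= t + window]
        if preceded:
            t, app = preceded[-1]
            mins = int((s.ts - t).total_seconds() // 60)
            findings.append(Finding(s.user, "high",
                f"MFA-satisfied sign-in from unfamiliar {s.source_ip} {mins} min after consent to '{app}'"))
        else:
            findings.append(Finding(s.user, "medium",
                f"MFA-satisfied sign-in from unfamiliar {s.source_ip}"))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_CONSENTS = [
    ConsentEvent(datetime(2025, 7, 10, 9, 0), "alice", "Adobe Document Cloud", False),
    ConsentEvent(datetime(2025, 7, 10, 10, 0), "bob", "Contoso Expense Tracker", True),
]
SAMPLE_SIGNINS = [
    SignIn(datetime(2025, 7, 10, 9, 7), "alice", "192.0.2.45", True),    # replay after lure
    SignIn(datetime(2025, 7, 10, 10, 5), "bob", "203.0.113.10", True),   # familiar egress
    SignIn(datetime(2025, 7, 10, 11, 0), "carol", "192.0.2.99", False),  # fresh MFA challenge
    SignIn(datetime(2025, 7, 10, 12, 0), "dave", "192.0.2.7", True),     # unfamiliar, no lure
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CONSENTS, SAMPLE_SIGNINS):
        print(f"[{f.severity}] {f.user}: {f.reason}")
```

On the sample data this yields a medium finding for alice’s consent, a high finding for her MFA-satisfied sign-in from an unfamiliar address seven minutes later, and a medium finding for dave, whose unfamiliar sign-in has no preceding lure. The window is deliberately short because the page describes the token being intercepted and used in real time; widen it if your sign-in export is batched.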
Anticipated impacts
Proofpoint notes that upcoming Microsoft updates for Microsoft 365, scheduled for deployment from July to August 2025, are expected to affect these attack techniques significantly. These changes will block legacy authentication protocols and require administrative consent for third-party app access.
Proofpoint stated, “Proofpoint anticipates a positive impact from Microsoft’s recent updates to default settings for Microsoft 365. Rolling out from July to August 2025, these changes will block legacy authentication protocols and require admin consent for third-party app access, which are expected to significantly disrupt these attack methods.”
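In Entra ID terms, “require admin consent for third-party app access” is decided by the tenant’s authorization policy: the permission grant policies assigned to the default user role determine whether users may consent on their own, and the admin consent request policy determines whether they have a sanctioned way to ask instead. The following is an added example, not Microsoft’s or Proofpoint’s code, that assesses both settings from policy JSON already fetched from Microsoft Graph (GET /policies/authorizationPolicy and GET /policies/adminConsentRequestPolicy, v1.0) and produces the PATCH bodies that would enforce admin consent. It makes no network calls; the sample policies, the reviewer id placeholder and the 30-day request duration are constructed assumptions.

```python
"""Assess an Entra ID tenant's app-consent posture and build the Graph PATCH
bodies that enforce admin consent for third-party apps.

Added example, not Microsoft's or Proofpoint's code. Property names follow the
Microsoft Graph v1.0 authorizationPolicy and adminConsentRequestPolicy
resources; the policy documents below are constructed samples.
"""

# Built-in permission grant policies that let users self-consent.
LEGACY_ANY_APP = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
LOW_RISK_VERIFIED = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


def assess_consent_posture(authz_policy: dict, request_policy: dict) -> dict:
    """Return whether admin consent is required and a list of posture findings."""
    assigned = (authz_policy.get("defaultUserRolePermissions", {})
                .get("permissionGrantPoliciesAssigned", []))
    findings = []
    if LEGACY_ANY_APP in assigned:
        findings.append("users can consent to any third-party app (legacy default)")
    elif any(p.startswith("ManagePermissionGrantsForSelf.") for p in assigned):
        findings.append("users can still self-consent under: " + ", ".join(assigned))
    if authz_policy.get("allowUserConsentForRiskyApps"):
        findings.append("user consent to apps Microsoft flags as risky is allowed")
    # Turning off self-consent with no request path pushes users to work around it.
    if not assigned and not request_policy.get("isEnabled"):
        findings.append("admin consent request workflow is disabled; "
                        "users have no sanctioned route to ask for an app")
    return {"admin_consent_required": not assigned, "findings": findings}


def remediation_bodies(reviewer_ids):
    """PATCH bodies (as dicts) for the two policy endpoints, to be sent with an
    authenticated Graph client of your choice. reviewer_ids are user object ids
    of the admins who will triage consent requests."""
    authz = {
        "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []},
        "allowUserConsentForRiskyApps": False,
    }
    request = {
        "isEnabled": True,
        "notifyReviewers": True,
        "remindersEnabled": True,
        "requestDurationInDays": 30,   # assumption: adjust to your process
        "reviewers": [{"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
                      for uid in reviewer_ids],
    }
    return {"/policies/authorizationPolicy": authz,
            "/policies/adminConsentRequestPolicy": request}


# Constructed sample policy documents (not from a real tenant).
SAMPLE_AUTHZ_LEGACY = {
    "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LEGACY_ANY_APP]},
    "allowUserConsentForRiskyApps": False,
}
SAMPLE_AUTHZ_LOW_RISK = {
    "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LOW_RISK_VERIFIED]},
    "allowUserConsentForRiskyApps": False,
}
SAMPLE_AUTHZ_LOCKED = {
    "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []},
    "allowUserConsentForRiskyApps": False,
}
SAMPLE_REQUEST_OFF = {"isEnabled": False}
SAMPLE_REQUEST_ON = {"isEnabled": True}

if __name__ == "__main__":
    for label, authz, req in [("legacy", SAMPLE_AUTHZ_LEGACY, SAMPLE_REQUEST_ON),
                              ("low-risk", SAMPLE_AUTHZ_LOW_RISK, SAMPLE_REQUEST_ON),
                              ("locked, no workflow", SAMPLE_AUTHZ_LOCKED, SAMPLE_REQUEST_OFF)]:
        print(label, assess_consent_posture(authz, req))
    # Placeholder reviewer id; replace with a real admin's object id.
    print(remediation_bodies(["00000000-0000-0000-0000-000000000000"]))
```

Note that even the low-risk policy, which limits self-consent to verified publishers and low-privilege scopes, still counts as user consent here: the lure apps in this campaign request only seemingly benign permissions, so the scope check alone is not what stops them, and an unverified publisher is exactly the case the stricter setting removes.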