Fake OAuth Apps And Tycoon Kit Target Microsoft 365 Users

Cybersecurity experts have reported a wave of attacks involving fraudulent Microsoft OAuth applications created to mimic well-known companies such as RingCentral, SharePoint, Adobe, and Docusign. These applications are being used to harvest credentials and compromise Microsoft 365 accounts. 

Detected in early 2025, the campaign relies on phishing kits like Tycoon and ODx, which target victims with multi-factor authentication phishing. More than 50 impersonated apps have surfaced in email scams that begin with requests for quotes or business contract proposals sent from hijacked email accounts. 

Victims clicking the embedded links are redirected to a page for a supposed Microsoft OAuth application called "iLSMART," which requests access to basic profile data. This app impersonates a legitimate aviation marketplace, making the bait more convincing. 

Proofpoint revealed that, regardless of whether the user grants consent, victims are routed through a CAPTCHA page and then to a fake Microsoft login page. This phishing page, powered by Tycoon’s Phishing-as-a-Service platform, captures login credentials and MFA tokens. 
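Because the first step of the chain is a consent prompt for a lookalike OAuth app, tenant consent-grant records are one place defenders can look. The following is an added example, not code from the article or from Proofpoint: it scores constructed consent records against the brands the article says were impersonated, flagging grants where the app name mimics a brand but the publisher is unverified or does not match the brand's expected domain (the brand-to-domain mapping and the record field names are assumptions, not a real Microsoft log schema). It covers only the consent step; the later CAPTCHA and fake-login steps leave no trace in consent records.

```python
import re

# Brands the article reports being impersonated, mapped to the publisher
# domain a legitimate app would carry (assumed mapping, not from the article).
EXPECTED_PUBLISHER = {
    "ringcentral": {"ringcentral.com"},
    "sharepoint": {"microsoft.com"},
    "adobe": {"adobe.com"},
    "docusign": {"docusign.com"},
    "ilsmart": {"ilsmart.com"},
}

def normalize(name: str) -> str:
    """Lowercase and strip separators so 'Docu-Sign' and 'DocuSign' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def brand_matches(app_name: str) -> list[str]:
    """Return the impersonated brands whose name appears inside the app display name."""
    n = normalize(app_name)
    return [b for b in EXPECTED_PUBLISHER if b in n]

def flag_consent(event: dict) -> list[str]:
    """Return reasons a consent-grant record looks like a lookalike app.
    Record shape is a simplified, assumed one: user, app_name, publisher_domain,
    verified_publisher (bool)."""
    reasons = []
    for brand in brand_matches(event["app_name"]):
        if not event.get("verified_publisher", False):
            reasons.append(f"name mimics {brand} but publisher is unverified")
        elif event["publisher_domain"].lower() not in EXPECTED_PUBLISHER[brand]:
            reasons.append(f"name mimics {brand} but publisher domain is {event['publisher_domain']}")
    return reasons

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each consenting user to the reasons their grant was flagged (flagged grants only)."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        reasons = flag_consent(ev)
        if reasons:
            findings.setdefault(ev["user"], []).extend(reasons)
    return findings

# Constructed sample records (not real tenant logs).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app_name": "RingCentral",
     "publisher_domain": "ringcentral.com", "verified_publisher": True},
    {"user": "bob@example.com", "app_name": "iLSMART",
     "publisher_domain": "placeholder-tenant.example", "verified_publisher": False},
    {"user": "carol@example.com", "app_name": "Docu-Sign Contract Portal",
     "publisher_domain": "example.net", "verified_publisher": True},
    {"user": "dave@example.com", "app_name": "Expense Tracker",
     "publisher_domain": "example.org", "verified_publisher": False},
]

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```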

A similar campaign spoofed Adobe emails using Twilio SendGrid, manipulating users into granting permissions or initiating cancellation flows that eventually lead to credential theft. 

These tactics are part of a broader trend. In 2025 alone, attackers have attempted to compromise around 3,000 accounts across over 900 Microsoft 365 environments. 

Proofpoint warns that attackers are refining their strategies to bypass traditional detection methods. They predict adversary-in-the-middle phishing will soon become standard among cybercriminals. 

To counter these threats, Microsoft plans to roll out updates by August 2025 that will restrict legacy authentication protocols and require admin consent for third-party apps. Another move to enhance security includes disabling external workbook links to blocked file types by mid-2026. 

Separately, Seqrite reported that malware called VIP Keylogger is being delivered through AutoIt injectors. The campaigns often rely on PDFs that mimic invoices or property documents, concealing remote desktop software like FleetDeck RMM to evade security systems. 

Other remote monitoring tools observed in the activity include Action1, OptiTune, Bluetrait, Syncro, SuperOps, Atera, and ScreenConnect. Though no additional payloads have been found, the presence of these tools suggests the attackers retain access that could be used for further exploitation. 
