
Hackers Exploit Fake OAuth Apps and Phishing Kits
Cybersecurity researchers have uncovered a sophisticated cyberattack campaign where threat actors impersonate trusted companies using fake Microsoft OAuth applications to compromise Microsoft 365 accounts.
First identified in early 2025, this ongoing campaign uses phishing kits like Tycoon and ODx to bypass multi-factor authentication (MFA) and harvest user credentials, enabling account takeovers at scale.
How the Attack Works
The attack chain begins with phishing emails, often sent from compromised email accounts, that claim to share:
- Requests for Quotes (RFQs)
- Contract agreements
- Invoices or payment details
These emails contain links that redirect victims to fake Microsoft OAuth app authorization pages, where a malicious app—often disguised as “iLSMART”—requests access to the user’s basic profile and other Microsoft 365 data.
⚠️ Important: ILSMart is a legitimate online marketplace used in aviation and defense sectors, making the spoof highly credible.
Identity Spoofing Meets Adversary-in-the-Middle (AitM) Phishing
Even if a user denies the app’s permission request, they are redirected to a CAPTCHA verification page, followed by a spoofed Microsoft login screen.
This fake login page is powered by Tycoon, a Phishing-as-a-Service (PhaaS) platform that:
- Intercepts login credentials
- Captures MFA tokens using AitM tactics
- Enables real-time session hijacking
Widespread and Ongoing Campaigns
According to the current research report, the attackers have impersonated over 50 enterprise applications, including:
- Microsoft SharePoint
- Adobe
- Docusign
- RingCentral
In 2025 alone, Tycoon-based phishing operations have attempted to compromise nearly 3,000 user accounts across more than 900 Microsoft 365 environments.
Other Recent Phishing Variants
The Tycoon toolkit has also been used in campaigns that:
- Spoof Adobe-branded emails using Twilio SendGrid
- Deliver fake “unsubscribe” or “document” flows that redirect users to phishing sites
- Abuse AutoIt-based malware like VIP Keylogger to harvest sensitive data
- Hide remote desktop software links (e.g., FleetDeck RMM) inside PDFs disguised as invoices, contracts, or real estate listings
Countries Targeted:
- France
- Belgium
- Luxembourg
- Germany
RMM Tools Used as Initial Access Vectors
In addition to fake OAuth apps, attackers have leveraged legitimate Remote Monitoring and Management (RMM) tools such as:
- Action1
- OptiTune
- SuperOps
- ScreenConnect
- Syncro
- Atera
- Bluetrait
While no post-infection payloads have been confirmed, these tools are commonly used by ransomware gangs to gain persistent access and stage further attacks.
Microsoft’s Security Response
In response to the increasing abuse of OAuth and third-party app access, Microsoft is rolling out new security policies by August 2025, including:
- Blocking legacy authentication protocols
- Requiring admin consent for third-party OAuth apps
Additionally, Microsoft is planning to block external links to unsafe file types in Excel workbooks by default between October 2025 and July 2026.
Takeaways & Recommendations
- Review OAuth app permissions across your Microsoft 365 environment
- Enable MFA with phishing-resistant methods (such as FIDO2 keys or the Authenticator app)
- Train users to recognize the CAPTCHA-then-login pattern these phishing kits use
- Monitor for unusual consent requests or admin grants
- Restrict third-party app access by default unless explicitly approved
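To put the "monitor for unusual consent requests" and "review OAuth app permissions" items into practice, here is an added example (not code from the article or from any vendor) that scans consent events for the two signals this campaign shows: an app name that imitates a spoofed brand without a verified publisher, and a user-level consent that grants mailbox or long-lived (offline_access) scopes. The field names and the sample records are constructed assumptions that only approximate Entra ID "Consent to application" audit events.

```python
import json

# Constructed sample records, loosely modelled on Entra ID "Consent to application"
# audit events. Field names are assumptions, not the exact Microsoft Graph schema.
SAMPLE_AUDIT_LOG = """
{"activity": "Consent to application", "user": "alice@example.com", "app": "iLSMART", "publisherVerified": false, "scopes": ["User.Read", "offline_access"], "consentType": "User"}
{"activity": "Consent to application", "user": "bob@example.com", "app": "Contoso HR Portal", "publisherVerified": true, "scopes": ["User.Read"], "consentType": "Admin"}
{"activity": "Consent to application", "user": "carol@example.com", "app": "DocuSign", "publisherVerified": false, "scopes": ["Mail.Read", "offline_access"], "consentType": "User"}
{"activity": "Update user", "user": "dave@example.com"}
"""

# Watchlist built from the brands the article reports being impersonated (constructed).
IMPERSONATED_BRANDS = {"ilsmart", "sharepoint", "adobe", "docusign", "ringcentral"}
# Scopes that expose mail or grant refresh tokens; these should never be user-consented.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "offline_access"}


def assess_consent(event):
    """Return the reasons a consent event looks suspicious (empty list if benign)."""
    reasons = []
    if event.get("activity") != "Consent to application":
        return reasons
    name = event.get("app", "").lower()
    if any(brand in name for brand in IMPERSONATED_BRANDS) and not event.get("publisherVerified", False):
        reasons.append(f"app name '{event['app']}' matches a spoofed brand and the publisher is unverified")
    risky = RISKY_SCOPES.intersection(event.get("scopes", []))
    if risky and event.get("consentType") == "User":
        reasons.append(f"user consent granted risky scopes {sorted(risky)}")
    return reasons


def find_suspicious_consents(raw_log):
    """Parse newline-delimited JSON events and return (user, app, reasons) for each hit."""
    hits = []
    for line in raw_log.strip().splitlines():
        event = json.loads(line)
        reasons = assess_consent(event)
        if reasons:
            hits.append((event["user"], event["app"], reasons))
    return hits


if __name__ == "__main__":
    # Constructed input above yields two hits: the iLSMART consent and the DocuSign look-alike.
    for user, app, reasons in find_suspicious_consents(SAMPLE_AUDIT_LOG):
        print(f"{user} consented to {app}: {'; '.join(reasons)}")
```

In a real tenant the same checks apply to the output of the Graph audit log or the consented service principals; the verified-publisher flag and the admin-vs-user consent type are the cheapest filters to start with.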
This campaign represents a major evolution in identity-based attacks, combining social engineering, OAuth abuse, and adversary-in-the-middle phishing to gain access to corporate environments.
As threat actors shift toward identity-driven compromise, security teams must adopt a zero-trust mindset, strengthen email defenses, and closely monitor third-party app integrations.
Sleep well, we got you covered.
