
Cybersecurity researchers have detailed a cluster of activity in which threat actors use fake Microsoft OAuth applications that impersonate businesses to facilitate credential harvesting as part of account takeover attacks.
“Fake Microsoft 365 applications are spoofing a variety of companies, including RingCentral, SharePoint, Adobe, Docusign, and more,” Proofpoint said in a report published Thursday.
The ongoing campaign, first detected in early 2025, uses the OAuth applications as a gateway and relies on phishing kits such as Tycoon and ODx, which can carry out multi-factor authentication (MFA) phishing, to gain unauthorized access to users’ Microsoft 365 accounts.
The enterprise security company said it has observed the approach in email campaigns involving more than 50 spoofed applications.
The attack starts with a phishing email sent from a compromised account that aims to trick the recipient into clicking a URL under the pretext of sharing a request for quote (RFQ) or a business contract agreement.
Clicking the link directs the victim to a Microsoft OAuth consent page for an application named “Ilsmart” that asks to view the user’s basic profile and for permission to maintain access to the data it has been granted.

Notably, the attack impersonates ILSMART, a legitimate online marketplace for the aviation, marine, and defense industries.
“The application permissions provide limited utility to the attacker but are used to set up the next stage of the attack,” Proofpoint said.
Whether the target accepts or declines the requested permissions, they are first redirected to a CAPTCHA page and then, once verification is complete, to a fake Microsoft account verification page.
This fake Microsoft page uses adversary-in-the-middle (AiTM) phishing techniques powered by a phishing-as-a-service (PhaaS) platform to harvest the victim’s credentials and MFA codes.
Last month, Proofpoint said it also detected another campaign, with emails sent via the email marketing platform Twilio SendGrid and impersonating Adobe, designed with the same goal in mind.
The campaign is a drop in the bucket compared to overall activity, with multiple clusters leveraging such toolkits to run account takeover attacks. In 2025 alone, account compromise attempts have been observed affecting nearly 3,000 user accounts across more than 900 Microsoft 365 environments.
“Threat actors are creating increasingly innovative attack chains in an attempt to bypass detection and gain access to organizations worldwide,” the company said, adding, “We expect threat actors to target user identities and AiTM credential phishing to become the crime industry standard.”
Last month, Microsoft announced plans to improve security by updating default settings to block legacy authentication protocols and require administrator consent for third-party app access. The rollout is expected to be completed by August 2025.
“This update will have a positive impact on the landscape overall and will hamstring threat actors using this technique,” Proofpoint noted.
The disclosure also follows Microsoft’s decision to disable external workbook links by default between October 2025 and July 2026 to improve the security of workbooks.
The findings coincide with the discovery of a campaign deploying a .NET malware called VIP Keylogger via spear-phishing emails posing as payment receipts, which uses injector components to steal sensitive data from compromised hosts, Seqrite said.
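The consent step described above leaves a trace in the tenant's audit log, which is where a defender can catch it before the AiTM stage completes. The following is an added detection example, not code from the article or from Proofpoint; the audit-record layout and field names are a simplified, constructed stand-in for "Consent to application" events, and the leetspeak normalization is an assumption about how lookalike app names are built:

```python
"""Flag risky OAuth consent grants in constructed Entra ID-style audit records.

Assumptions (not from the article): the JSON-lines layout below is a hand-built
stand-in for a tenant's "Consent to application" audit events; field names are
illustrative rather than Microsoft's exact schema.
"""
import json
import re

# Brands the article says were spoofed, plus the legitimate marketplace name.
SPOOFED_BRANDS = ("ringcentral", "sharepoint", "adobe", "docusign", "ilsmart")

# Constructed sample audit events (one JSON object per line), not real tenant data.
SAMPLE_AUDIT_LOG = """\
{"id":"e1","activity":"Consent to application","appDisplayName":"Ilsmart","publisherVerified":false,"scopes":["User.Read","offline_access"],"initiatedBy":"alice@example.test"}
{"id":"e2","activity":"Consent to application","appDisplayName":"Adobe Acrobat Sign","publisherVerified":true,"scopes":["User.Read"],"initiatedBy":"bob@example.test"}
{"id":"e3","activity":"Consent to application","appDisplayName":"D0cuSign Viewer","publisherVerified":false,"scopes":["User.Read","offline_access"],"initiatedBy":"carol@example.test"}
{"id":"e4","activity":"Update user","appDisplayName":null,"publisherVerified":null,"scopes":[],"initiatedBy":"admin@example.test"}
"""


def normalize(name):
    """Lowercase, undo common digit-for-letter substitutions, drop non-letters."""
    name = name.lower()
    for digit, letter in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        name = name.replace(digit, letter)
    return re.sub(r"[^a-z]", "", name)


def brand_lookalike(name, brands=SPOOFED_BRANDS):
    """Return the first brand whose name is embedded in the app display name, else None."""
    norm = normalize(name)
    for brand in brands:
        if brand in norm:
            return brand
    return None


def assess_consent(event):
    """Return the reasons a consent event deserves review (empty list if none)."""
    if event.get("activity") != "Consent to application":
        return []
    reasons = []
    verified = bool(event.get("publisherVerified"))
    brand = brand_lookalike(event.get("appDisplayName") or "")
    if brand and not verified:
        reasons.append(f"unverified publisher using brand name '{brand}'")
    scopes = {s.lower() for s in event.get("scopes", [])}
    # offline_access is the "maintain access to data" permission from the consent page:
    # it yields refresh tokens, so an unverified app asking for it is the key signal.
    if "offline_access" in scopes and not verified:
        reasons.append("offline_access granted to unverified app (persistent token access)")
    return reasons


def scan_audit_log(text):
    """Map event id -> list of reasons for every flagged consent event."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = assess_consent(event)
        if reasons:
            findings[event["id"]] = reasons
    return findings


if __name__ == "__main__":
    for event_id, reasons in scan_audit_log(SAMPLE_AUDIT_LOG).items():
        print(event_id, "->", "; ".join(reasons))
```

The verified Adobe consent (e2) is left alone; e1 and e3 are flagged on both the brand lookalike and the persistent-access scope. In a real tenant the same two conditions map onto the article's mitigation: requiring admin consent for third-party apps removes the user's ability to grant these in the first place, and the audit query then becomes a check that the policy is holding.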

In recent months, spam campaigns have also been found concealing installation links for remote desktop software in PDF files to bypass email and malware protections. The campaign is believed to have primarily targeted organizations in France, Luxembourg, Belgium, and Germany since November 2024.
“These PDFs are often disguised to look like invoices, contracts, or property listings to increase credibility and entice victims to click on the embedded links,” WithSecure said. “The design was intended to create an illusion of innocuous, legitimate content and encourage the victim to install the program. In this case, the program was Fleetdeck RMM.”
Other Remote Monitoring and Management (RMM) tools deployed as part of the activity cluster include Action1, Optitune, Bluetrait, Syncro, Superops, Atera, and ScreenConnect.
“While no post-infection payload has been observed, the use of RMM tools strongly suggests a role as an initial access vector that could enable further malicious activity,” the Finnish company added. “Ransomware operators in particular favor this approach.”
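Because the PDFs in this campaign carry no exploit, only a link, a mail gateway can triage them by pulling the link annotations out and checking whether an "invoice" points at an RMM installer. The following is an added example, not code from the article or from WithSecure; the PDF bytes are a constructed minimal document, the RMM name list comes from the tools named above, and the regex-based extraction only sees uncompressed link annotations (a real deployment would use a proper PDF parser to handle object streams):

```python
"""Extract link targets from a PDF and flag those pointing at RMM installers.

Assumptions (not from the article): SAMPLE_PDF is a hand-built minimal PDF;
the regex only handles plain, uncompressed /URI annotations.
"""
import re
from urllib.parse import urlparse

# RMM products named in the article as being delivered this way.
RMM_TOOLS = ("fleetdeck", "action1", "optitune", "bluetrait", "syncro",
             "superops", "atera", "screenconnect")
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg")

# Constructed sample PDF with two link annotations; the hostnames are made up.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://downloads.example-rmm.test/agent/fleetdeck_setup.exe) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example-estate.test/listing/1234) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uris(pdf_bytes):
    """Return every /URI literal string found in an uncompressed PDF, in order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def classify_link(uri):
    """Label a link target: 'rmm-installer', 'rmm-reference', 'installer-download', or None."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    mentions_rmm = any(tool in host or tool in path for tool in RMM_TOOLS)
    is_installer = path.endswith(INSTALLER_EXT)
    if mentions_rmm and is_installer:
        return "rmm-installer"
    if mentions_rmm:
        return "rmm-reference"
    if is_installer:
        return "installer-download"
    return None


def scan_pdf(pdf_bytes):
    """Map each flagged link in the PDF to its classification."""
    findings = {}
    for uri in extract_uris(pdf_bytes):
        label = classify_link(uri)
        if label:
            findings[uri] = label
    return findings


if __name__ == "__main__":
    for uri, label in scan_pdf(SAMPLE_PDF).items():
        print(label, uri)
```

An invoice or property listing that links to an executable download is already worth holding; one whose link names an RMM product is the specific pattern WithSecure describes. The label granularity lets a gateway quarantine the first category and hard-block the second without treating every vendor-site link as malicious.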