Ethical Hacking News

New Wave of Malicious OAuth Apps Target Microsoft 365 Accounts



Threat actors are using fake OAuth apps with phishing kits like Tycoon to breach Microsoft 365 accounts by tricking users into granting unauthorized access to their credentials. This new attack vector exploits the trust placed in legitimate applications and services, making it essential for users to remain vigilant and take steps to protect themselves against these types of attacks.

  • Threat actors are using fake OAuth applications to breach Microsoft 365 accounts.
  • Malicious applications are designed to trick users into granting unauthorized access to their accounts.
  • Users may be tricked into clicking on links that appear legitimate, but are actually phishing attempts.
  • Threat actors harvest credentials, including login credentials and MFA codes, using the fake OAuth application.
  • Microsoft has updated default settings to block legacy authentication protocols and require admin consent for third-party app access.
  • Users must remain vigilant and take steps to protect themselves against these types of attacks, such as monitoring account activity and using two-factor authentication.


Threat actors have been ramping up their efforts to breach Microsoft 365 accounts using a technique that leverages fake OAuth applications to facilitate credential harvesting. A recent report from cybersecurity researchers at Proofpoint has shed light on this emerging threat, which involves impersonating enterprises with maliciously crafted OAuth applications designed to trick users into granting unauthorized access to their accounts.

The attacks begin with phishing emails sent from compromised accounts, aiming to deceive recipients into clicking on URLs that appear to be legitimate sharing requests for quotes or business contract agreements. Once the victim clicks on the link, they are redirected to a Microsoft OAuth consent page for an application named "iLSMART" that asks them to grant it permission to view their basic profile and to maintain continued access to the data it has been granted access to.

However, unbeknownst to the victims, the "iLSMART" application is a fake OAuth app set up by threat actors using phishing kits like Tycoon and ODx. These malicious applications are capable of conducting multi-factor authentication (MFA) phishing, making it increasingly difficult for users to distinguish between legitimate and fraudulent requests.

Once the user grants permissions to the fake "iLSMART" application, the threat actors use this access to harvest the victim's credentials, including their login credentials, email address, and MFA codes. This information can then be used to gain unauthorized access to the user's Microsoft 365 account or to other online services that use Microsoft 365 as a single sign-on solution.

The use of fake OAuth applications with phishing kits like Tycoon is a particularly insidious tactic because it exploits the trust that users place in legitimate applications and services. By impersonating enterprises and using legitimate-looking OAuth consent pages, threat actors can trick users into granting them access to their accounts without the users realizing they are being targeted.

According to Proofpoint, this attack vector has been used by threat actors in multiple campaigns targeting various industries, including finance, healthcare, and e-commerce. The company also notes that the attackers have used a range of tactics to evade detection, including spoofing legitimate emails and employing anti-detection techniques to disguise their malicious activity.

Microsoft has taken steps to mitigate this attack vector by announcing plans to update default settings to block legacy authentication protocols and require admin consent for third-party app access. This move is expected to make it more difficult for threat actors to use fake OAuth applications to breach Microsoft 365 accounts.
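The consent grant itself is the record a defender can review. As an added example (not code from the article or from Proofpoint), the Python below triages a constructed set of audit records loosely modelled on Entra ID "Consent to application" events: it flags user-consented grants to apps that are not on an approved list or that request persistent access. The field names, the approved-app list, and the mapping of the consent text "maintain continued access to data" to the offline_access scope are assumptions.

```python
# Constructed sample records resembling "Consent to application" audit
# entries; the field names are a simplified assumption, not the real schema.
SAMPLE_AUDIT_LOG = [
    {"activityDisplayName": "Consent to application",
     "initiatedBy": "alice@example.test", "appDisplayName": "iLSMART",
     "isAdminConsent": False, "permissions": "User.Read offline_access"},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": "admin@example.test", "appDisplayName": "Contoso Expense Tool",
     "isAdminConsent": True, "permissions": "User.Read"},
    {"activityDisplayName": "Add user",
     "initiatedBy": "admin@example.test", "appDisplayName": "",
     "isAdminConsent": False, "permissions": ""},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": "bob@example.test", "appDisplayName": "Contoso Expense Tool",
     "isAdminConsent": False, "permissions": "User.Read"},
]

# Constructed allowlist of apps the organisation has already reviewed.
APPROVED_APPS = {"Contoso Expense Tool"}

# Scopes that keep an app's access alive after the session ends; the consent
# wording "maintain continued access" is assumed to map to offline_access.
PERSISTENT_SCOPES = {"offline_access"}


def find_suspicious_consents(events, approved_apps=APPROVED_APPS):
    """Return (user, app, reasons) for user-consent grants that need review.

    Admin-consented grants are skipped: they already passed a review step,
    which is the control the article says Microsoft is making the default.
    """
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        if ev.get("isAdminConsent", False):
            continue
        app = ev.get("appDisplayName", "")
        scopes = set(ev.get("permissions", "").split())
        reasons = []
        if app not in approved_apps:
            reasons.append("app not on approved list")
        persistent = sorted(scopes & PERSISTENT_SCOPES)
        if persistent:
            reasons.append("requests persistent access: " + ", ".join(persistent))
        if reasons:
            findings.append((ev.get("initiatedBy", "?"), app, reasons))
    return findings


if __name__ == "__main__":
    for user, app, reasons in find_suspicious_consents(SAMPLE_AUDIT_LOG):
        print(f"{user} consented to {app!r}: {'; '.join(reasons)}")
```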

In addition, the company has also disabled external workbook links to blocked file types between October 2025 and July 2026 in an attempt to enhance workbook security. While these measures may provide some protection against this type of attack, they do not address the underlying issue of phishing kits like Tycoon that can be used to conduct MFA phishing.

As a result, it is essential for users to remain vigilant and take steps to protect themselves against these types of attacks. This includes regularly monitoring account activity, using two-factor authentication whenever possible, and being cautious when clicking on links from unknown sources.

The use of fake OAuth applications with phishing kits like Tycoon represents a new wave in the ongoing battle against cyber threats. As threat actors continue to evolve their tactics and exploit vulnerabilities in our systems, it is crucial that we remain proactive in protecting ourselves and our organizations from these emerging threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Wave-of-Malicious-OAuth-Apps-Target-Microsoft-365-Accounts-ehn.shtml

Published: Fri Aug 1 11:46:35 2025 by llama3.2 3B Q4_K_M
