Phishing Campaign
Cybersecurity researchers have detailed a new cluster of activity where threat actors impersonate enterprises using fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks.
“The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign,” Proofpoint stated in a Thursday report.
The ongoing campaign, which first emerged in early 2025, aims to use the OAuth applications as a gateway to obtain unauthorized access to users’ Microsoft 365 accounts through phishing kits like Tycoon and ODx, which can conduct multi-factor authentication (MFA) phishing.
The enterprise security company observed this approach in email campaigns featuring more than 50 impersonated applications.
The attacks begin with phishing emails sent from compromised accounts, and they aim to trick recipients into clicking on URLs under the pretext of sharing requests for quotes (RFQ) or business contract agreements.
When victims click on these links, they are directed to a Microsoft OAuth page for an application named “iLSMART,” which asks them to grant permissions to view their basic profile and maintain continued access to the data they have been granted access to.
What makes this attack notable is the impersonation of ILSMart, a legitimate online marketplace for aviation, marine, and defense industries to buy and sell parts and repair services.
“The applications’ permissions would provide limited use to an attacker, but they serve to set up the next stage of the attack,” Proofpoint explained.
Regardless of whether the target accepts or denies the requested permissions, they are first redirected to a CAPTCHA page and then, once the verification completes, to a phony Microsoft account authentication page.
This fake Microsoft page employs adversary-in-the-middle (AitM) phishing techniques powered by the Tycoon Phishing-as-a-Service (PhaaS) platform to harvest the victim’s credentials and MFA codes.
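The consent prompt described above ("view their basic profile" and "maintain continued access to the data") corresponds to the standard Microsoft identity platform delegated scopes User.Read and offline_access. A defender's first detection opportunity is therefore the consent-grant event itself, before any credential is phished. The following triage script is an added example and is not code from Proofpoint or from the report; it assumes a simplified, constructed JSON-like shape for consent audit events (fields user, app_display_name, publisher_verified, consent_type, scopes) rather than the exact Entra ID audit log schema, and it flags unverified apps whose names mimic the brands named in the report, plus user-consented apps that hold a refresh-token scope.

```python
import re

# Brands the report says the fake OAuth apps impersonate.
IMPERSONATED_BRANDS = ["RingCentral", "SharePoint", "Adobe", "DocuSign", "ILSMart"]

# Scopes that let an app keep access after the user closes the browser
# (offline_access yields a refresh token). Standard Microsoft scope name.
REFRESH_SCOPES = {"offline_access"}


def normalize(name: str) -> str:
    """Lowercase and strip non-alphanumerics so 'iLSMART' and 'ILSMart' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def lookalike_brand(app_name: str, brands=IMPERSONATED_BRANDS):
    """Return the first brand whose normalized name appears inside the app's
    normalized display name, or None if the name resembles no listed brand."""
    n = normalize(app_name)
    for brand in brands:
        if normalize(brand) in n:
            return brand
    return None


def triage_consent(event: dict) -> list:
    """Return a list of human-readable reasons this consent event is suspicious
    (empty list means nothing in the event matched a rule)."""
    reasons = []
    brand = lookalike_brand(event["app_display_name"])
    # A brand-like name is only alarming when the publisher is not verified:
    # the real vendor's app would normally carry a verified publisher.
    if brand and not event.get("publisher_verified", False):
        reasons.append(f"unverified app name resembles brand '{brand}'")
    granted = set(event.get("scopes", []))
    if event.get("consent_type") == "User" and granted & REFRESH_SCOPES:
        reasons.append("user-consented app holds a refresh-token scope (offline_access)")
    return reasons


def triage(events: list) -> list:
    """Run triage over all events; return (app, user, reasons) for flagged ones only."""
    flagged = []
    for event in events:
        reasons = triage_consent(event)
        if reasons:
            flagged.append((event["app_display_name"], event["user"], reasons))
    return flagged


# Constructed sample events (not real log data). The first mirrors the chain in
# the report: an unverified app named "iLSMART" asking for User.Read + offline_access.
SAMPLE_EVENTS = [
    {"user": "alice@example.invalid", "app_display_name": "iLSMART",
     "publisher_verified": False, "consent_type": "User",
     "scopes": ["User.Read", "offline_access"]},
    {"user": "bob@example.invalid", "app_display_name": "Adobe Acrobat Sign",
     "publisher_verified": True, "consent_type": "User",
     "scopes": ["User.Read"]},
    {"user": "admin@example.invalid", "app_display_name": "Contoso Expense Bot",
     "publisher_verified": True, "consent_type": "Admin",
     "scopes": ["Files.Read"]},
]

if __name__ == "__main__":
    for app, user, reasons in triage(SAMPLE_EVENTS):
        print(f"{user} consented to '{app}': " + "; ".join(reasons))
```

In practice the event list would be pulled from the tenant's audit log (the "Consent to application" activity) and the brand list extended with the organization's own vendors; the normalization step is what catches case and punctuation variants such as the "iLSMART" spelling used in the campaign.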
Adobe too
As recently as last month, Proofpoint detected another campaign impersonating Adobe, where the emails are sent via Twilio SendGrid, an email marketing platform, and are engineered with the same goal: to gain user authorization or trigger a cancellation flow that redirects the victim to a phishing page.
This campaign represents just a drop in the bucket compared to overall Tycoon-related activity, with multiple clusters leveraging the toolkit to perform account takeover attacks. In 2025 alone, attackers attempted to compromise nearly 3,000 user accounts across more than 900 Microsoft 365 environments.
“Threat actors create increasingly innovative attack chains in an attempt to bypass detections and obtain access to organizations globally,” the company noted, adding that it “anticipates threat actors will increasingly target users’ identity, with AiTM credential phishing becoming the criminal industry standard.”
Microsoft Solution
As of last month, Microsoft announced plans to update default settings to improve security by blocking legacy authentication protocols and requiring admin consent for third-party app access. The updates should complete by August 2025.
“This update will positively impact the landscape overall and will hamstring threat actors that use this technique,” Proofpoint pointed out.
This disclosure follows Microsoft’s decision to disable external workbook links to blocked file types by default between October 2025 and July 2026 in an attempt to enhance workbook security.
The findings also come as spear-phishing emails bearing purported payment receipts deploy a piece of .NET malware called VIP Keylogger, which can steal sensitive data from compromised hosts, Seqrite reported.
Over several months, spam campaigns have concealed installation links to remote desktop software inside PDF files to bypass email and malware defenses. This campaign has likely been ongoing since November 2024, primarily targeting entities in France, Luxembourg, Belgium, and Germany.
“These PDFs often disguise themselves as invoices, contracts, or property listings to enhance credibility and lure victims into clicking the embedded link,” WithSecure explained. “This design creates the illusion of legitimate content that has been obscured, prompting the victim to install a program. In this case, the program was FleetDeck RMM.”
Other Remote Monitoring and Management (RMM) tools deployed as part of the activity cluster include Action1, OptiTune, Bluetrait, Syncro, SuperOps, Atera, and ScreenConnect.
“Although no post-infection payloads have been observed, the use of RMM tools strongly suggests their role as an initial access vector, potentially enabling further malicious activity,” the Finnish company added. “Ransomware operators, in particular, have favored this approach.”
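Because the PDFs in this cluster carry no exploit and only an embedded link, mail-gateway triage can focus on the link annotations themselves. The scanner below is an added example and is not code from WithSecure; it extracts /URI link actions from an uncompressed PDF with a regular expression (a real deployment would parse compressed object streams with a PDF library, which this example deliberately does not do) and flags links that end in an installer extension or that mention one of the RMM products named above. The embedded PDF bytes and host names are constructed for the example.

```python
import re

# RMM products named in the WithSecure findings, lowercased for matching.
RMM_KEYWORDS = ["fleetdeck", "action1", "optitune", "bluetrait",
                "syncro", "superops", "atera", "screenconnect"]

# Extensions that indicate a direct installer download rather than a web page.
INSTALLER_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg")

# Matches '/URI (...)' literal strings, allowing backslash-escaped parentheses.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return all URI link targets found in uncompressed PDF objects."""
    uris = []
    for raw in _URI_RE.findall(pdf_bytes):
        # Undo PDF literal-string escapes for parentheses and backslashes.
        text = raw.decode("latin-1").replace(r"\(", "(").replace(r"\)", ")").replace("\\\\", "\\")
        uris.append(text)
    return uris


def flag_uri(uri: str) -> list:
    """Return reasons a link target looks like an RMM installer lure."""
    reasons = []
    lowered = uri.lower()
    path = lowered.split("?", 1)[0]
    if path.endswith(INSTALLER_EXTENSIONS):
        reasons.append("link points directly at an installer file")
    hits = [k for k in RMM_KEYWORDS if k in lowered]
    if hits:
        reasons.append("link mentions RMM product(s): " + ", ".join(hits))
    return reasons


def scan_pdf(pdf_bytes: bytes) -> list:
    """Return (uri, reasons) for every link in the PDF that triggers a rule."""
    return [(u, r) for u in extract_uris(pdf_bytes) if (r := flag_uri(u))]


# Constructed minimal PDF (not a real sample): one page with two link annotations,
# one pointing at an RMM installer and one at an ordinary web page.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://files.example.invalid/invoice/FleetDeck-agent-setup.exe) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://www.example.invalid/terms) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for uri, reasons in scan_pdf(SAMPLE_PDF):
        print(uri)
        for reason in reasons:
            print("  -", reason)
```

The keyword list is intentionally narrow so that links to a vendor's documentation do not trip it on their own; the combination of an installer extension and an invoice-style path is the stronger signal, and an "invoice" or "contract" PDF whose only link is an executable download is worth quarantining regardless of which product it names.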
Source: TheHackerNews