Phishing campaign employs counterfeit Microsoft OAuth applications to circumvent multi-factor authentication
Proofpoint has identified a sophisticated phishing campaign that employs counterfeit Microsoft OAuth applications to bypass Multi-Factor Authentication (MFA) and illicitly access Microsoft 365 accounts. This campaign involves threat actors creating deceptive Microsoft OAuth applications that impersonate well-known brands such as Adobe, DocuSign, and SharePoint. These malicious applications are utilised in Attacker-in-the-Middle (AiTM) phishing attacks, primarily leveraging the Tycoon phishing kit to harvest user credentials and intercept MFA tokens. Researchers at Proofpoint have observed over 50 distinct impersonated applications and nearly 3,000 attempted compromises of Microsoft 365 accounts across more than 900 environments. The confirmed success rate for these attacks has exceeded 50% in 2025, highlighting the effectiveness of these tactics.
The attack method typically begins with phishing emails sent from compromised accounts, containing links to fraudulent OAuth consent pages. Users are encouraged to grant what appear to be routine permissions for familiar applications. Regardless of whether permissions are accepted or declined, users are redirected to a counterfeit Microsoft login page, often featuring the target organisation’s Entra ID branding. This fake login page is designed to harvest credentials and intercept MFA tokens using AiTM techniques, thereby granting attackers full access to Microsoft 365 accounts. The attacks are often highly tailored, with some campaigns specifically targeting industries such as aerospace and defence, using industry-specific language and impersonating services like ILSMart.
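The consent-grant step described above leaves a record that defenders can triage. The following is an added example (not Proofpoint's code nor part of the original report): a filter that flags OAuth consents to applications whose display name borrows one of the impersonated brand names but whose publisher is neither verified nor on the brand's own domain. The field names and the sample events are constructed assumptions standing in for an Entra ID audit-log export.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Brand names the report says the counterfeit applications impersonated.
IMPERSONATED_BRANDS = ("adobe", "docusign", "sharepoint", "ilsmart")


@dataclass
class ConsentEvent:
    """One consent-grant record. Field names are assumed, not a real log schema."""
    user: str
    app_display_name: str
    publisher_domain: str      # domain the app registration claims to belong to
    publisher_verified: bool   # publisher-verification flag (assumed field)


# Constructed sample events: one legitimate verified app, two lookalikes, one unrelated app.
SAMPLE_EVENTS = [
    ConsentEvent("alice@example.com", "Adobe Acrobat Sign", "adobe.com", True),
    ConsentEvent("bob@example.com", "DocuSign", "contoso-apps.example", False),
    ConsentEvent("carol@example.com", "SharePoint", "attacker-tenant.example", False),
    ConsentEvent("dave@example.com", "Expense Tracker", "finance.example", False),
]


def lookalike_brand(app_display_name: str) -> Optional[str]:
    """Return the impersonated brand if the display name contains one, else None."""
    lowered = app_display_name.lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in lowered:
            return brand
    return None


def is_suspicious_consent(event: ConsentEvent) -> bool:
    """A brand-named app is suspicious unless its publisher is verified or
    the publisher domain actually belongs to that brand (e.g. adobe.com)."""
    brand = lookalike_brand(event.app_display_name)
    if brand is None:
        return False
    publisher_matches_brand = event.publisher_domain.lower().startswith(brand)
    return not (event.publisher_verified or publisher_matches_brand)


def triage(events: List[ConsentEvent]) -> List[Tuple[str, str]]:
    """Return (user, app name) pairs that warrant review, in log order."""
    return [(e.user, e.app_display_name) for e in events if is_suspicious_consent(e)]


if __name__ == "__main__":
    for user, app in triage(SAMPLE_EVENTS):
        print(f"review consent: {user} -> {app}")
```

Because the report notes that victims are redirected to the fake login page whether they accept or decline, a flagged consent should prompt a check of that user's subsequent sign-ins, not only revocation of the grant.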
Categories: Phishing Campaigns, OAuth Impersonation, Multi-Factor Authentication Bypass
Tags: Phishing, Microsoft, OAuth, MFA, AiTM, Tycoon, Credentials, Impersonation, Attackers, Industries