
Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Proofpoint has uncovered a sophisticated phishing campaign utilizing fake Microsoft OAuth applications to bypass multifactor authentication and steal credentials. The threat actors impersonate various enterprise apps like RingCentral, SharePoint, Adobe, and DocuSign to lure victims. The attack chain involves OAuth app creation, redirects to malicious URLs, and the use of attacker-in-the-middle phishing kits, predominantly Tycoon. This technique has been observed in email campaigns with over 50 impersonated applications, targeting multiple industries. The campaign's goal is to gain access to Microsoft 365 accounts, potentially for information gathering, lateral movement, malware installation, or further phishing attacks.

OPENCTI LABELS:

phishing, credential theft, mfa bypass, microsoft 365, aitm, oauth, application impersonation, tycoon

