CyberWire Daily - Don’t trust that app!
Episode Date: January 3, 2026While our team is out on winter break, please enjoy this episode of Research Saturday. Today we are joined by Selena Larson, co-host of Only Malware in the Building and Staff ...Threat Researcher and Lead Intelligence Analysis and Strategy at Proofpoint, sharing their work on "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing." Proofpoint researchers have identified campaigns where threat actors use fake Microsoft OAuth apps to impersonate services like Adobe, DocuSign, and SharePoint, stealing credentials and bypassing MFA via attacker-in-the-middle phishing kits, mainly Tycoon. These attacks redirect users to fake Microsoft login pages to capture credentials, 2FA tokens, and session cookies, targeting nearly 3,000 Microsoft 365 accounts across 900 environments in 2025. Microsoft’s upcoming security changes and strengthened email, cloud, and web defenses, along with user education, are recommended to reduce these risks. The research can be found here: Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
Hello, everyone, and welcome to the Cyberwire Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
In this particular campaign, it was pretty interesting because the threat actors will impersonate
various fake Microsoft-O-Oath applications and ultimately lead to credential theft.
That's Selena Larson, staff threat researcher and lead for intelligence analysis.
and strategy at ProofPoint.
The research we're discussing today is titled
Microsoft OOath App Impersonation Campaign
leads to MFA fishing.
So sometimes we see Microsoft OOath
app impersonation trying to gain access
via the malicious app, various permissions and stuff.
But in this case, it was used more as a vehicle
to enable the credential fishing, which was pretty interesting.
Well, let's back up just a step. Can you describe for us what exactly we're talking about when we say MFA fishing?
Of course. So MFA fishing is multi-factor authentication fishing. So typically, historically, people will have a username and password to log into things.
And adding a layer of multifactor authentication could be anything from an SMS to a token that you have to a ubiqui or something like a physical token that you log in or even your fingerprint or your face ID, things like that.
So adding a multi-factor authentication to every login adds a layer of protection to organizations and to keep your information secure.
You should enable MFA everywhere on everything.
But because we as an information security ecosystem have gotten so much better at mandating
multifactor authentication and having that second factor to go along with our username and passwords,
threat actors have had to get pretty creative and come up with tools and resources to be able to bypass that.
So effectively what they're doing is not just stealing your username and password anymore,
but also your authentication token or whatever that additional login would be for getting into your account.
So there are a variety of ways that they do this,
but there are multi-factor authentication fish kits that are out there
that essentially provide threat actors with that easy way of bypassing the MFA
if it's a certain type of MFA and if your account has it.
So how easy is easy when someone gets one of these kits?
I mean, what are we talking about here in terms of forking MFA?
You're right.
I shouldn't say necessarily.
easy. So it really depends on the kit, the level of experience. There's also stuff that goes
into it too, which is actually being able to effectively conduct the fishing, right? So oftentimes
we'll see the threat actor who is using the fish kit might have really terrible and uncompelling
fishing wars. And so no one would actually ever click on them and engage with it and get to the
landing page to enable the authentication. But the kits themselves, essentially what they do is
you can, as a threat actor, basically impersonate the login page of whatever the email is that you're targeting.
And so most of these cases will impersonate Microsoft 365, right?
So it might use your actual logo.
So the landing page will look authentic.
The URL, of course, will be something that's totally inaccurate.
And if you, you know, took a look at the URL, you'd be able to say, wait, hold on.
This isn't necessarily the Microsoft login or my, you know, my sharepoint.
login. It's a weird domain that they're directing me to, but the actual landing page might
look authentic, and so it can convince people that it is a real site. Well, let's walk through
what a typical phishing email might look like. I mean, what did the victims receive and how does
that lead into the Oath flow? Yeah, so in this case, and in general, with fishing, and in particular
tycoon, I feel like very business-relevant content, right? For a lot of
lot of these very, very high volume credential fishing campaigns, they use things that will be
related to your business. So, for example, like an invoice or an HR theme or something like that.
And in the cases that we saw, we saw things impersonating requests for quotes, legitimate
business applications that would be used in the enterprise. We saw documents being shared,
things like that. So these email lores will pretend to be business relevant content and they're reaching
out to the target and it will say, oh, take a look at this, you know, see our quote list or
submit, you know, no quote, or read this document, review and sign this document. And in all cases,
it will be a URL in the email. Sometimes there will be an attachment that contains a URL,
but fundamentally what the threat actor is doing is they want you to click on something.
It's kind of interesting. So once you click on something, you'll get led to this Microsoft
OAuth page. So what this means is...
is it's a fake application that you can basically grant permissions to,
and it'll have, you know, we have permissions requested to be able to access your O365 environment, right?
And so these are, of course, like there are many useful and legitimate enterprise applications
that you would want to grant access and accept to your account.
So that flow might be something that people are used to already or if they've already granted, you know,
productivity apps or are apps that you use in your day-to-day.
And so essentially what it does is it shows this and says,
permission is requested and I'll say cancel or accept.
This is kind of where it gets a little bit interesting because if you click accept,
it will grant access to your account.
But it'll be very basic, view your profile, maintain access to data that you have
given it access to.
So it's not super, you know, there's not a lot that this particular app can do.
But even if you click cancel, so it doesn't matter if you click cancel or accept.
If you do click accept, it does add those permissions.
But even if you click cancel, either way, you'll be redirected to a, basically a landing page that will have those, it will redirect you to this CAPTCHA.
And if the CAPTCHA is solved, it'll go to this Microsoft authentication page.
So you'll be asked to enter your username, your password, verify your identity, and that's where the MFA credential.
comes in. So even if you don't grant access but click cancel, you'll still be redirected to the landing
page to steal your credentials. And that's a fake Microsoft login page, right? Yes, it's totally
fake. It's created by the threat afters. And, you know, like I said earlier, the URL of these pages
will look fake. It'll look illegitimate. So even though the landing page is very compelling,
if you have, you know, if you think about your security training and you're letting your
users know, you know, always make sure to validate the URL in which you're visiting, whether
that's hovering over the link before it's clicked or taking a look in the actual search bar,
the browser bars to see, okay, where am I right now? You could tell, you know, it's something
that's malicious. So your research references of this attacker in the middle technique in the
tycoon fishing kit, how does that go about capturing the MFA tokens and session cookies? Yeah.
So essentially, it's an adversary in the middle fishing kit.
So it's mostly used to target Microsoft 365 as well as Gmail.
So they essentially try to use cookies to circumvent MFA access controls.
But basically what they're doing is there, in many cases like you have with MFA fishing kits,
there will be like a reverse proxy or there will be a way for them to collect in real time,
the username password and the authentication tokens.
And they'll be able to collect a lot of information about the person who is putting it
that information. And so in that case, they're essentially able to bypass those restrictions
or get around the MFA because they can just use your token to log into the account itself.
So essentially, in real time or sometimes close to real time, being able to log in and
access that information.
We'll be right back.
How widespread do you all suppose this campaign is?
So this particular campaign, I wouldn't say it's really tremendously popular.
We do see a lot of Tycoon in general, and oftentimes those can be tens of thousands of emails per campaign.
So Tycoon could get very high volume.
But in this case, we were actually able to take a look at the actual cloud tenant impacts based off of our own visibility.
and we saw more than two dozen malicious applications
that had this very similar characteristics.
So they all shared this consistent pattern
in the reply URLs commonly requested this benign O-O-Oath.
So we saw things like Adobe or DocuSign.
There was some other business-relevant content
like ILS-smarts, sort of aviation company.
So a lot vary from like very popular enterprise applications
to sort of smaller and a little bit more targeted
that you would just kind of use in specific businesses.
But we did see more than two dozen of these malicious applications
throughout 2025 so far.
And so it's really interesting.
You know, we're seeing that they're doing a lot of these different impersonations.
But in terms of the volume, I wouldn't necessarily say it's like,
it's really high volume because that's not a ton of malicious apps.
And Tycoon, in terms of just the fishing kit itself,
is pretty high volume in general.
So is my understanding correct that despite the widespread exposure that you all saw,
there were only a handful of successful account takeovers?
Why do you think the success rate was so low?
Well, I think it really depends in many cases on the social engineering.
So I think that regardless of whether it's an MFA account takeover,
or whether it's malware delivery or whether it's a web inject or even a business email compromise
where you're sending money to a specific individual, I think in many cases, the social engineering
has a lot to do with the effectiveness of the actual campaign. And so I think that oftentimes what we
see are really interesting attack teams, but maybe not the most effective email lures. Whether that's,
you know, they look like they're coming from a really sketchy place
or users are a little bit more inclined to double check
and look at the URL in the search bar
or, you know, before they click on something to validate it.
Of course, in our case, you know, we blocked the activity.
So from the perspective of us seeing it,
that's why it wouldn't necessarily be successful.
But in general, I think that a lot of times, you know,
sometimes an attack can be a very clever chain in particular,
but if the social engineering just isn't there,
it's not going to be a very effective method of infection.
And we've seen a lot of sort of unique social engineering.
In the cases of these apps, some were pretty effective.
I think, you know, the one that actually impersonated a,
impersonated like a legitimate small business with a little bit more request for quote.
I thought that that was like a little bit better than kind of like generic review your documents.
So, you know, I think a lot of it depends on some of the delivery.
But yeah, so it's, yeah, it's kind of interesting to see the evolution of some of the social engineering that we've seen.
While we do oftentimes see a lot of the sort of like business relevant content used in lures and sometimes it can be very effective.
Sometimes I'm just like, do you really think that anyone's going to click on this email?
Right, right, right.
So it really varies.
It's like the lure itself is a test, you know, because if you're, you're, you're, you're, you're, you're, you're, you're.
You, yeah, yeah, it's, well, I mean, I suppose I don't want to, at the risk of being overly optimistic, I guess it's a good thing that it's harder for these folks to get away with things, that from the user point of view, perhaps people are getting a little more savvy.
Yeah, I mean, I think so. So ultimately, too, when it comes down to MFA fishing and why it's so popular right now, that is because it's a direct response to people implementing MFA everywhere.
every time we see an innovation in the attacker ecosystem,
it's typically because we saw innovation from defenders.
And we have seen broader and better security measures in place
that require threat actors to develop innovations
and try any things to get around some of that stuff.
And so part of the reason why MFA is so effective right now
and is so popular right now, MFA fishing,
is because of, well, we have to get around this,
we have to figure out how to target this identity.
And I think that that's part of the overall landscape in general, too.
And I mean, Dave, we've talked about this previously,
where you see a lot of these major botnets,
a lot of this very popular malware.
It's just not sort of disappeared.
And what we've seen as the rise of information stealers,
we've seen the rise of MFA fishing.
We've seen the targeting identity trying to get into cloud tenants,
the sort of pivot away from sort of very high volume botnets
and loader malware delivery to some other things that are a little.
a little bit more targeting individuals and their identity and their access into the enterprise.
And so I think that this is part of it.
I did also, too, want to highlight that Microsoft actually announced back in June that
it's updating its default settings in Microsoft 365 to block legacy authentication protocols
and require admin consent for third-party app access.
So that's when we talk about, you know, Oath gaining, approving application access to your
environment, restricting that a little bit better, what is obviously important and can be.
push back against some of those adversaries
that are using off apps as well.
Yeah. What are your recommendations then?
What should organizations be doing
to best protect themselves here?
Yeah. So, you know, I think,
obviously, you know,
email security, having robust email security,
I think user training is very important here as well.
You know, letting people know
this is what you're going to be seeing.
And I think when it comes to user training
and user education,
basing it on what is actually observed
in the threat land.
is super important, not just like, you know, oh, this is a, this is a free McDonald's or something
like that, right?
Like, I mean, sometimes that's, that is what happens.
But oftentimes, you know, we really want to see that we're tailoring, user training and
information that we're sharing with our organization to what's actually in the, in the ecosystem.
And that's why, you know, threat intelligence is so important to you supporting security training
practices.
But of course, you know, having a cloud security to be able to identify account takeover in the case
of effectiveness.
And certainly, you know, with like when it comes to actually web security,
so potentially like being able to isolate those potentially malicious sessions
and those URL.
So if you do, you know, if you do have a user that does click on that or fall for it,
you know, it's able to be isolated in such a way or, you know,
not being able to sort of bypass some existing security protections
and not being able to actually visit those malicious links is super effective as well.
And then, of course, when it comes to actual MFA bypass,
having phytobase physical security keys.
So something like a UBiki, anything else that is, you know, a physical token,
not just having SMS, MFA, or an application or something like that,
making sure that you are having those physical security keys can definitely add a layer of frustration
and issues for, you know, threat actors that are trying to sort of steal the additional authentication
or session cookies that you can basically by putting in your SMS token or something like that.
Right. Anything you can do so that you're not the low-hanging fruit.
Yes, exactly.
Our thanks to Selena Larson from ProofPoint for joining us.
The research is titled Microsoft Oath App Impersonation Campaign leads to MFA.
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Ibin.
Peter Kilby is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.