CyberWire Daily - Don’t trust that app! [Research Saturday]

Episode Date: September 6, 2025

Today we are joined by Selena Larson, co-host of Only Malware in the Building and Staff Threat Researcher and Lead, Intelligence Analysis and Strategy at Proofpoint, sharing their work on "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing." Proofpoint researchers have identified campaigns where threat actors use fake Microsoft OAuth apps to impersonate services like Adobe, DocuSign, and SharePoint, stealing credentials and bypassing MFA via attacker-in-the-middle phishing kits, mainly Tycoon. These attacks redirect users to fake Microsoft login pages to capture credentials, 2FA tokens, and session cookies, targeting nearly 3,000 Microsoft 365 accounts across 900 environments in 2025. Microsoft's upcoming security changes and strengthened email, cloud, and web defenses, along with user education, are recommended to reduce these risks. The research can be found here: Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing
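As an added example (not Proofpoint's code and not an artifact from the campaign), the following Python triages an inventory of consented OAuth apps for the pattern the summary describes: a display name that borrows a vendor brand, reply URLs on domains that vendor does not own, and, for the redirect-to-phish variant, only low-privilege scopes (User.Read and offline_access render on the consent screen as "View your basic profile" and "Maintain access to data you have given it access to"). The record field names and the brand-to-domain map are assumptions for this example, and the sample records are constructed. One caveat worth keying on: the authorization endpoint sends the browser to the app's registered reply URL whether the user clicks Accept or Cancel (a cancel arrives as an error=access_denied redirect), so the reply URL, not the permissions granted, is the signal to triage.

```python
"""
Triage consented OAuth apps for brand impersonation with off-brand reply URLs.

Added example, not Proofpoint's code or tooling. Records are shaped loosely
like an admin's export of app registrations / service principals; the field
names (appId, displayName, replyUrls, scopes) are an assumption, not a
Microsoft Graph schema.
"""
from urllib.parse import urlparse

# Brands the campaign impersonated per the research summary, mapped to the
# registrable domains a genuine app from that vendor would redirect to.
# This map is an assumption for the example; maintain it from your own allowlist.
BRAND_DOMAINS = {
    "adobe": {"adobe.com", "adobesign.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "sharepoint": {"sharepoint.com", "microsoft.com", "office.com"},
}

# Delegated permissions that show as "View your basic profile" and
# "Maintain access to data you have given it access to" on the consent prompt.
LOW_PRIV_SCOPES = {"user.read", "offline_access"}

# Constructed sample inventory (not real app IDs or domains).
SAMPLE_APPS = [
    {"appId": "app-1", "displayName": "DocuSign Document Viewer",
     "replyUrls": ["https://docs-review.example/callback"],
     "scopes": ["User.Read", "offline_access"]},
    {"appId": "app-2", "displayName": "Adobe Acrobat Sign",
     "replyUrls": ["https://secure.adobesign.com/oauth"],
     "scopes": ["User.Read", "offline_access"]},
    {"appId": "app-3", "displayName": "Contoso Expense Tool",
     "replyUrls": ["https://expenses.contoso.example/cb"],
     "scopes": ["Files.ReadWrite"]},
    {"appId": "app-4", "displayName": "SharePoint Sync",
     "replyUrls": ["https://share-point-login.example/redirect",
                   "https://contoso.sharepoint.com/cb"],
     "scopes": ["Mail.Read", "User.Read"]},
]


def registrable_domain(url):
    """Return the last two host labels of a URL, e.g. a.b.example.com -> example.com."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def impersonated_brand(display_name):
    """Return the brand keyword found in the display name, or None."""
    name = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in name:
            return brand
    return None


def triage(apps):
    """Return (appId, reason) tuples for apps whose name borrows a brand but whose
    reply URLs point at domains outside that brand's allowlist."""
    findings = []
    for app in apps:
        brand = impersonated_brand(app["displayName"])
        if brand is None:
            continue
        off_brand = [u for u in app["replyUrls"]
                     if registrable_domain(u) not in BRAND_DOMAINS[brand]]
        if not off_brand:
            continue
        scopes = {s.lower() for s in app["scopes"]}
        reason = f"name impersonates {brand}; reply URL(s) on other domains: {off_brand}"
        if scopes <= LOW_PRIV_SCOPES:
            reason += "; only low-privilege scopes, consistent with a redirect-to-phish app"
        findings.append((app["appId"], reason))
    return findings


if __name__ == "__main__":
    for app_id, reason in triage(SAMPLE_APPS):
        print(f"{app_id}: {reason}")
```

Run against a real export, the same logic applies per record; the only tuning is the brand map, which should list every redirect domain your vendors legitimately use so that an app like app-2 above is not flagged.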

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. When you're with Amex Platinum, you get access to exclusive dining experiences and an annual travel credit.
Starting point is 00:01:03 So the best tapas in town might be in a new town altogether. That's the powerful backing of Amex. Terms and conditions apply. Learn more at amex.ca slash y-Amex. Welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
Starting point is 00:01:37 tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. In this particular campaign, it was pretty interesting because the threat actors will impersonate various fake Microsoft OAuth applications and ultimately lead to credential theft. That's Selena Larson, staff threat researcher and lead for intelligence analysis and strategy at Proofpoint. The research we're discussing today is titled Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing.
Starting point is 00:02:26 So sometimes we see Microsoft OAuth app impersonation, trying to gain access via the malicious app, various permissions and stuff. But in this case, it was used more as a vehicle to enable the credential phishing, which was pretty interesting. Well, let's back up just a step. Can you describe for us what exactly we're talking about when we say MFA phishing? Of course. So MFA phishing is multi-factor authentication phishing. So typically, historically, people will have a username and password to log into things. And adding a layer of multi-factor authentication could be anything from an SMS to a token that you have, to a YubiKey or something like a physical token that you log in with, or even your fingerprint or your Face ID, things like that. So adding multi-factor authentication to every login adds a layer of protection to organizations and keeps your information secure.
Starting point is 00:03:19 You should enable MFA everywhere on everything. But because we as an information security ecosystem have gotten so much better at mandating multi-factor authentication and having that second factor to go along with our username and passwords, threat actors have had to get pretty creative and come up with tools and resources to be able to bypass that. So effectively what they're doing is not just stealing your username and password anymore, but also your authentication token or whatever that additional login would be for getting into your account.
Starting point is 00:03:50 So there are a variety of ways that they do this, but there are multi-factor authentication phish kits that are out there that essentially provide threat actors with that easy way of bypassing the MFA if it's a certain type of MFA and if your account has it. So how easy is easy? When someone gets one of these kits, I mean, what are we talking about here in terms of forking MFA? You're right.
Starting point is 00:04:19 I shouldn't say necessarily easy. So it really depends on the kit, the level of experience. There's also stuff that goes into it too, which is actually being able to effectively conduct the phishing, right? So oftentimes we'll see the threat actor who is using the phish kit might have really terrible and uncompelling phishing lures. And so no one would actually ever click on them and engage with it and get to the landing page
Starting point is 00:04:42 to enable the authentication. But the kits themselves, essentially what they do is you can, as a threat actor, basically impersonate a login page of whatever the email is that you're targeting. And so most of these cases will impersonate Microsoft 365, right? So it might use your actual logo. So the landing page will look authentic. The URL, of course, will be something that's totally inaccurate. And if you, you know, took a look at the URL, you'd be able to say, wait, hold on, this isn't necessarily the Microsoft login or my, you know, my SharePoint login. It's a weird domain that they're
Starting point is 00:05:20 directing me to, but the actual landing page might look authentic, and so it can convince people that it is a real site. Well, let's walk through what a typical phishing email might look like. I mean, what did the victims receive, and how does that lead into the OAuth flow? Yeah, so in this case, and in general, with phishing, and in particular Tycoon, I feel like very business-relevant content, right, for a lot of these very, very high volume credential phishing campaigns. They use things that will be related to your business. So, for example, like an invoice or HR theme or something like that. And in the cases that we saw, we saw things
Starting point is 00:06:02 impersonating requests for quotes, legitimate business applications that would be used in the enterprise. We saw documents being shared, things like that. So these email lures will pretend to be business-relevant content and they're reaching out to the target and it will say, oh, take a look at this, you know, see our quote list or submit, you know, a quote, or read this document, review and sign this document. And in all cases, it will be a URL in the email. Sometimes there will be an attachment that contains a URL, but fundamentally what the threat actor is doing is they want you to click on something. It's kind of interesting. So once you click on something, you'll get led to this Microsoft OAuth page. So what this means is it's a fake application
Starting point is 00:06:47 that you can basically grant permissions to and it'll have, you know, we have permissions requested to be able to access your O365 environment, right? And so these are, of course, there are many useful and legitimate enterprise applications that you would want to grant access and accept to your account.
Starting point is 00:07:08 So that flow might be something that people are used to already, or if they've already granted, you know, productivity apps or apps that you use in your day-to-day. And so essentially what it does is it shows this and says permission is requested and it'll say cancel or accept. This is kind of where it gets a little bit interesting because if you click accept, it will grant access to your account. But it'll be very basic, view your profile, maintain access to data that you have given it access to. So it's not super, you know, there's not a lot that this particular app can do. But even if you click cancel, so it doesn't matter if you click cancel
Starting point is 00:07:46 or accept. If you do click accept, it does add those permissions. But even if you click cancel, either way, you'll be redirected to, basically, a landing page; it will redirect you to this CAPTCHA. And if the CAPTCHA is solved, it'll go to this Microsoft authentication page. So you'll be asked to enter your username, your password, verify your identity, and that's where the MFA credential capture comes in. So even if you don't grant access, but click cancel, you'll still be redirected to the landing page to steal your credentials. And that's a fake Microsoft login page, right? Yes, it's totally fake.
Starting point is 00:08:24 It's created by the threat actors. And, you know, like I said earlier, the URL of these pages will look fake. It'll look illegitimate. So even though the landing page is very compelling, if you have, you know, if you think about your security training and you're letting your users know, always make sure to validate the URL you're visiting, whether that's hovering over the link before it's clicked, or taking a look in the actual search bar, the browser bar, to see,
Starting point is 00:08:52 okay, where am I right now? You could tell, you know, it's something that's malicious. So your research references this attacker-in-the-middle technique in the Tycoon phishing kit. How does that go about capturing the MFA tokens and session cookies?
Starting point is 00:09:09 Yeah, so essentially it's an adversary-in-the-middle phishing kit. So it's mostly used to target Microsoft 365, as well as Gmail. So they essentially try to use cookies to circumvent MFA access controls. But basically what they're doing is, in many cases like you have with MFA phishing kits,
Starting point is 00:09:28 there will be like a reverse proxy, or there will be a way for them to collect in real time the username, password and the authentication tokens, and they'll be able to collect a lot of information about the person who is putting in that information. And so in that case, they're essentially able to bypass those restrictions or get around the MFA
Starting point is 00:09:48 because they can just use your token to log into the account itself. So essentially, in real time or sometimes close to real time, being able to log in and access that information. We'll be right back. At Thales, they know
Starting point is 00:10:13 cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber. And now a word from our sponsor, ThreatLocker,
Starting point is 00:11:02 the powerful zero-trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Starting point is 00:11:36 How widespread do you all suppose this campaign is? So this particular campaign, I wouldn't say it's really tremendously popular. We do see a lot of Tycoon in general, and oftentimes those can be tens of thousands of emails per campaign. So Tycoon does, could get very high volume. But in this case, we were actually able to take a look at the actual cloud tenant impacts based off of our own visibility. And we saw more than two dozen malicious applications that had these very similar characteristics. So they all shared this consistent pattern. And the reply URLs commonly requested this benign OAuth. So we saw things like Adobe or DocuSign.
Starting point is 00:12:19 There was some other business-relevant content like ILSmart, sort of an aviation company. So a lot varied from very popular enterprise applications to sort of smaller and a little bit more targeted ones that you would just kind of use in specific businesses. But we did see more than two dozen of these malicious applications throughout 2025 so far. And so it's really interesting. You know, we're seeing that they're doing a lot of these different impersonations. But in terms of the volume, I wouldn't necessarily say it's like it's really high volume because that's not a ton of malicious apps. And Tycoon in terms of just the phishing kit itself is pretty high volume in general. So is my understanding correct that despite the widespread exposure that you all
Starting point is 00:13:13 saw, there were only a handful of successful account takeovers. Why do you think the success rate was so low? Well, I think it really depends in many cases on the social engineering. So I think that regardless of whether it's an MFA account takeover or whether it's malware delivery or whether it's a web inject or even a business email compromise where you're sending money to a specific individual, I think in many cases the social engineering has a lot to do with the effectiveness of the actual campaign. And so I think that oftentimes what we see are really interesting attack chains, but maybe not the most effective email lures,
Starting point is 00:13:54 whether that's, you know, they look like they're coming from a really sketchy place or users are a little bit more inclined to double check and look at the URL in the search bar or, you know, before they click on something to validate it. Of course, in our case, you know, we blocked the activity, so from the perspective of us seeing it, that's why it wouldn't necessarily be successful. But in general, I think that a lot of times, you know, sometimes an attack can be a very clever chain in particular,
Starting point is 00:14:24 but if the social engineering just isn't there, it's not going to be a very effective method of infection. And we've seen a lot of sort of unique social engineering. In the cases of these apps, some were pretty effective. I think, you know, the one that actually impersonated a legitimate small business with a little bit more of a request-for-quote theme, I thought that was a little bit better than kind of like generic review-your-documents. So, you know, I think a lot of it depends on some of the delivery. But yeah, so it's, yeah, it's kind of interesting to see the
Starting point is 00:15:04 evolution of some of the social engineering that we've seen. While we do oftentimes see a lot of the sort of business relevant content used in lures, and sometimes it can be very effective. Sometimes I'm just like, do you really think that anyone's going to click on this email? Right, right, right. It's like the lure itself is a test, you know? Right. Yeah, yeah, it's, well, I mean, I suppose I don't want to, at the risk of being overly optimistic, I guess it's a good thing that it's harder for these folks to get away with things,
Starting point is 00:15:37 that from the user point of view, perhaps, people are getting a little more savvy. Yeah, I mean, I think so. So ultimately, too, when it comes down to MFA phishing and why it's so popular right now, that is because it's a direct response to people implementing MFA everywhere. Every time we see an innovation in the attacker ecosystem, it's typically because we saw innovation from defenders. And we have seen broader and better security measures in place that require threat actors
Starting point is 00:16:05 to develop innovations and try new things to get around some of that stuff. So part of the reason why MFA is so effective right now and is so popular right now, MFA phishing, is because of, well, we have to get around this. We have to figure out how to target this identity. And I think that that's part of the overall landscape in general, too. And I mean, Dave, we've talked about this previously where you see a lot of these major botnets, a lot of this very popular malware. It's just sort of disappeared. And what we've seen is the rise of information stealers, we've seen the rise of MFA phishing. We've seen the targeting of identity, trying to get into cloud tenants,
Starting point is 00:16:41 the sort of pivot away from sort of very high volume botnets and loader malware delivery to some other things that are a little bit more targeting individuals and their identity and their access into the enterprise. And so I think that this is part of it. I did also, too, want to highlight that Microsoft actually announced back in June that it's updating its default settings in Microsoft 365 to block legacy authentication protocols and require admin consent for third-party app access. So that's when we talk about, you know, OAuth gaining, approving application access to your environment, restricting that a little bit better, which is obviously important and can be, you know,
Starting point is 00:17:21 push back against some of those adversaries that are using OAuth apps as well. Yeah. What are your recommendations then? What should organizations be doing to best protect themselves here? Yeah. So, you know, I think, obviously, you know, email defenses and having robust email defenses,
Starting point is 00:17:37 I think user training is very important here as well, you know, letting people know this is what you're going to be seeing. And I think when it comes to user training and user education, basing it on what is actually observed in the threat landscape is super important, not just like, you know, oh, this is a, this is a free McDonald's or something like that, right? Like, I mean, sometimes that's, that is what happens. But oftentimes, you know, we really want to, to see that we're tailoring, user training and information that we're sharing with our organization to what's actually in the ecosystem. And that's why, you know, threat intelligence is so important to supporting security training practices. But of course, you know, having a cloud
Starting point is 00:18:17 security to be able to identify account takeover in the case of effectiveness. I'm certainly, you know, with like when it comes to actually web security. So potentially like being able to isolate those potentially malicious sessions and those URLs. So if you do, you know, if you do have a user that does click on that or fall for it, you know, it's able to be isolated in such a way, or not being able to sort of bypass some existing security protections and not being able to actually visit those malicious links is super effective as well. And then, of course, when it comes to actual MFA bypass,
Starting point is 00:18:49 having FIDO-based physical security keys. So something like a YubiKey, anything else that is a physical token, not just having SMS MFA, or an application or something like that, making sure that you are having those physical security keys can definitely add a layer of frustration and issues for, you know, threat actors that are trying to sort of steal the additional authentication or session cookies that you can basically by putting in your SMS token or something like that. Right. Anything you can do so that you're not the low-hanging fruit.
Starting point is 00:19:25 Yes, exactly. Our thanks to Selena Larson from Proofpoint for joining us. The research is titled Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing. We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast
Starting point is 00:20:05 app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
