Sophisticated cyber adversaries have shifted tactics in recent months, exploiting fake Microsoft OAuth applications in tandem with advanced phishing toolkits such as Tycoon and ODx to compromise Microsoft 365 accounts worldwide. These attacks, tracked by researchers and security vendors including Proofpoint, reflect an evolving threat landscape where adversaries increasingly target users’ digital identities and seek to bypass even robust security protocols like multi-factor authentication (MFA).
The Anatomy of the Attack: OAuth Abuse and Enterprise Impersonation
At the core of the latest wave of account takeover attempts is the abuse of Microsoft’s OAuth framework. OAuth is designed to facilitate secure third-party application access to user accounts without exposing passwords. Instead, it relies on user-granted permissions, managed through consent screens that many enterprise users have come to trust. This inherent trust is what attackers have weaponized.
Adversaries begin their campaign by crafting phishing emails designed to replicate legitimate business correspondence—often masquerading as requests for quotes (RFQs) or contract negotiations. These emails are delivered through compromised accounts, a tactic that likely aids both in bypassing antispam filters and establishing credibility with the target. Embedded URLs point victims toward Microsoft OAuth consent screens for apparently legitimate applications, complete with familiar branding. For instance, application names such as “iLSMART,” which mimic a legitimate marketplace for the aviation and defense industries, or brands like RingCentral, SharePoint, Adobe, and DocuSign are used to lull victims into a false sense of security.
Analysts from Proofpoint observed over 50 such fake applications in active phishing campaigns since early 2025. These applications typically seek permissions to “view basic profile” or “maintain access to data you have given it access to”—requests which, on the surface, appear innocuous but enable powerful downstream attacks.
A notable twist with these campaigns is the multi-stage phishing process. Whether victims accept or deny the OAuth permissions, they're redirected to a CAPTCHA interstitial page followed by a fraudulent Microsoft 365 login page. This page isn’t just a convincing replica: it's powered by Adversary-in-the-Middle (AiTM) phishing capabilities provided by the Tycoon Phishing-as-a-Service (PhaaS) platform. The technique allows attackers to capture both login credentials and one-time MFA tokens, enabling full account takeover even in organizations that mandate two-factor authentication.
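The consent-phishing pattern described above (user-granted consent to a brand-mimicking third-party app asking only for "view basic profile" and "maintain access", which correspond to the User.Read and offline_access scopes) can be triaged from a tenant's consent-grant records. The following is an added example, not code from the article, Proofpoint or Microsoft; the record shape, the tenant-ID placeholders and the scoring weights are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Brands the article reports being mimicked by fake OAuth apps.
IMPERSONATED_BRANDS = ("ilsmart", "ringcentral", "sharepoint", "adobe", "docusign")
# Constructed placeholders: your own tenant, and tenants known to own a brand's real apps.
OWN_TENANT = "TENANT-ID-PLACEHOLDER-OWN"
KNOWN_BRAND_TENANTS = {"adobe": "TENANT-ID-PLACEHOLDER-ADOBE"}
REVIEW_THRESHOLD = 4  # assumed scoring cut-off; tune to your tenant

@dataclass
class ConsentGrant:
    """Simplified consent-grant record (field shape assumed, not the audit log's own)."""
    app_display_name: str
    app_owner_tenant: str
    publisher_verified: bool
    consent_type: str   # "User" (end-user consent) or "Admin"
    scopes: str         # space-separated delegated scopes, e.g. "User.Read offline_access"
    granted_by: str

def _normalize(name: str) -> str:
    # Fold case and punctuation so "Docu-Sign Inc." still matches "docusign".
    return re.sub(r"[^a-z0-9]", "", name.lower())

def score_grant(g: ConsentGrant) -> tuple[int, list[str]]:
    """Score one grant against the consent-phishing traits described in the article."""
    score, reasons = 0, []
    if g.consent_type == "User":
        score += 1
        reasons.append("granted by an end user without admin approval")
    if g.app_owner_tenant != OWN_TENANT and not g.publisher_verified:
        score += 2
        reasons.append("third-party app from an unverified publisher")
    name = _normalize(g.app_display_name)
    for brand in IMPERSONATED_BRANDS:
        if brand in name and KNOWN_BRAND_TENANTS.get(brand) != g.app_owner_tenant:
            score += 3
            reasons.append(f"name mimics '{brand}' but the app is not owned by that brand's tenant")
            break
    if "offline_access" in g.scopes.split():
        # This is the scope behind "maintain access to data you have given it access to":
        # it yields a refresh token, so access outlives the phishing session.
        score += 1
        reasons.append("offline_access requested (persistent refresh-token access)")
    return score, reasons

def triage(grants: list[ConsentGrant]) -> list[dict]:
    """Return the grants whose score reaches the review threshold, with their reasons."""
    flagged = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= REVIEW_THRESHOLD:
            flagged.append({"app": g.app_display_name, "user": g.granted_by,
                            "score": score, "reasons": reasons})
    return flagged

# Constructed sample grants: one fake "iLSMART" app, one genuine vendor app, one internal app.
SAMPLE_GRANTS = [
    ConsentGrant("iLSMART", "TENANT-ID-PLACEHOLDER-ATTACKER", False, "User",
                 "User.Read offline_access", "jdoe@example.com"),
    ConsentGrant("Adobe Acrobat Sign", "TENANT-ID-PLACEHOLDER-ADOBE", True, "Admin",
                 "User.Read offline_access Files.Read", "admin@example.com"),
    ConsentGrant("Contoso Expense Tracker", OWN_TENANT, False, "User",
                 "User.Read", "mlee@example.com"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_GRANTS):
        print(f"REVIEW {hit['app']} (score {hit['score']}) granted by {hit['user']}")
        for r in hit["reasons"]:
            print("   -", r)
```

Only the fake "iLSMART" grant crosses the threshold; the verified vendor app and the internal app score low because brand ownership and publisher status are checked, not just the scope list.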
Tycoon Phishing-as-a-Service and the Rise of MFA Bypassing Kits
The Tycoon phishing kit exemplifies a broader trend: cybercrime commoditization. Phishing-as-a-Service operations drastically lower the technical barrier to entry, enabling even less skilled threat actors to conduct high-impact attacks with minimal customization. Tycoon, in particular, is equipped with robust AiTM mechanisms designed to intercept not only user credentials but also real-time tokens, which are critical for bypassing MFA protections.
This kit has witnessed adoption in multiple unrelated attack clusters and is not limited solely to Microsoft 365 phishing. Variants have been observed targeting other cloud platforms and business collaboration suites, leveraging similar consent phishing and AiTM strategies. Proofpoint, in its 2025 report, highlighted nearly 3,000 attempted account takeovers spanning over 900 unique Microsoft 365 environments within a matter of months—a figure cross-referenced by incident response teams across the sector. While Tycoon-related activities are only a slice of the global phishing ecosystem, their effectiveness and evolution signal broader systemic risks.
Email Delivery Tactics: Exploiting Trusted Infrastructure
Adversaries are increasingly leveraging reputable email delivery and marketing services—such as Twilio SendGrid—to distribute their phishing lures. This method makes emails appear legitimate and helps attackers sidestep domain-based anti-phishing controls.
For example, Proofpoint recently observed a campaign impersonating Adobe, where phishing emails were distributed from SendGrid domains and engineered with authorization prompts or cancellation flows intended to trick users into granting OAuth access, or else directing them to phishing credential capture pages.
Such attacks highlight a key strength of threat actors: their adaptive use of enterprise infrastructure to increase the believability and authenticity of unsolicited messages. This pivot represents a significant challenge for defenders, as legitimate and malicious emails can be virtually indistinguishable to even the most discerning users.
Remote Monitoring and Management Tools as First-Stage Implants
In parallel with OAuth abuse, attack clusters are deploying commercial Remote Monitoring and Management (RMM) tools to establish initial persistent access. Campaigns monitored by Finnish cybersecurity firm WithSecure have detailed the use of PDF attachments masquerading as invoices, contracts, or property listings. These attachments contain links to download RMM tools such as FleetDeck RMM, Action1, OptiTune, Bluetrait, Syncro, SuperOps, Atera, and ScreenConnect—all legitimate tools often used by IT departments for remote support.
The threat here is insidious: no malware payload is delivered in the traditional sense, making detection by endpoint security difficult. Once installed, the RMM tools provide full remote control over the victim’s machine. Notably, ransomware operators have embraced this method for its stealth and effectiveness. The apparently benign nature of these utilities allows attackers to maintain access, evade perimeter defenses, and prepare for subsequent malicious activities, including lateral movement and data exfiltration.
Evolution of Credential Phishing and MFA-Phishing-as-a-Service
The operation of AiTM phishing platforms like Tycoon coincides with a marked shift in phishing methodology. Instead of simply harvesting credentials, attackers now routinely collect MFA tokens in real time, circumventing one of the most widely recommended defenses against account compromise.
Credential phishing lures, now frequently embedded in sophisticated workflows, range from contract negotiations to fake payment receipts. These are further obfuscated by CAPTCHAs and CAPTCHA-like challenges intended to bypass automated security analysis and sandboxes.
Moreover, multi-stage redirection flows ensure the victim’s browser is guided through a series of convincing steps, each engineered to reinforce the authenticity of the overall experience. Finally, AiTM proxies capture the inputted credentials and tokens as the victim unwittingly authenticates “through” the attacker. This approach not only enables initial account access but can also pave the way for business email compromise, fraud, and long-term lateral movement within target organizations.
Defensive Shifts and Microsoft’s Response
Microsoft, acutely aware of the growing abuse of OAuth and legacy authentication protocols, has announced several policy changes aimed at raising the security baseline for its cloud ecosystem. Notably, by August 2025, default tenant behaviors will be updated to block legacy authentication methods and mandate administrator consent for most third-party application requests. Independent verification of this policy shift underscores its significance: by closing loopholes in OAuth consent flows and eliminating risky legacy protocols, Microsoft seeks to hamstring a broad class of account takeover vectors.
Complementing this initiative, Microsoft has also moved to disable external workbook links to blocked file types in Excel and other Office applications—rolling updates commencing October 2025 through July 2026—further reducing the exploitation surface for document-based attacks.
Security analyst reviews broadly support these policy changes but recommend that organizations not rely solely on platform defaults. Additional defense-in-depth steps—such as the implementation of conditional access policies, regular audit of OAuth consents, and robust employee awareness training—are essential, given adversaries’ demonstrated agility in shifting tactics.
The Persistent Risk of Legitimate Tool Abuse
The cybercriminal use of RMM tools exploits another persistent blind spot: the trust placed in commercially available software. Since such tools are both widely used and highly configurable, endpoint security products are often tuned to avoid flagging them unless explicitly blacklisted or deployed outside of standard IT channels. Attackers exploit this inertia, spreading their initial access software under the guise of routine commercial activity, attached to plausible business documents.
Analyses from WithSecure and Seqrite emphasize the prevalence of this method, particularly in France, Luxembourg, Belgium, and Germany since late 2024. Attackers embed installation links within PDFs, boosting the credibility of lures while bypassing email security scanners and content filters. Once executed on the user endpoint, these RMM tools provide a backdoor for remote control, data collection, or further malicious operations, sometimes going unnoticed for extended periods.
While such attacks may not always deploy secondary payloads immediately, their utility as access vectors for ransomware and data theft remains high. Accordingly, organizations must tune their monitoring and response capabilities to detect the unusual use of RMM or remote-access tools, particularly if installation is not part of routine IT operations.
Multifaceted Lures: From Payments to Property
Social engineering remains the linchpin of contemporary attacks. Phishing emails purporting to contain payment receipts, contract documents, or real estate listings continue to prove exceptionally persuasive, especially when paired with plausible context or spoofed sender information.
In various campaigns, links concealed within PDF documents frequently enable attackers to bypass URL scanning engines. When users click through, they may be prompted to install RMM tools, grant OAuth consents, or input credentials into adversary-controlled web forms. The use of CAPTCHAs and real-time proxying via AiTM platforms further obscures malicious intent, making traditional pattern-matching detection methods increasingly ineffective.
This pattern of continuous adaptation demonstrates attackers’ commitment to process innovation and highlights the need for organizations to adopt a multilayered security strategy: technical controls, user education, and vigilant monitoring.
The Broader Implications: From Account Takeover to Enterprise Risk
The consequence of a successful OAuth or RMM-aided compromise extends far beyond initial account access. Attackers often use hijacked Microsoft 365 accounts as a launchpad for further internal phishing, business email compromise (BEC), data exfiltration, and even large-scale ransomware deployment. Since compromised accounts may have trusted relationships with internal or partner organizations, the impact often ripples outward, threatening supply chains and customer networks.
Security researchers caution that while the campaigns leveraging Tycoon, ODx, and commercial RMM tools represent only a fraction of global threat activity, their polish and efficacy place them at the forefront of account takeover risk. The growing adoption of AiTM credential phishing as a service, in particular, suggests that such techniques could become the industry standard for criminal enterprises, further enlarging the target pool and complicating incident response.
Mitigation Strategies: Practical Steps for Microsoft 365 Organizations
Given the persistence and sophistication of these attack methodologies, enterprise defenders must respond with a comprehensive, layered approach:
- Audit and restrict OAuth consents: Regularly review all applications with access to Microsoft 365 data, removing unused or excessive permissions, and require administrator approval for all new third-party apps.
- Implement Conditional Access policies: Enforce strict controls, such as requiring sign-ins from compliant or domain-joined devices and blocking legacy authentication globally.
- Educate users about phishing and social engineering: Promote skepticism around document attachment prompts, “authorization” emails, and requests to install unfamiliar software or approve new applications.
- Monitor for unusual RMM activity: Set alerts for installation or execution of known RMM tools outside of approved maintenance windows or IT workflows.
- Deploy behavioral analytics: Use tools capable of detecting anomalous application registrations, consent grants, or unexpected access patterns.
- Harden email delivery protections: Filter inbound communications for known phishing toolkits, suspicious domains, or unexpected use of trusted email marketing providers.
Analysis: Strengths, Weaknesses, and the Road Ahead
The attackers’ campaigns demonstrate several key strengths:
- Adaptability: Quick shifts to new delivery mechanisms—such as using trusted email and document platforms—outpace legacy defenses.
- Plausibility: Use of familiar brands and workflows, including CAPTCHAs and recognizable company names, reduces user skepticism.
- Technical sophistication: AiTM phishing, OAuth abuse, and commercial RMM deployment reflect a mature understanding of cloud applications and enterprise workflows.
The same campaigns also show weaknesses that defenders can turn to their advantage:
- Reliance on user interaction: In most cases, the attack cannot proceed without explicit user action; well-trained users reduce risk.
- Detectable behavioral changes: Installation of unusual RMM tools or mass creation of OAuth consents can be flagged by attentive IT and security teams.
- Dependency on legacy configurations: Microsoft’s ongoing updates and the broader shift away from legacy authentication threaten the long-term viability of these specific techniques.
Looking Forward: The Evolving Nature of Identity Attacks
The convergence of OAuth abuse, AiTM phishing, and legitimate tool exploitation points to a trend: attackers are focusing more on human and procedural weaknesses than on technical exploits. As cloud identity becomes the linchpin of distributed businesses, threats targeting Microsoft 365 and similar platforms will continue to evolve.
Ongoing security improvements by Microsoft—including enhanced consent frameworks and stronger default configurations—are promising developments, but their success relies on timely implementation and complementary investments by customers. While platform-level improvements can reduce the exploitability of specific vectors, attackers will continue to probe for overlooked configurations and user behaviors.
Organizations, therefore, face a crucial imperative: to view cloud account security not as a static checkbox, but as an ongoing process of education, vigilance, and adaptation. As the criminal underworld embraces AiTM phishing-as-a-service and weaponizes legitimate tools, security teams must match this dynamism with defense-in-depth, robust monitoring, and a culture of skepticism.
The narrative of these recent attacks underscores a simple, critical truth: in the cloud-first enterprise, identity is the new perimeter. Its defense will shape the security landscape for years to come.
Source: The Hacker News, “Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts”