Microsoft OAuth App Impersonation: MFA Phishing Tactics Explained
N2K Networks · January 3, 2026 · 19 min · 317 views
Understanding MFA Phishing
- Multi-factor authentication (MFA) phishing targets users by attempting to steal not just usernames and passwords, but also the second authentication factor.
- Historically, MFA has been a strong defense, but threat actors are evolving to bypass it by capturing the authentication tokens or session cookies issued after a successful MFA login.
- MFA phishing kits give threat actors ready-made tools to impersonate legitimate login pages; the pages look authentic even though the URL in the address bar is wrong.
The OAuth App Impersonation Campaign
- Threat actors are registering fake Microsoft OAuth applications that impersonate legitimate services to gain access and facilitate credential theft.
- Lures often use business-relevant content such as invoices, HR documents, or requests for quotes to trick users into clicking malicious links.
- Clicking the link leads to a fake Microsoft OAuth consent page requesting permissions. Even if the user clicks 'Cancel', they are typically redirected to a fake Microsoft login page that captures their credentials and MFA tokens.
- The research highlights campaigns impersonating services like Adobe, DocuSign, and SharePoint, targeting nearly 3,000 Microsoft 365 accounts.
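The consent-link pattern above can be triaged mechanically before a user ever sees the page. The script below is an added example (not code from the N2K page, the researchers, or any vendor): it parses a Microsoft identity platform authorize URL and flags the three signs of this campaign, an authorize endpoint that is not on a genuine Microsoft login host (a fake OAuth page), a redirect_uri that sends the user to an unknown site after consent or cancel, and scopes that would hand an attacker persistent mailbox or file access. The client_id, the hosts and the "trusted redirect hosts" allow-list are constructed placeholders; in practice the allow-list would come from the tenant's app inventory.

```python
"""Triage of OAuth consent links found in phishing lures (added example).

All URLs, hosts and the client_id below are constructed samples on
documentation-only domains, not real campaign indicators.
"""
from urllib.parse import urlparse, parse_qs

# Hosts on which a genuine Microsoft identity platform authorize endpoint lives.
GENUINE_AUTHORIZE_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Delegated permissions that give persistent access after a single consent.
HIGH_RISK_SCOPES = {
    "offline_access",
    "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all",
    "mailboxsettings.readwrite",
}


def triage_oauth_link(url, trusted_redirect_hosts):
    """Return {'verdict': 'allow'|'review'|'block', 'findings': [...]} for one link."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # parse_qs percent-decodes values, so '%20'-separated scopes become a space list.
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []

    if host not in GENUINE_AUTHORIZE_HOSTS:
        findings.append(f"authorize endpoint on non-Microsoft host: {host}")

    redirect_host = ""
    if "redirect_uri" in params:
        redirect_host = (urlparse(params["redirect_uri"]).hostname or "").lower()
        if redirect_host not in trusted_redirect_hosts:
            findings.append(f"redirect_uri leads to unknown host: {redirect_host}")

    requested = set(params.get("scope", "").lower().split())
    risky = sorted(requested & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes requested: " + ", ".join(risky))

    # A wrong host or an unknown redirect target is the phishing signature;
    # risky scopes from an approved app are merely worth a review.
    if host not in GENUINE_AUTHORIZE_HOSTS or (
        redirect_host and redirect_host not in trusted_redirect_hosts
    ):
        verdict = "block"
    elif risky:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


# Constructed inputs: an approved app host and a placeholder application id.
TRUSTED_REDIRECT_HOSTS = {"app.contoso.example"}
CLIENT_ID = "11111111-2222-3333-4444-555555555555"

SAMPLE_LINKS = {
    "legitimate": (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        f"?client_id={CLIENT_ID}&response_type=code"
        "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fcallback"
        "&scope=openid%20profile%20User.Read"
    ),
    # Genuine Microsoft host, but the app redirects to an attacker site and
    # asks for mailbox access that survives a password reset.
    "rogue_app": (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        f"?client_id={CLIENT_ID}&response_type=code"
        "&redirect_uri=https%3A%2F%2Fsharepoint-invoice-review.example%2Fauth"
        "&scope=openid%20offline_access%20Mail.Read%20Files.Read.All"
    ),
    # Lookalike host: a fake OAuth page that is not Microsoft at all.
    "fake_page": (
        "https://login.microsoftonline.com.docusign-secure.example/common/oauth2/v2.0/authorize"
        f"?client_id={CLIENT_ID}&response_type=code"
        "&redirect_uri=https%3A%2F%2Fdocusign-secure.example%2Fnext"
        "&scope=openid%20profile"
    ),
}


def triage_samples():
    """Run the triage over the constructed links; keyed by sample name."""
    return {name: triage_oauth_link(url, TRUSTED_REDIRECT_HOSTS)
            for name, url in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Note that the "rogue_app" case is the dangerous one for the campaign described here: the consent page itself is served by Microsoft, so URL inspection of the host alone passes, and only the redirect target and the requested scopes give it away.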
Attacker-in-the-Middle and Tycoon Kit
- The Tycoon phishing kit employs an adversary-in-the-middle (AitM) technique, primarily targeting Microsoft 365 and Gmail.
- The kit proxies the victim's real login in real time, collecting the username, password, and the authentication tokens and session cookies issued after MFA; replaying those cookies circumvents MFA access controls.
- While the Tycoon kit can be used at high volume, this specific campaign saw over two dozen malicious applications impersonating various services throughout 2025.
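The AitM flow described above leaves a detectable trace in sign-in telemetry: because the proxy relays the victim's genuine login, the interactive MFA success is logged from the proxy's IP, and the attacker then drives the captured session cookie from their own infrastructure, usually with different tooling. The detection below is an added example, not code from the N2K page or from any analysis of the Tycoon kit. It runs over constructed sign-in records with a simplified schema (user, timestamp, IP, user agent, session identifier, event type), which is an assumption; real Entra ID sign-in logs carry more fields and name them differently. The IP addresses are documentation ranges.

```python
"""Detecting replay of a stolen session cookie after an AitM phish (added example).

The tell is one session identifier seen from more than one client shortly
after the interactive MFA success. Events below are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(hours=24)

SAMPLE_EVENTS = [
    # alice: MFA completed through the phishing proxy, cookie replayed 6 minutes later
    {"user": "alice@contoso.example", "ts": "2025-06-02T09:14:00+00:00", "ip": "203.0.113.45",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0", "session_id": "sess-a1",
     "event": "interactive_mfa_success"},
    {"user": "alice@contoso.example", "ts": "2025-06-02T09:20:00+00:00", "ip": "198.51.100.7",
     "ua": "python-requests/2.32", "session_id": "sess-a1", "event": "token_use"},
    # bob: normal sign-in followed by token use from the same client
    {"user": "bob@contoso.example", "ts": "2025-06-02T10:00:00+00:00", "ip": "192.0.2.10",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17.4", "session_id": "sess-b1",
     "event": "interactive_mfa_success"},
    {"user": "bob@contoso.example", "ts": "2025-06-02T11:30:00+00:00", "ip": "192.0.2.10",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17.4", "session_id": "sess-b1", "event": "token_use"},
    # carol: IP changed three days later (e.g. travel), outside the replay window
    {"user": "carol@contoso.example", "ts": "2025-06-02T08:00:00+00:00", "ip": "192.0.2.20",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/125.0", "session_id": "sess-c1",
     "event": "interactive_mfa_success"},
    {"user": "carol@contoso.example", "ts": "2025-06-05T08:00:00+00:00", "ip": "203.0.113.99",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/125.0", "session_id": "sess-c1", "event": "token_use"},
]


def detect_session_replay(events, window=REPLAY_WINDOW):
    """Return one alert per session whose cookie was used from a second client
    within `window` of the interactive MFA success."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings in one zone sort chronologically
        mfa = next((e for e in evs if e["event"] == "interactive_mfa_success"), None)
        if mfa is None:
            continue  # no MFA anchor in this session; out of scope for this rule
        t0 = datetime.fromisoformat(mfa["ts"])
        ips, uas = {mfa["ip"]}, {mfa["ua"]}
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if t0 <= t <= t0 + window:
                ips.add(e["ip"])
                uas.add(e["ua"])
        if len(ips) > 1:
            alerts.append({
                "user": mfa["user"],
                "session_id": sid,
                "ips": sorted(ips),
                # A changed user agent on top of the IP change is the stronger signal:
                # the cookie is being driven by attacker tooling, not the victim's browser.
                "ua_changed": len(uas) > 1,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
```

The window is the tuning knob: too long and ordinary IP churn (mobile networks, travel) becomes noise, too short and a patient attacker who waits before using the cookie slips through. Pairing the rule with the proxy IP's reputation, or with the fact that the interactive sign-in itself came from an address the user has never used, tightens it further.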
Success Rates and Evolving Threats
- The success rate of these campaigns can be low, and depends heavily on the effectiveness of the social engineering and the quality of the email lures.
- Threat actors are pivoting from high-volume botnets to more targeted attacks focused on identity and access into cloud tenants, including MFA phishing and information stealers.
- Microsoft is implementing security changes, such as blocking legacy authentication protocols and requiring admin consent for third-party app access, to combat these threats.
Recommendations for Protection
- Organizations should implement robust email and cloud security measures.
- User training and education, tailored to the threats actually observed, are crucial for recognizing and avoiding phishing attempts.
- Phishing-resistant physical security keys (FIDO2/WebAuthn devices such as a YubiKey) are recommended over SMS or app-based MFA: because the key binds the authentication to the genuine site's origin, a proxy page cannot relay it, which further frustrates threat actors attempting to bypass authentication.
- Web security solutions that can isolate malicious sessions and block access to malicious URLs are also vital.
Topics: MFA Phishing · Microsoft OAuth · Credential Theft · Tycoon Phishing Kit · Adversary-in-the-Middle · Authentication Tokens · Session Cookies · Social Engineering · Cloud Security · User Training · Physical Security Keys · Information Stealers · Microsoft 365