Microsoft OAuth App Impersonation: MFA Phishing Tactics Explained

Understanding MFA Phishing

• 💡 MFA phishing is a sophisticated attack that targets multi-factor authentication, aiming to steal not just usernames and passwords, but also authentication tokens or other second factors.
• ⚠️ Historically, MFA has been a strong defense, but threat actors have developed creative tools to bypass it, often by impersonating legitimate services.

The OAuth App Impersonation Campaign

• 🎯 Threat actors are using fake Microsoft OAuth applications to impersonate services like Adobe, DocuSign, and SharePoint.
• 📧 These campaigns often use business-relevant lures such as invoices, HR documents, or quote requests to trick users into clicking malicious links.
• 🔗 Clicking the link leads to a fake Microsoft OAuth page where users are prompted to grant permissions to a malicious app, or are redirected to a fake Microsoft login page.

Attacker-in-the-Middle (AitM) Technique

• 🧠 The Tycoon fishing kit employs an attacker-in-the-middle (AitM) technique, primarily targeting Microsoft 365 and Gmail.
• 🔑 This method uses cookies to circumvent MFA controls, allowing attackers to collect usernames, passwords, and authentication tokens in near real-time.
• 🚫 Even if a user clicks 'cancel' on the permission request, they are often redirected to the credential-harvesting page.

Campaign Scope and Success Factors

• 📈 While the Tycoon kit itself can be high-volume, this specific campaign saw over two dozen malicious applications impersonating various services throughout 2025.
• 📉 The success rate of account takeovers is often low, heavily depending on the effectiveness of the social engineering and the user's ability to spot fake URLs.
• 🚀 Innovations in attacker tactics, like MFA phishing, are direct responses to advancements in defensive measures, highlighting the ongoing cat-and-mouse game in cybersecurity.

Recommendations for Protection

• 🛡️ Organizations should implement robust email and web security measures, alongside comprehensive user training tailored to observed threats.
• 🔑 Phishing-resistant MFA, such as FIDO-based physical security keys (like YubiKey), is crucial to prevent attackers from stealing authentication tokens.
• ⚙️ Microsoft is updating its security defaults to block legacy authentication and require admin consent for third-party app access, which will help mitigate some of these risks.