
Proofpoint Unmasks Microsoft OAuth Impersonation, Uncovers MFA Illusion

Trust Nothing, Trust No One

For all of today’s technologies, many cyberattacks still depend on deception and subterfuge. Unfortunately, the ways cyber criminals deceive people and systems are evolving as well. In 2025, that deception took on a new form by masquerading as trust itself. This much was uncovered by Proofpoint, whose latest report delved into Microsoft OAuth apps and how they have become a cautionary tale of trust being weaponised and dismantling even the most robust cyber defences available.

In case you need a refresher, Microsoft OAuth is a secure protocol that allows apps and services to access user data without ever needing to know your password. It is part of a broader standard called OAuth 2.0, and Microsoft uses it across platforms like Microsoft 365, Azure, and the Microsoft identity platform. In other words, it’s as legit as legit can be, and no one would likely mistake it for an attack vector. After all, Microsoft made it. Microsoft uses it.

Microsoft OAuth: Anatomy of an Attack 

With surgical precision, threat actors created fake Microsoft OAuth applications that mimicked trusted brands like SharePoint, Adobe, DocuSign, RingCentral, and more. These malicious apps were not crude imitations but legit-looking ones, complete with convincing names, logos, and permission prompts.


This uncanny resemblance to legitimate apps lulled users into a false sense of security—and once they clicked “Accept,” they were redirected through a CAPTCHA page, a clever anti-bot measure, before finally landing on a spoofed Microsoft login portal. From the app to the CAPTCHA to the Microsoft login portal, everything looked legit and above board. It turns out that wasn’t the case at all. It was a well-designed ruse, deception of the highest order.

Behind the scenes, phishing kits like Tycoon and ODx harvested credentials and session tokens, bypassing multifactor authentication (MFA) and granting attackers persistent access to Microsoft 365 accounts. The OAuth tokens, immune to password resets, became silent keys to the kingdom, so to speak.

The Illusion of Security

Multifactor authentication has long been heralded as the gold standard of account protection. But this campaign exposes its Achilles’ heel: the human element. Users, conditioned to trust familiar logos and benign permission requests, unwittingly authorized access to malicious apps. The attack did not break MFA—it sidestepped it entirely.

This is not merely a technical failure. It is a philosophical one. The assumption that MFA alone can safeguard identity is flawed. Instead, security must be holistic, adaptive, and skeptical. This should be the case for everything and everyone, even of what appears familiar, because in today’s deceitful world, almost nothing is what it seems.

Key Takeaways from the Microsoft OAuth Impersonation Campaign

Aspect: Details

Attack Vector: Fake Microsoft OAuth apps impersonating trusted brands
Bypass Technique: CAPTCHA + spoofed login + AiTM phishing kits (Tycoon, ODx)
MFA Vulnerability: Microsoft OAuth tokens survive password resets; MFA bypassed via token authorization
Scope of Impact: 3,000+ accounts compromised across 900+ Microsoft 365 environments
Microsoft’s Mitigation: Blocking legacy protocols; requiring admin consent for app access

Scope of Attacks, Their Implications, and Microsoft’s Response

Proofpoint observed over 50 impersonated applications and thousands of malicious messages sent from compromised business accounts. The campaign targeted industries with surgical precision, even impersonating ILSMart, a legitimate aerospace marketplace, to exploit niche trust relationships.

The implications are profound. Attackers no longer need to brute-force their way into systems. They simply need to ask nicely—and look trustworthy while doing it.

In June 2025, Microsoft announced updates to default settings in Microsoft 365, including blocking legacy authentication protocols and requiring admin consent for third-party app access. These changes, rolling out through August, are expected to curtail such abuse. But the damage is done. The campaign has already compromised nearly 3,000 user accounts across 900 environments.
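The attack chain described above (brand-mimicking apps consented by users, with tokens that survive a password reset) and the mitigation Microsoft is rolling out (admin consent for third-party apps) both come down to the same defensive question: which consent grants in a tenant deserve a second look, and what does a proper response consist of? The script below is an added example written for this article; it is not Proofpoint's or Microsoft's code. It triages a handful of constructed consent-grant records whose shape only loosely resembles Entra ID audit events (the field names and sample app IDs are assumptions), flags apps whose display name resembles one of the brands named in the report while the publisher is unverified, weights high-privilege scopes, and lists response steps that include revoking issued tokens rather than relying on a password reset alone.

```python
"""Triage OAuth consent grants for brand-impersonating apps (added example)."""
from dataclasses import dataclass, field
import difflib

# Brands named in the article as impersonated by the fake apps.
IMPERSONATED_BRANDS = ("sharepoint", "adobe", "docusign", "ringcentral", "ilsmart")

# Scopes that give durable or broad access; offline_access yields refresh tokens,
# which is why a password reset alone does not end the attacker's session.
HIGH_RISK_SCOPES = {"offline_access", "mail.read", "mail.readwrite",
                    "files.read.all", "user.read.all"}


@dataclass
class ConsentGrant:
    """Constructed record; field names are assumptions, not an Entra ID schema."""
    app_display_name: str
    app_id: str
    publisher_verified: bool
    consent_type: str          # "Principal" = user consent, "AllPrincipals" = admin consent
    scopes: list = field(default_factory=list)
    user: str = ""


def normalize(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch.isalnum())


def looks_like_brand(display_name: str):
    """Return the brand a display name imitates, or None.

    Exact containment catches 'SharePoint Online'; per-token fuzzy matching
    catches typo-squats such as 'DocuSgn'. Tokens under 4 chars are skipped.
    """
    whole = normalize(display_name)
    for brand in IMPERSONATED_BRANDS:
        if brand in whole:
            return brand
    for token in (normalize(t) for t in display_name.split()):
        if len(token) < 4:
            continue
        for brand in IMPERSONATED_BRANDS:
            if difflib.SequenceMatcher(None, brand, token).ratio() >= 0.8:
                return brand
    return None


def assess(grant: ConsentGrant):
    """Score one grant; returns (verdict, reasons)."""
    score, reasons = 0, []
    brand = looks_like_brand(grant.app_display_name)
    if brand and not grant.publisher_verified:
        score += 3
        reasons.append(f"name resembles '{brand}' but publisher is unverified")
    risky = sorted({s.lower() for s in grant.scopes} & HIGH_RISK_SCOPES)
    if risky:
        score += 2
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if grant.consent_type == "Principal" and not grant.publisher_verified:
        score += 1
        reasons.append("user-granted consent to an unverified publisher")
    verdict = "high" if score >= 3 else "medium" if score >= 2 else "low"
    return verdict, reasons


def triage(grants):
    """Map app_id -> verdict for a batch of grants."""
    return {g.app_id: assess(g)[0] for g in grants}


def response_actions(grant: ConsentGrant):
    """Defender's checklist for a grant judged high risk."""
    return [
        f"revoke all OAuth2 permission grants for app {grant.app_id}",
        f"revoke refresh tokens for {grant.user or 'all consenting users'} "
        "(a password reset alone does not invalidate issued tokens)",
        f"disable or delete the service principal for '{grant.app_display_name}'",
        "review sign-in and mailbox activity since the consent timestamp",
    ]


# Constructed sample grants; app IDs and user names are placeholders.
SAMPLE_GRANTS = [
    ConsentGrant("SharePoint", "app-0001", False, "Principal",
                 ["openid", "profile", "offline_access", "Mail.Read"], "alice@example.test"),
    ConsentGrant("Contoso Expense Tracker", "app-0002", True, "Principal", ["User.Read"]),
    ConsentGrant("DocuSgn Signature", "app-0003", False, "AllPrincipals", ["Files.Read.All"]),
    ConsentGrant("RingCentral Meetings", "app-0004", True, "Principal",
                 ["User.Read", "offline_access"]),
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        verdict, reasons = assess(g)
        print(f"{g.app_id} {g.app_display_name!r}: {verdict} {reasons}")
        if verdict == "high":
            for step in response_actions(g):
                print("   -", step)
```

The verified RingCentral grant lands at medium only because of offline_access, which is the intended behaviour: a genuine app asking for refresh tokens is worth a look but is not the impersonation pattern the report describes. The thresholds and brand list are the parts an organisation would tune to its own tenant.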

Security vendors and organisations must now reckon with a new reality: identity is the new perimeter, and trust is its most vulnerable asset.

A Final Word

This Microsoft OAuth campaign is a stark reminder that what looks familiar may be the most dangerous. This certainly applies to cybersecurity and should be taken into account when building a robust, proactive, and holistic security architecture.

At the end of the day, it just might be best to trust nothing and trust no one.

Martin Dale Bolima

Martin has been a Technology Journalist at Asia Online Publishing Group (AOPG) since July 2021, tasked primarily to handle the company’s Disruptive Tech Asia and Disruptive Tech News online portals. He also contributes to Cybersecurity ASEAN and Data&Storage ASEAN, with his main areas of interest being artificial intelligence and machine learning, cloud computing and cybersecurity. A seasoned writer and editor, Martin holds a degree in Journalism from the University of Santo Tomas in the Philippines. He began his professional career back in 2006 as a writer-editor for the University Press of First Asia, one of the premier academic publishers in the Philippines. He next dabbled in digital marketing as an SEO writer while also freelancing as a sports and features writer.
