Microsoft moves to curb the threat: Thousands of malicious messages have been sent from compromised business accounts, as part of the campaign, each impersonating well-known companies. Some lures asked for benign-looking permissions such as “view your profile” and “maintain access to data you have given it access to”.Proofpoint said it reported the observed apps to Microsoft in early 2025 and noted that the software giant’s upcoming Microsoft 365 default-setting changes, announced in June 2025, are expected to significantly limit attackers’ ability to abuse third-party app access. The updates began rolling out in mid-July and are expected to be completed by August 2025.Microsoft did not immediately respond to CSO’s request for comments.Proofpoint recommends implementing effective BEC-prevention measures, blocking unauthorized access in cloud environments, and isolating potentially malicious links in emails to stay ahead of the campaign. Additionally, educating users on Microsoft 365 security risks and strengthening authentication with FIDO-based physical security keys might help. Malicious Microsoft OAuth application IDs and Tycoon fingerprints observed in the campaign were also shared to set detection for.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4032743/cybercrooks-faked-microsoft-oauth-apps-for-mfa-phishing.html
