Cyber attackers are exploiting counterfeit OAuth applications in conjunction with the Tycoon Kit to compromise Microsoft 365 accounts.
Cybersecurity researchers have identified a new cluster of activity where threat actors impersonate enterprises through fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. The fraudulent Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and DocuSign, according to a report by Proofpoint. This ongoing campaign, first detected in early 2025, utilises OAuth applications as a gateway to gain unauthorised access to users’ Microsoft 365 accounts via phishing kits like Tycoon and ODx, which are capable of conducting multi-factor authentication (MFA) phishing. Proofpoint observed this approach being employed in email campaigns featuring over 50 impersonated applications.
The attacks commence with phishing emails sent from compromised accounts, aiming to deceive recipients into clicking on URLs disguised as requests for quotes (RFQ) or business contract agreements. Clicking these links directs victims to a Microsoft OAuth page for an application named “iLSMART,” which requests permission to view their basic profile and maintain continued access to their data. Notably, this attack impersonates ILSMart, a legitimate online marketplace for the aviation, marine, and defence industries. While the permissions requested would be of limited use to an attacker on their own, they are instrumental in setting up the next stage of the attack. Regardless of whether the target accepts or denies the permissions, they are redirected to a CAPTCHA page and subsequently to a counterfeit Microsoft account authentication page. This fake page employs adversary-in-the-middle (AitM) phishing techniques powered by the Tycoon Phishing-as-a-Service (PhaaS) platform to harvest victims’ credentials and MFA codes.

Recently, Proofpoint detected another campaign impersonating Adobe, where emails sent via Twilio SendGrid aimed to gain user authorisation or trigger a cancellation flow that redirects victims to a phishing page. This campaign represents only a fraction of the overall Tycoon-related activity, with multiple clusters leveraging the toolkit to execute account takeover attacks. In 2025 alone, nearly 3,000 user accounts across more than 900 Microsoft 365 environments experienced attempted account compromises.

Proofpoint warns that threat actors are developing increasingly innovative attack chains to bypass detection and gain access to organisations globally, anticipating that targeting users’ identities with AitM credential phishing will become the criminal industry standard.
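The consent prompt described above (basic profile plus continued access) leaves a trace whenever a user clicks accept. The following script is an added example, not code from Proofpoint or the article: it runs a simple triage over constructed consent-grant records loosely modelled on Microsoft 365 audit events, flagging grants to apps that reuse an impersonated brand name under an unverified publisher or that obtain `offline_access` through user consent. The field names (`AppDisplayName`, `PublisherVerified`, `Scopes`, `ConsentType`) are simplified assumptions, not the exact audit log schema.

```python
import json
import re

# Constructed sample events (simplified fields, not real log output). The
# "iLSMART" and "Adobe" names mirror the impersonated apps in the report.
SAMPLE_EVENTS = [
    {"Operation": "Consent to application.", "UserId": "alice@example.com",
     "AppDisplayName": "iLSMART", "PublisherVerified": False,
     "Scopes": ["User.Read", "offline_access"], "ConsentType": "User"},
    {"Operation": "Consent to application.", "UserId": "bob@example.com",
     "AppDisplayName": "Adobe", "PublisherVerified": False,
     "Scopes": ["User.Read", "offline_access"], "ConsentType": "User"},
    {"Operation": "Consent to application.", "UserId": "carol@example.com",
     "AppDisplayName": "Contoso HR Portal", "PublisherVerified": True,
     "Scopes": ["User.Read"], "ConsentType": "Admin"},
    {"Operation": "Add user.", "UserId": "admin@example.com"},
]

# Brands the report lists as impersonated; an unverified publisher using one
# of these names (or a look-alike spelling) is the tell.
IMPERSONATED_BRANDS = ["ringcentral", "sharepoint", "adobe", "docusign", "ilsmart"]

def normalise(name: str) -> str:
    """Lower-case and strip non-letters so 'iLSMART' and 'ILS-Mart' compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())

def assess_consent(event: dict) -> list:
    """Return the reasons an event looks like a brand-impersonating consent grant."""
    if event.get("Operation") != "Consent to application.":
        return []
    reasons = []
    name = normalise(event.get("AppDisplayName", ""))
    if not event.get("PublisherVerified") and any(b in name for b in IMPERSONATED_BRANDS):
        reasons.append("unverified publisher using an impersonated brand name")
    # "Maintain continued access" on the consent screen is the offline_access
    # scope, which yields a long-lived refresh token for the granting user.
    if "offline_access" in event.get("Scopes", []) and event.get("ConsentType") == "User":
        reasons.append("user-granted offline_access (persistent refresh token)")
    return reasons

def flag_suspicious(events: list) -> dict:
    """Map each user with a suspicious consent to the app name and reasons."""
    hits = {}
    for ev in events:
        reasons = assess_consent(ev)
        if reasons:
            hits[ev["UserId"]] = {"app": ev["AppDisplayName"], "reasons": reasons}
    return hits

if __name__ == "__main__":
    print(json.dumps(flag_suspicious(SAMPLE_EVENTS), indent=2))
```

Because the report notes that victims are redirected to the AitM page whether they accept or deny, this check only surfaces the consent leg of the chain; sign-in events for the same users should be reviewed alongside it.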