Executive Summary
Proofpoint discovered a widespread phishing campaign that uses fake Microsoft OAuth applications to bypass multifactor authentication (MFA) and harvest Microsoft 365 credentials. The attackers impersonated reputable brands such as RingCentral, Adobe, SharePoint, and DocuSign, luring victims into approving a consent request for minimal permissions. Even when the consent request was declined, victims were redirected through a CAPTCHA to a phishing page built on the Tycoon or ODx phishing kit, which performs attacker-in-the-middle (AiTM) credential harvesting. Since early 2025, Proofpoint has observed attempted compromises of nearly 3,000 user accounts across more than 900 Microsoft 365 environments, with a confirmed success rate exceeding 50%. To limit this abuse, Microsoft implemented blocking of legacy authentication and a requirement for admin consent for third-party apps, with the rollout completing by August 2025.
Retail & Hospitality Community Impact
- Credential theft risk: Retail and hospitality organizations rely heavily on Microsoft 365 for collaboration, payroll, and customer service. OAuth app phishing threatens unauthorized access to email, reservation systems, and internal data.
- Risk to loyalty and payments systems: Compromised accounts may provide access to customer loyalty databases or POS systems, enabling fraud or data exfiltration.
- Trust erosion and insider phishing: Attackers may use compromised accounts to impersonate employees and send phishing internally, damaging operational and reputational trust.
- Detection challenges: OAuth consent screens are familiar to end users; staff accustomed to approving legitimate integrations may approve malicious ones unintentionally, especially during busy periods.
Technical Details & TTPs
Initial Compromise & Lure
- Attackers use compromised internal email accounts to send phishing messages, often themed as RFQs or business document agreements.
- Messages direct users to fake OAuth consent screens for impersonated apps requesting minimal permissions (view basic profile, maintain access to data).
Credential Theft via AiTM
- Once access is approved, the victim is redirected through a CAPTCHA step to evade automated detection, then to a spoofed Microsoft login page.
- Tycoon or ODx phishing kits capture both credentials and MFA tokens, providing full access even if MFA is enabled.
Post-Compromise Impact
- OAuth tokens and consent grants remain valid through a password reset until they are explicitly revoked.
- Compromised accounts can be repurposed for lateral movement, follow-on malware installation, or to distribute further phishing from trusted internal sources.
Mitigations & Detection Opportunities
Detection & Monitoring
- Monitor cloud logs for new OAuth app consents granted, especially from unexpected internal senders or apps.
- Flag emails containing URLs leading to OAuth consent pages with branding mismatches or odd redirect flows.
- Observe unusual MFA prompts or sessions granted by unknown OAuth clients.
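The three monitoring points above can be exercised against the advisory's own indicators. The following is an added example (not Proofpoint's tooling, and not from the original advisory) that checks a URL seen in email for the app ID and redirect target it carries, triages consent events, and flags sign-ins by the axios user agents. The event and sign-in record shapes are a simplified assumption, as are the approved-app IDs and the sample records; the app IDs, domains and user agents are taken from the IoC table and kept defanged as published.

```python
"""Triage of OAuth consent activity against this advisory's indicators (added example)."""
from urllib.parse import parse_qs, urlparse

# Indicators from the advisory's IoC table (app IDs lowercased for matching).
MALICIOUS_APP_IDS = {
    "14b2864e-3cff-4d33-b5cd-7f14ca272ea4", "85da47ec-2977-40ab-af03-f3d45aaab169",
    "355d1228-1537-4e90-80a6-dae111bb4d70", "6628b5b8-55af-42b4-9797-5cd5c148313c",
    "b0d8ea55-bc29-436c-9f8b-f8829030261d", "22c606e8-7d68-4a09-89d9-c3c563a453a0",
    "31c6b531-dd95-4361-93df-f5a9c906da39", "055399fa-29b9-46ab-994d-4ae06f40bada",
    "6a77659d-dd6f-4c73-a555-aed25926a05f", "21f81c9e-475d-4c26-9308-1de74a286f73",
    "987c259f-da29-4575-8072-96c610204830", "db2eb385-c02f-44fc-b204-ade7d9f418b1",
    "f99a0806-7650-4d78-acef-71e445dfc844", "fdcf7337-92bf-4c70-9888-ea234b6ffb0d",
    "fe0e32ca-d09e-4f80-af3c-5b086d4b8e66",
}
MALICIOUS_DOMAINS_DEFANGED = {
    "azureapplicationregistration[.]pages[.]dev", "yrqwvevbjcfv[.]es",
    "gmlygt[.]ru", "chikeukohandco[.]com", "pw5[.]haykovx[.]es",
}
SUSPECT_USER_AGENTS = {"axios/1.7.9", "axios/1.8.2"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps[:]//a[.]b) back into a matchable form."""
    return indicator.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


MALICIOUS_DOMAINS = {refang(d) for d in MALICIOUS_DOMAINS_DEFANGED}


def _is_campaign_host(host: str) -> bool:
    """Exact or subdomain match against the campaign's domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)


def check_consent_url(url: str, approved_app_ids: set) -> list:
    """Reasons to flag a URL found in an email; an empty list means nothing matched.

    A genuine Microsoft consent link is an /oauth2/.../authorize URL on
    login.microsoftonline.com; its client_id names the requesting app and its
    redirect_uri names where the user lands afterwards, so both can be
    checked before anyone clicks.
    """
    reasons = []
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    if _is_campaign_host(host):
        reasons.append(f"host {host} is a known campaign domain")
    if (host.endswith("login.microsoftonline.com") and "/oauth2/" in parsed.path
            and parsed.path.endswith("/authorize")):
        query = parse_qs(parsed.query)  # parse_qs percent-decodes the values
        client_id = query.get("client_id", [""])[0].lower()
        redirect_host = urlparse(query.get("redirect_uri", [""])[0]).hostname or ""
        if client_id in MALICIOUS_APP_IDS:
            reasons.append(f"client_id {client_id} is a known malicious app")
        elif client_id and client_id not in approved_app_ids:
            reasons.append(f"client_id {client_id} is not an approved integration")
        if _is_campaign_host(redirect_host):
            reasons.append(f"redirect_uri host {redirect_host} is a known campaign domain")
    return reasons


def triage_consent_events(events: list, approved_app_ids: set) -> list:
    """Known-bad app IDs are high; user (non-admin) consent to any app outside the
    approved inventory is medium. Minimal scopes are no reason to skip an event:
    the campaign asked for very little."""
    alerts = []
    for ev in events:
        if ev.get("activity") != "Consent to application":
            continue
        app_id = ev.get("app_id", "").lower()
        if app_id in MALICIOUS_APP_IDS:
            severity, reason = "high", "known malicious application ID"
        elif not ev.get("admin_consent", False) and app_id not in approved_app_ids:
            severity, reason = "medium", "user consent to an unapproved third-party app"
        else:
            continue
        alerts.append({"severity": severity, "user": ev.get("user"),
                       "app": ev.get("app_name"), "app_id": app_id, "reason": reason})
    return alerts


def triage_signins(signins: list) -> list:
    """Sign-ins whose user agent matches the axios strings tied to Tycoon."""
    return [s for s in signins if s.get("user_agent") in SUSPECT_USER_AGENTS]


# Constructed sample data (assumed shapes, not real log output).
APPROVED_APP_IDS = {"0f5d2a6e-0000-4000-8000-000000000001"}  # placeholder vetted app
SAMPLE_EVENTS = [
    {"activity": "Consent to application", "user": "front.desk@example.com",
     "app_name": "RingCentral", "app_id": "db2eb385-c02f-44fc-b204-ade7d9f418b1",
     "admin_consent": False},
    {"activity": "Consent to application", "user": "payroll@example.com",
     "app_name": "Adobe Sign", "app_id": "11111111-2222-4333-8444-555555555555",
     "admin_consent": False},
    {"activity": "Consent to application", "user": "it.admin@example.com",
     "app_name": "Vetted Integration", "app_id": "0f5d2a6e-0000-4000-8000-000000000001",
     "admin_consent": True},
    {"activity": "Update user", "user": "it.admin@example.com"},
]
SAMPLE_SIGNINS = [
    {"user": "front.desk@example.com", "user_agent": "axios/1.8.2", "ip": "203.0.113.10"},
    {"user": "payroll@example.com", "user_agent": "Mozilla/5.0", "ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for alert in triage_consent_events(SAMPLE_EVENTS, APPROVED_APP_IDS):
        print(alert)
    for s in triage_signins(SAMPLE_SIGNINS):
        print("suspect sign-in:", s)
```

The medium-severity rule is the one that catches a new app ID the IoC table does not yet list: once admin consent is enforced, any user-granted consent to an app outside the approved inventory is itself the anomaly.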
Security Controls
Restrict OAuth App Consent
- Enforce admin consent only for third-party app access.
- Adopt the Microsoft security-default changes rolling out July–August 2025, which block legacy authentication and require admin approval for third-party app consent.
User Education
- Train staff that trusted branding does not guarantee safe apps, especially in OAuth prompts.
- Teach users to scrutinize app names, publishers, and requested permissions.
Identity Hygiene
- Regularly audit OAuth grants and remove unknown or stale authorized apps.
- Require phishing-resistant, FIDO-based MFA where feasible.
- Revoke OAuth tokens promptly upon password reset or suspected compromise.
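The audit and revocation steps above can be turned into a periodic job. The following is an added example, not part of the advisory: it takes an inventory of OAuth grants, flags apps outside the approved inventory, unverified publishers, grants unused for longer than a threshold, and grants that predate a user's password reset, and recommends revoke or review for each. The Grant shape, the approved-app IDs, the sample grants and the dates are all constructed assumptions; a real run would be fed from the tenant's own grant and service principal data.

```python
"""Periodic OAuth grant audit for identity hygiene (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    """Simplified, assumed view of one user's consent to one application."""
    user: str
    app_id: str
    app_name: str
    publisher_verified: bool
    scopes: tuple
    granted_at: datetime
    last_used_at: Optional[datetime]  # None if never observed in use


def audit_grants(grants, approved_app_ids, now, password_resets=None, stale_after_days=90):
    """Return one finding per grant that should be revoked or reviewed.

    password_resets maps user -> time of their most recent password reset; any
    grant issued before that time survived the reset and still needs revoking.
    """
    password_resets = password_resets or {}
    findings = []
    for g in grants:
        reasons = []
        unknown = g.app_id.lower() not in approved_app_ids
        if unknown:
            reasons.append("app is not in the approved integration inventory")
        if not g.publisher_verified:
            reasons.append("publisher is not verified")
        # offline_access is the "maintain access to data" permission; it yields a
        # refresh token, so an unknown app holding it keeps access long term.
        if unknown and "offline_access" in g.scopes:
            reasons.append("unknown app holds offline_access (long-lived refresh token)")
        last_seen = g.last_used_at or g.granted_at
        stale = now - last_seen > timedelta(days=stale_after_days)
        if stale:
            reasons.append(f"not used in over {stale_after_days} days")
        reset_at = password_resets.get(g.user)
        predates_reset = reset_at is not None and g.granted_at < reset_at
        if predates_reset:
            reasons.append("grant predates the user's password reset and survived it")
        if not reasons:
            continue
        action = "revoke" if (unknown or stale or predates_reset) else "review"
        findings.append({"user": g.user, "app": g.app_name, "app_id": g.app_id,
                         "action": action, "reasons": reasons})
    return findings


# Constructed sample inventory. App ID db2eb385-... is from the advisory's IoC
# table; the 0f5d2a6e-... IDs are placeholders for the tenant's vetted apps.
UTC = timezone.utc
NOW = datetime(2025, 8, 1, tzinfo=UTC)
APPROVED_APP_IDS = {"0f5d2a6e-0000-4000-8000-000000000001",
                    "0f5d2a6e-0000-4000-8000-000000000002"}
SAMPLE_GRANTS = [
    Grant("front.desk@example.com", "0f5d2a6e-0000-4000-8000-000000000001",
          "Vetted Scheduling App", True, ("User.Read",),
          datetime(2025, 1, 10, tzinfo=UTC), datetime(2025, 7, 30, tzinfo=UTC)),
    Grant("events@example.com", "0f5d2a6e-0000-4000-8000-000000000002",
          "Internal Menu Board", False, ("User.Read",),
          datetime(2025, 4, 3, tzinfo=UTC), datetime(2025, 7, 28, tzinfo=UTC)),
    Grant("payroll@example.com", "db2eb385-c02f-44fc-b204-ade7d9f418b1",
          "RingCentral", False, ("openid", "profile", "offline_access"),
          datetime(2025, 3, 11, tzinfo=UTC), datetime(2025, 7, 31, tzinfo=UTC)),
    Grant("manager@example.com", "0f5d2a6e-0000-4000-8000-000000000002",
          "Internal Menu Board", True, ("User.Read",),
          datetime(2024, 9, 1, tzinfo=UTC), datetime(2025, 1, 15, tzinfo=UTC)),
    Grant("reservations@example.com", "0f5d2a6e-0000-4000-8000-000000000001",
          "Vetted Scheduling App", True, ("User.Read",),
          datetime(2025, 5, 2, tzinfo=UTC), datetime(2025, 7, 29, tzinfo=UTC)),
]
PASSWORD_RESETS = {"reservations@example.com": datetime(2025, 7, 20, tzinfo=UTC)}

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, APPROVED_APP_IDS, NOW, PASSWORD_RESETS):
        print(f["action"].upper(), f["user"], f["app"], "|", "; ".join(f["reasons"]))
```

In Microsoft Graph, a "revoke" finding maps to deleting the corresponding oauth2PermissionGrant and calling the user's revokeSignInSessions action so outstanding refresh tokens stop working; the third sample grant shows why the scope list alone is not a safe filter, since the campaign's apps asked only for profile and offline access.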
Indicators of Compromise
| Indicator | Description | First Seen |
| --- | --- | --- |
| hxxps[:]//azureapplicationregistration[.]pages[.]dev/redirectapp | Redirector to Tycoon | 18 March 2025 |
| hxxps://9b031a44-7158758d[.]yrqwvevbjcfv[.]es/SZgm3kXA/ | Tycoon Landing | 18 March 2025 |
| yrqwvevbjcfv[.]es | Tycoon Landing Domain | 18 March 2025 |
| hxxps://n3xxk[.]gmlygt[.]ru/chai!0jwio | Tycoon Antibot (Example) | 18 March 2025 |
| gmlygt[.]ru | Tycoon Antibot (Example) | 18 March 2025 |
| 2a00:b703:fff2:35::1 | Example of Signin Facing IP for Tycoon | 18 March 2025 |
| hxxps://chikeukohandco[.]com/csi/index.html?redirect_mongo_id=684aaffb62194c1eaec5076d&utm_source= | SendGrid URL to Tycoon Redirector | 12 June 2025 |
| hxxps://chikeukohandco[.]com/saas/Index.html | Redirector to Tycoon | 12 June 2025 |
| pw5[.]haykovx[.]es | Tycoon Landing Domain | 12 June 2025 |
| 14b2864e-3cff-4d33-b5cd-7f14ca272ea4 | Malicious Microsoft OAuth Application ID | 27 January 2025 |
| 85da47ec-2977-40ab-af03-f3d45aaab169 | Malicious Microsoft OAuth Application ID | 04 February 2025 |
| 355d1228-1537-4e90-80a6-dae111bb4d70 | Malicious Microsoft OAuth Application ID | 19 February 2025 |
| 6628b5b8-55af-42b4-9797-5cd5c148313c | Malicious Microsoft OAuth Application ID | 19 February 2025 |
| b0d8ea55-bc29-436c-9f8b-f8829030261d | Malicious Microsoft OAuth Application ID | 04 March 2025 |
| 22c606e8-7d68-4a09-89d9-c3c563a453a0 | Malicious Microsoft OAuth Application ID | 11 March 2025 |
| 31c6b531-dd95-4361-93df-f5a9c906da39 | Malicious Microsoft OAuth Application ID | 11 March 2025 |
| 055399fa-29b9-46ab-994d-4ae06f40bada | Malicious Microsoft OAuth Application ID | 18 February 2025 |
| 6a77659d-dd6f-4c73-a555-aed25926a05f | Malicious Microsoft OAuth Application ID | 06 March 2025 |
| 21f81c9e-475d-4c26-9308-1de74a286f73 | Malicious Microsoft OAuth Application ID | 20 February 2025 |
| 987c259f-da29-4575-8072-96c610204830 | Malicious Microsoft OAuth Application ID | 18 March 2025 |
| db2eb385-c02f-44fc-b204-ade7d9f418b1 | Malicious Microsoft OAuth Application ID | 10 March 2025 |
| f99a0806-7650-4d78-acef-71e445dfc844 | Malicious Microsoft OAuth Application ID | 17 March 2025 |
| fdcf7337-92bf-4c70-9888-ea234b6ffb0d | Malicious Microsoft OAuth Application ID | 27 February 2025 |
| fe0e32ca-d09e-4f80-af3c-5b086d4b8e66 | Malicious Microsoft OAuth Application ID | 06 March 2025 |
| axios/1.7.9 | Axios user agent associated with Tycoon activity | 09 December 2024 |
| axios/1.8.2 | Axios user agent associated with Tycoon activity | 10 March 2025 |