Proofpoint Exposes Advanced OAuth Phishing, Bypassing MFA Security

Proofpoint, a cybersecurity firm, revealed a global phishing campaign that uses fake Microsoft OAuth apps to bypass MFA for Microsoft 365 users.

Cybersecurity firm Proofpoint revealed a global phishing campaign that uses fake Microsoft OAuth apps to bypass MFA for Microsoft 365 users in over 900 environments. Using fake links and hijacked credentials, the attackers gain access by circumventing the security measures built into authentication.

Like other cyber tactics, it all rests on tricking users into believing these are real applications, so that permissions are granted unknowingly. Attackers steal credentials and bypass multi-factor authentication (MFA), demonstrating that today's phishing attacks have moved beyond traditional scams to become savvy and technical operations.

Microsoft’s New Auth Protections 

The foundation of these MFA bypass attacks is impersonating Microsoft OAuth applications. The applications pose as recognizable names, such as Adobe, SharePoint, and DocuSign, and are used in Attacker-in-the-Middle (AiTM) phishing operations.

Once the user interacts with the phishing email, they are redirected to a realistic-looking OAuth consent page, and then to an impersonated Microsoft login page.

“Threat actors are creating deceptive Microsoft OAuth applications that impersonate well-known brands such as Adobe, DocuSign, and SharePoint. These malicious apps serve as lures in Attacker-in-the-Middle (AiTM) phishing attacks, primarily utilizing the Tycoon phishing kit, to harvest user credentials and intercept MFA tokens,” Proofpoint said. 

This represents a new threat that abuses OAuth, with malicious applications serving as backdoors into corporate networks. At the core of it is the Tycoon phishing kit.

A pioneer of real-time credential capture, Tycoon allows hackers to gain full access even when MFA is turned on. Such software-based MFA bypass attacks exploit session-handling weaknesses, giving attackers full account access regardless of additional layers of authentication, and some of the MFA attacks are industry-specific.

Phishing emails against aerospace companies, for example, are built around industry-specific terminology such as "request for quotes" (RFQs) and refer to platforms like ILSMart. These are examples of the targeted authentication threats that modern businesses must deal with.

Cloud App Security Posture Management 

The most typical attack chain starts with a phishing email sent from an already compromised account. The recipient is shown what appears to be a legitimate Microsoft permission page requesting app permissions.

Whether they accept or reject, they are redirected to a fake Microsoft login page, where credentials and MFA tokens are stolen by AiTM methods, enabling another MFA bypass.

Tycoon is a typical Phishing-as-a-Service offering and supports multiple phishing kit variants. Its popularity lies in the fact that it steals session cookies and credentials directly, meaning attackers can bypass even secure authentication systems.

Cyber experts noted that the attackers' backend infrastructure had shifted. Instead of using Russian proxies, the majority now use US-based data centers, likely an attempt to avoid detection and maximize success rates.

To combat these threats, organizations must strengthen their Microsoft credential theft prevention. This includes preventive controls against unauthorized access in the early stages, isolating anomalous web sessions, and using tools that offer auto-remediation. All of these form the foundation of Microsoft 365 phishing countermeasures.
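One way to act on the early-stage detection point above, as an added example that is not from Proofpoint or this article: a small Python triage of app consent-grant audit events that flags unverified-publisher apps borrowing the brand names the campaign used, and self-service grants of high-risk permissions. The event schema is a constructed simplification, not Entra ID's real audit format, and the sample events are made up.

```python
from dataclasses import dataclass, field

# Brands the campaign impersonated in app display names (from the report).
IMPERSONATED_BRANDS = ("adobe", "docusign", "sharepoint")
# Delegated Graph permissions that give a consented app durable mailbox/file access.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                    "Files.Read.All", "Files.ReadWrite.All"}

@dataclass
class ConsentEvent:
    """Simplified consent-grant audit record (constructed; not Entra ID's exact schema)."""
    user: str
    app_display_name: str
    publisher_verified: bool
    consent_type: str                      # "User" (self-service) or "Admin"
    scopes: list = field(default_factory=list)

def impersonated_brand(name: str):
    """Return the well-known brand an app display name borrows, or None."""
    lowered = name.lower()
    return next((b for b in IMPERSONATED_BRANDS if b in lowered), None)

def score_consent(ev: ConsentEvent) -> list:
    """Reasons this grant deserves review; an empty list means nothing flagged."""
    reasons = []
    brand = impersonated_brand(ev.app_display_name)
    if brand and not ev.publisher_verified:
        reasons.append(f"unverified publisher using brand name '{brand}'")
    risky = sorted(HIGH_RISK_SCOPES & set(ev.scopes))
    if ev.consent_type == "User" and risky:
        reasons.append("user-consented high-risk scopes: " + ", ".join(risky))
    return reasons

def triage(events):
    """Return flagged grants as (user, app, reasons) tuples, in input order."""
    return [(ev.user, ev.app_display_name, r)
            for ev in events if (r := score_consent(ev))]

# Constructed sample events: two lookalike lures, one verified vendor, one benign in-house app.
SAMPLE_EVENTS = [
    ConsentEvent("alice@example.com", "DocuSign eSign Request", False, "User",
                 ["openid", "profile", "offline_access", "Mail.Read"]),
    ConsentEvent("bob@example.com", "Adobe Acrobat Sign", True, "Admin",
                 ["User.Read", "Files.Read.All"]),
    ConsentEvent("carol@example.com", "Timesheet Helper", False, "User", ["User.Read"]),
    ConsentEvent("dave@example.com", "SharePoint Document Viewer", False, "User",
                 ["User.Read", "Files.ReadWrite.All"]),
]

if __name__ == "__main__":
    for user, app, reasons in triage(SAMPLE_EVENTS):
        print(f"{user}: '{app}' -> " + "; ".join(reasons))
```

Flagged grants are candidates for revoking the app's consent and re-authenticating the user, which is the auto-remediation step the paragraph above refers to.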

User awareness also plays a role. Educating users to recognize suspicious login attempts and phishing attacks, especially those targeting Microsoft 365, reduces risk. Users should also be aware of MFA fatigue attacks, also known as push bombing, in which attackers flood a user with MFA requests until they get frustrated and accept one.

Microsoft will introduce new default settings for Microsoft 365 between July and August 2025. These settings will block legacy login methods and require admin authorization before third-party apps can be used, a move Proofpoint says should significantly reduce MFA bypass success rates.

“Proofpoint anticipates threat actors will increasingly target users’ identity, with AiTM credential phishing becoming the criminal industry standard,” the company wrote. 

As cybercriminals become more skilled at using tools like Tycoon to carry out MFA bypass attacks, organizations must look beyond technical Band-Aids and create a culture of digital awareness. Underlying each breach is a human decision, a reminder that the best defense is not simply smarter systems but wiser people.
