Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks.
“The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign,” Proofpoint said in a Thursday report.
The ongoing campaign, first detected in early 2025, is designed to use the OAuth applications as a gateway to obtain unauthorized access to users’ Microsoft 365 accounts by means of phishing kits like Tycoon and ODx that are capable of conducting multi-factor authentication (MFA) phishing.
The enterprise security company said it observed the approach being used in email campaigns with more than 50 impersonated applications.
The attacks begin with phishing emails sent from compromised accounts and aim to trick recipients into clicking on URLs under the pretext of sharing requests for quotes (RFQ) or business contract agreements.
Clicking on these links directs the victim to a Microsoft OAuth page for an application named “iLSMART” that asks them to grant it permissions to view their basic profile and maintain continued access to the data that they have been granted access to.
What makes this attack notable is the impersonation of ILSMart, a legitimate online marketplace for aviation, marine, and defense industries to buy and sell parts and repair services.
“The applications’ permissions would provide limited use to an attacker, but it is used for setting up the next stage of the attack,” Proofpoint said.
Regardless of whether the target accepted or denied the permissions requested, they are first redirected to a CAPTCHA page and then to a phony Microsoft account authentication page once the verification is complete.
This fake Microsoft page makes use of adversary-in-the-middle (AitM) phishing techniques powered by the Tycoon Phishing-as-a-Service (PhaaS) platform to harvest the victim’s credentials and MFA codes.
As recently as last month, Proofpoint said it detected another campaign impersonating Adobe in which the emails are sent via Twilio SendGrid, an email marketing platform, and are engineered with the same goal in mind: To gain user authorization or trigger a cancellation flow that redirects the victim to a phishing page.
The campaign represents just a drop in the bucket when compared to overall Tycoon-related activity, with the multiple clusters leveraging the toolkit to perform account takeover attacks. In 2025 alone, attempted account compromises affecting nearly 3,000 user accounts spanning more than 900 Microsoft 365 environments have been observed.
“Threat actors are creating increasingly innovative attack chains in an attempt to bypass detections and obtain access to organizations globally,” the company said, adding it “anticipates threat actors will increasingly target users’ identity, with AiTM credential phishing becoming the criminal industry standard.”
As of last month, Microsoft has announced plans to update default settings to improve security by blocking legacy authentication protocols and requiring admin consent for third-party app access. The updates are expected to be completed by August 2025.
“This update will have a positive impact on the landscape overall and will hamstring threat actors that use this technique,” Proofpoint pointed out.
The disclosure follows Microsoft’s decision to disable external workbook links to blocked file types by default between October 2025 and July 2026 in an attempt to enhance workbook security.
The findings also come as spear-phishing emails bearing purported payment receipts are used to deploy by means of an AutoIt-based injector a piece of .NET malware called VIP Keylogger that can steal sensitive data from compromised hosts, Seqrite said.
Over the course of several months, spam campaigns have been spotted concealing installation links to remote desktop software inside PDF files so as to bypass email and malware defenses. The campaign is believed to have been ongoing since November 2024, primarily targeting entities in France, Luxembourg, Belgium, and Germany.
“These PDFs are often disguised to look like invoices, contracts, or property listings to enhance credibility and lure victims into clicking the embedded link,” WithSecure said. “This design was intended to create the illusion of legitimate content that has been obscured, prompting the victim to install a program. In this case, the program was FleetDeck RMM.”
Other Remote Monitoring and Management (RMM) tools deployed as part of the activity cluster include Action1, OptiTune, Bluetrait, Syncro, SuperOps, Atera, and ScreenConnect.
“Although no post-infection payloads have been observed, the use of RMM tools strongly suggests their role as an initial access vector, potentially enabling further malicious activity,” the Finnish company added. “Ransomware operators in particular have favoured this approach.”
