Cybersecurity researchers have uncovered two highly sophisticated phishing campaigns exploiting OAuth redirection vulnerabilities to target Microsoft 365 users. These attacks, leveraging brand impersonation tactics, pose a serious risk of account takeovers (ATO) by bypassing traditional security controls.
How Attackers Exploit OAuth Redirection for Account Takeover
The malicious campaigns use well-known brands such as Adobe and DocuSign to trick victims into granting permissions to fraudulent OAuth applications. According to Proofpoint’s Threat Insight team, researchers identified three previously undisclosed malicious OAuth apps disguised as Adobe Drive, Adobe Acrobat, and DocuSign. These fake applications redirect unsuspecting users to credential-harvesting and malware-delivery sites, making them particularly dangerous.
Microsoft 365 Tenant Exploitation & Phishing Tactics
Proofpoint warns that attackers have manipulated Microsoft 365 tenant settings and leveraged tenant architectures to embed phishing content directly into corporate environments. Unlike traditional phishing, which relies on spoofed domains or email impersonation, this method operates entirely within Microsoft’s ecosystem.
How the Attack Works
This phishing attack exploits OAuth 2.0 authorization flows. When users click a seemingly legitimate Microsoft URL, they are unknowingly redirected to an attacker-controlled site through a weakness in the OAuth redirection flow. The redirection is triggered by modifying authorization-flow parameters such as response_type and scope.
Because the phishing emails originate from Microsoft’s legitimate servers, they can bypass security measures like domain reputation assessments, DMARC enforcement, and anti-spoofing filters, making them harder to detect and increasing the likelihood of successful account compromise.
Minimizing Detection & Maximizing Impact
To remain undetected, attackers request minimal permissions with limited scopes such as profile, email, and openid. Despite the low privilege of these requests, Proofpoint’s threat detection engine flagged the applications as malicious, offering protection through its Account Takeover Protection service.
How Organizations Can Protect Themselves
Security experts recommend implementing phishing-resistant authentication, disabling legacy authentication protocols, enabling number matching for MFA, reviewing Azure AD (now Microsoft Entra ID) sign-in logs, monitoring OAuth consent requests, and conducting regular security training to mitigate the risk of OAuth-based phishing attacks.
Who Are the Targets?
These phishing campaigns primarily target high-value employees such as executives, account managers, and finance personnel. If successful, attackers gain persistent and independent access to emails, files, contacts, and Microsoft Teams chats.
Security researchers emphasize that this attack is part of a growing trend where cybercriminals exploit built-in trust mechanisms within cloud services. By operating within Microsoft’s email system, phishing messages appear entirely genuine, making them harder to detect.
Indicators of Compromise (IOCs)
Malicious OAuth App IDs:
- Adobe Drive: 14b2864e-3cff-4d33-b5cd-7f14ca272ea4
- Adobe Drive X: 85da47ec-2977-40ab-af03-f3d45aaab169
- Adobe Acrobat: 355d1228-1537-4e90-80a6-dae111bb4d70
- DocuSign: 6628b5b8-55af-42b4-9797-5cd5c148313c
Malicious Reply & Redirection URL Domains:
- workers.dev
- tigris.dev
- pages.dev
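As an added illustration of the "monitoring OAuth consent requests" recommendation above (example code written for this page, not Proofpoint's or Microsoft's), the script below scores constructed consent-audit records against the published IOCs and the campaign's traits: brand-impersonating app names, unverified publishers, reply URLs on the listed hosting platforms, and the minimal scope set. The record field names and sample events are assumptions, not Microsoft's audit-log schema.

```python
"""Flag suspicious OAuth consent events in constructed Entra ID (Azure AD) audit records.
Record shape is a simplified assumption, not Microsoft's exact audit-log schema."""
from urllib.parse import urlparse

# App IDs from the article's IOC list.
KNOWN_BAD_APP_IDS = {
    "14b2864e-3cff-4d33-b5cd-7f14ca272ea4",  # Adobe Drive
    "85da47ec-2977-40ab-af03-f3d45aaab169",  # Adobe Drive X
    "355d1228-1537-4e90-80a6-dae111bb4d70",  # Adobe Acrobat
    "6628b5b8-55af-42b4-9797-5cd5c148313c",  # DocuSign
}
SUSPICIOUS_REPLY_DOMAINS = ("workers.dev", "tigris.dev", "pages.dev")  # reply/redirect hosts in the article
IMPERSONATED_BRANDS = ("adobe", "docusign")             # brands the fake apps imitate
LOW_PRIVILEGE_SCOPES = {"openid", "profile", "email"}   # the minimal scopes the apps requested

def assess_consent(event: dict) -> list[str]:
    """Return the reasons a consent event looks like consent phishing (empty list = none found)."""
    reasons = []
    if event.get("appId") in KNOWN_BAD_APP_IDS:
        reasons.append("app id matches published IOC")
    host = urlparse(event.get("replyUrl", "")).hostname or ""
    if any(host == d or host.endswith("." + d) for d in SUSPICIOUS_REPLY_DOMAINS):
        reasons.append(f"reply URL on suspicious hosting platform ({host})")
    name = event.get("appDisplayName", "").lower()
    brand_like = any(b in name for b in IMPERSONATED_BRANDS)
    if brand_like and not event.get("publisherVerified", False):
        reasons.append("brand-like app name from an unverified publisher")
    scopes = set(event.get("scopes", []))
    if brand_like and scopes and scopes <= LOW_PRIVILEGE_SCOPES:  # low scopes are the evasion, not a sign of safety
        reasons.append("brand-like app requesting only minimal scopes")
    return reasons

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged event id to its reasons; clean events are omitted."""
    return {e["id"]: r for e in events if (r := assess_consent(e))}

SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"id": "evt-1", "appId": "355d1228-1537-4e90-80a6-dae111bb4d70", "appDisplayName": "Adobe Acrobat",
     "scopes": ["openid", "profile", "email"], "replyUrl": "https://acrobat-view.pages.dev/cb", "publisherVerified": False},
    {"id": "evt-2", "appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "DocuSign eSignature",
     "scopes": ["openid", "email"], "replyUrl": "https://login.example.com/cb", "publisherVerified": False},
    {"id": "evt-3", "appId": "00000000-0000-0000-0000-000000000002", "appDisplayName": "Contoso Expense Tool",
     "scopes": ["User.Read", "Mail.Read"], "replyUrl": "https://expenses.contoso.example/cb", "publisherVerified": True},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Feed it real consent events by mapping your tenant's audit-log export onto the same fields; any hit on the IOC list or the hosting-platform check is worth an immediate consent review and token revocation.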
As cyber threats targeting Microsoft 365 users become more sophisticated, organizations must adopt proactive security measures. Implementing phishing-resistant authentication, monitoring suspicious OAuth consent requests, and conducting regular employee training can significantly reduce the risk of account takeovers.
By staying ahead of evolving threats, businesses can safeguard their digital assets and maintain a secure cloud environment.