Cybercriminals are Spreading Malware to Microsoft 365 Accounts via Fake Apps (Again)

Cybercriminals are using malicious Microsoft OAuth apps that mimic Adobe and DocuSign to trick users into disclosing their Microsoft 365 account credentials


Published: March 24, 2025

Kieran Devlin

Cybercriminals are exploiting Microsoft OAuth applications to distribute malware and steal Microsoft 365 account credentials.

Cybercriminals are leveraging malicious Microsoft OAuth applications that impersonate trusted software, specifically Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign. These fraudulent apps trick users into granting permissions, enabling attackers to spread malware and harvest users’ Microsoft 365 account credentials.

Proofpoint researchers uncovered the malicious campaigns, describing them as “highly targeted” in a thread on X.

According to Proofpoint, the phishing campaigns distributing these apps originated from compromised email accounts belonging to charities and small businesses, likely Office 365 accounts.

The attacks targeted organisations across multiple sectors in the US and Europe, including government, healthcare, supply chain, and retail. Many of the phishing emails used familiar tactics, such as fake requests for proposals (RFPs) and contract-related lures, to trick recipients into clicking malicious links.

IT leaders can review OAuth approvals via My Apps and restrict user consent to third-party apps under Enterprise Applications → Consent and Permissions.
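Reviewing consent grants by hand does not scale past a handful of apps, so the triage below automates the checks the article implies: an external app whose display name resembles a well-known brand but has no verified publisher, an app requesting only the identity scopes named later in this article, and any grant that reaches into mail or files. This is an added example, not Proofpoint's or Microsoft's code; the record shapes are simplified stand-ins for the Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` objects (the field names are assumptions), and the tenant id, app names and grants are all constructed.

```python
"""Flag delegated OAuth consent grants to look-alike third-party apps.

Added illustration. Record shapes are simplified stand-ins for the Graph
servicePrincipal / oauth2PermissionGrant objects; all sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed id of the home tenant being audited.
TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Brands impersonated in the campaign described above, plus a few a reviewer
# would normally watch for in app display names.
WATCHED_BRANDS = ("adobe", "docusign", "microsoft", "office 365", "sharepoint")

# Delegated scopes that reach beyond identity data and warrant immediate review.
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                      "Files.Read.All", "Files.ReadWrite.All", "offline_access"}

# The low-friction footprint the campaign used: identity data only.
IDENTITY_SCOPES = {"openid", "profile", "email", "User.Read"}


@dataclass(frozen=True)
class ServicePrincipal:
    id: str
    display_name: str
    app_owner_org: str | None       # tenant that owns the app registration
    verified_publisher: str | None  # publisher name if Microsoft-verified, else None


@dataclass(frozen=True)
class Grant:
    client_id: str     # ServicePrincipal.id of the app that received consent
    principal_id: str  # consenting user; "" for tenant-wide admin consent
    scope: str         # space-separated delegated scopes
    consent_type: str  # "Principal" (one user) or "AllPrincipals" (admin)


def watched_brand(display_name: str) -> str | None:
    """Return the watched brand a display name resembles, or None."""
    lowered = display_name.lower()
    return next((b for b in WATCHED_BRANDS if b in lowered), None)


def triage_grant(grant: Grant, sp: ServicePrincipal, tenant_id: str) -> list[str]:
    """Return the reasons a grant deserves review; empty means it looks benign.

    Apps owned by the home tenant are skipped here: the campaign relies on
    registrations in attacker-controlled tenants.
    """
    if sp.app_owner_org == tenant_id:
        return []
    reasons: list[str] = []
    brand = watched_brand(sp.display_name)
    if brand and sp.verified_publisher is None:
        reasons.append(f"name resembles '{brand}' but publisher is unverified")
    scopes = set(grant.scope.split())
    if scopes and scopes <= IDENTITY_SCOPES and sp.verified_publisher is None:
        reasons.append("identity-only scopes from an unverified external app")
    high = sorted(scopes & HIGH_IMPACT_SCOPES)
    if high:
        reasons.append("high-impact scopes: " + ", ".join(high))
    return reasons


def review_grants(grants, sps, tenant_id=TENANT_ID) -> list[tuple[str, str, list[str]]]:
    """Return (app display name, consenting principal, reasons) for each suspicious grant."""
    by_id = {sp.id: sp for sp in sps}
    findings = []
    for g in grants:
        sp = by_id.get(g.client_id)
        if sp is None:
            findings.append((g.client_id, g.principal_id, ["grant references unknown service principal"]))
            continue
        reasons = triage_grant(g, sp, tenant_id)
        if reasons:
            findings.append((sp.display_name, g.principal_id or "tenant-wide", reasons))
    return findings


# Constructed sample inventory: two look-alikes, one verified vendor app, one internal app.
SAMPLE_SPS = [
    ServicePrincipal("sp-1", "Adobe Drive X", "99999999-9999-9999-9999-999999999999", None),
    ServicePrincipal("sp-2", "DocuSign eSignature", "88888888-8888-8888-8888-888888888888", "DocuSign Inc."),
    ServicePrincipal("sp-3", "Expense Portal", TENANT_ID, None),
    ServicePrincipal("sp-4", "Adobe Acrobat", "77777777-7777-7777-7777-777777777777", None),
]
SAMPLE_GRANTS = [
    Grant("sp-1", "user-a", "openid profile email", "Principal"),
    Grant("sp-2", "user-b", "openid profile email User.Read", "Principal"),
    Grant("sp-3", "", "User.Read Mail.Read", "AllPrincipals"),
    Grant("sp-4", "user-c", "openid email offline_access Mail.Read", "Principal"),
]

if __name__ == "__main__":
    for name, who, reasons in review_grants(SAMPLE_GRANTS, SAMPLE_SPS):
        print(f"{name} (consented by {who}): {'; '.join(reasons)}")
```

In a real tenant the two inventories would come from the `oauth2PermissionGrants` and `servicePrincipals` Graph endpoints; the verified-publisher check matters because it is the same signal Entra's "allow user consent from verified publishers" policy keys on.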

More Specifics on the Malware Campaign

To evade detection, these malicious OAuth applications request only seemingly low-risk permissions, such as ‘profile,’ ‘email,’ and ‘openid.’ By limiting their access requests, they avoid raising suspicion while still obtaining valuable user information.

If granted, these permissions provide attackers with critical data. The ‘profile’ permission reveals the user’s full name, user ID, profile picture, and username. The ‘email’ permission exposes the primary email address, though it does not grant inbox access. The ‘openid’ permission allows the attacker to confirm the user’s identity and retrieve Microsoft account details, which can be exploited for further attacks.

Although the permissions granted to these malicious OAuth apps provide limited data, attackers can still use the information for more targeted attacks. Once access is approved, users are redirected to phishing pages designed to steal Microsoft 365 credentials or distribute malware.

Proofpoint could not identify the malware used but noted the attackers leveraged the ClickFix social engineering technique, which has gained popularity among cybercriminals in recent years. These attacks resemble past campaigns, showing that OAuth apps remain an effective method for compromising Microsoft 365 accounts.

“The victims went through multiple redirections and stages after authorising the O365 OAuth app until presented with the malware or the phishing page behind,” Proofpoint told the publication BleepingComputer. “In some cases, the victims were redirected to an ‘O365 login’ page (hosted on malicious domain). In less than a minute after the authorisation, Proofpoint detected suspicious login activity to the account.”
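The "less than a minute" gap Proofpoint observed is a detection opportunity in its own right: a consent-grant audit event followed almost immediately by a successful sign-in from an address the user has never used before. The correlation below, an added example rather than Proofpoint's own detection logic, runs over constructed audit and sign-in records; the JSON field names are a simplified stand-in for the Entra ID audit and sign-in log schema, and the users, app name and IP addresses are invented.

```python
"""Correlate OAuth consent events with sign-ins that follow within a minute.

Added example. Log records are constructed and use simplified field names,
not the exact Entra ID audit / sign-in schema.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed audit records: users consenting to applications.
CONSENT_LOG = """
{"time": "2025-03-20T09:14:02+00:00", "user": "alice@example.org", "app": "Adobe Drive X", "category": "ConsentToApplication"}
{"time": "2025-03-20T10:30:00+00:00", "user": "bob@example.org", "app": "Expense Portal", "category": "ConsentToApplication"}
"""

# Constructed sign-in records for the same tenant.
SIGNIN_LOG = """
{"time": "2025-03-20T09:14:41+00:00", "user": "alice@example.org", "ip": "203.0.113.77", "result": "success"}
{"time": "2025-03-20T09:20:00+00:00", "user": "alice@example.org", "ip": "198.51.100.10", "result": "success"}
{"time": "2025-03-20T10:30:20+00:00", "user": "bob@example.org", "ip": "198.51.100.10", "result": "success"}
"""

# Constructed baseline: addresses each user has signed in from historically.
KNOWN_IPS = {
    "alice@example.org": {"198.51.100.10"},
    "bob@example.org": {"198.51.100.10"},
}


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, converting timestamps to datetimes."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def logins_after_consent(consents: list[dict], signins: list[dict],
                         known_ips: dict[str, set[str]], window_seconds: int = 60) -> list[dict]:
    """Return one alert per consent followed, within the window, by a successful
    sign-in for the same user from an address outside that user's baseline."""
    window = timedelta(seconds=window_seconds)
    alerts = []
    for c in consents:
        if c.get("category") != "ConsentToApplication":
            continue
        for s in signins:
            if s["user"] != c["user"] or s.get("result") != "success":
                continue
            delta = s["time"] - c["time"]
            if timedelta(0) <= delta <= window and s["ip"] not in known_ips.get(c["user"], set()):
                alerts.append({
                    "user": c["user"],
                    "app": c["app"],
                    "ip": s["ip"],
                    "seconds_after_consent": int(delta.total_seconds()),
                })
    return alerts


def run() -> list[dict]:
    """Run the correlation over the constructed logs."""
    return logins_after_consent(parse_log(CONSENT_LOG), parse_log(SIGNIN_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

The window and the per-user IP baseline are the two tunables; widening the window catches slower follow-on access at the cost of more noise, and a richer baseline (ASN or country rather than exact address) suppresses alerts for users on mobile networks.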

Russian Hackers Use Microsoft Teams to Phish 365 Accounts

Last month, cybersecurity firm Volexity identified a wave of attacks targeting Microsoft accounts using device code authentication phishing, a technique potentially linked to Russian state-sponsored hackers.

These attacks have successfully compromised high-profile accounts across government agencies, research institutions, and major enterprises. Unlike traditional spear-phishing, this method exploits legitimate Microsoft services, making it harder to detect.

Attackers trick victims into providing authentication codes by impersonating officials from organisations like the US Department of State and top research institutions. Once obtained, these codes grant long-term access to accounts, enabling espionage and persistent cyber threats.

In other 2025 Microsoft security news, the vendor introduced a long-anticipated phishing and spam alert feature to Teams in February.

Teams has been a long-lasting target for bad actors intending to gain access to organisations’ systems and data, primarily via phishing and spam attempts. IT admins have been lobbying for more robust capabilities within Teams that can protect users, notably less tech- and internet-savvy users, from standard phishing and scam attacks. Microsoft is finally answering such calls.
