{"id":2581,"date":"2025-03-14T10:05:46","date_gmt":"2025-03-14T10:05:46","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/03\/14\/microsoft365-themed-attack-leveraging-oauth-redirection-for-account-takeover\/"},"modified":"2025-03-14T10:05:46","modified_gmt":"2025-03-14T10:05:46","slug":"microsoft365-themed-attack-leveraging-oauth-redirection-for-account-takeover","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/03\/14\/microsoft365-themed-attack-leveraging-oauth-redirection-for-account-takeover\/","title":{"rendered":"Microsoft365 Themed Attack Leveraging OAuth Redirection for Account Takeover\u00a0"},"content":{"rendered":"<div>\n<p>Two sophisticated phishing campaigns were observed targeting Microsoft 365 users by exploiting OAuth redirection vulnerabilities combined with brand impersonation techniques.\u00a0<\/p>\n<p>Threat researchers are warning organizations about these highly targeted attacks designed to bypass traditional security controls and achieve account takeover (ATO).<\/p>\n<p>The malicious campaigns leverage familiar brands including Adobe and DocuSign to trick users into granting permissions to fraudulent <a href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-oauth-applications\/\" target=\"_blank\" rel=\"noreferrer noopener\">OAuth applications<\/a>.\u00a0<\/p>\n<p>Proofpoint\u2019s Threat Insight team identified three previously undisclosed malicious OAuth apps disguised as \u201cAdobe Drive,\u201d \u201cAdobe Acrobat,\u201d and \u201cDocuSign\u201d that redirect victims to credential harvesting and malware delivery pages.<\/p>\n<p>\u201cThese sophisticated attackers have altered Microsoft 365 tenant settings and exploited tenant architectures to embed phishing content directly within corporate 
environments,\u201d Proofpoint said.\u00a0<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Threat researchers at <a href=\"https:\/\/twitter.com\/proofpoint?ref_src=twsrc%5Etfw\">@Proofpoint<\/a> are tracking two ongoing, highly targeted campaigns combining OAuth redirection mechanisms with brand impersonation techniques, malware proliferation and <a href=\"https:\/\/twitter.com\/hashtag\/Microsoft365?src=hash&amp;ref_src=twsrc%5Etfw\">#Microsoft365<\/a> themed <a href=\"https:\/\/twitter.com\/hashtag\/credential?src=hash&amp;ref_src=twsrc%5Etfw\">#credential<\/a> phishing for <a href=\"https:\/\/twitter.com\/hashtag\/Account?src=hash&amp;ref_src=twsrc%5Etfw\">#Account<\/a> Takeover (<a href=\"https:\/\/twitter.com\/hashtag\/ATO?src=hash&amp;ref_src=twsrc%5Etfw\">#ATO<\/a>).<\/p>\n<p>\u2014 Threat Insight (@threatinsight) <a href=\"https:\/\/twitter.com\/threatinsight\/status\/1899869276053635553?ref_src=twsrc%5Etfw\">March 12, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/figure>\n<p>\u201cIn contrast to conventional phishing, which often relies on lookalike domains or email spoofing, this technique functions wholly within the Microsoft ecosystem.\u201d<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeo7b7GevTzH_8DJoaGHDkLukduNB7b9HgEwkW89UpnO6lhzIY1v7CSHXKoTvcD6VOODaFLsGTkLbfbbOdi5hGFKBKsTuYGP-GIvyb8TFB72UHGVGUkLGmecKV_JpO5uIlimlDG?key=3N2M3Q_7VoS_4dMydZO7OCwi\" alt=\"\"><figcaption class=\"wp-element-caption\">Malicious application impersonating Adobe and Docusign software<\/figcaption><\/figure>\n<\/div>\n<p>The attack exploits how OAuth 2.0 authorization flows work. 
When users click on what appears to be a legitimate Microsoft URL, a vulnerability in the OAuth implementation redirects them to attacker-controlled sites.\u00a0<\/p>\n<p>This redirection can be triggered by modifying parameters such as \u2018response_type\u2019 or \u2018scope\u2019 in valid authorization flows.<\/p>\n<p>These attacks are particularly dangerous because they can bypass standard email security protocols such as domain reputation assessments, <a href=\"https:\/\/cybersecuritynews.com\/domain-based-message-authentication-reporting-conformancedmarc\/\" target=\"_blank\" rel=\"noreferrer noopener\">DMARC enforcement<\/a>, and anti-spoofing strategies.\u00a0<\/p>\n<p>Since the phishing messages traverse Microsoft\u2019s legitimate servers, they\u2019re significantly less likely to trigger security alerts.<\/p>\n<p>To avoid detection, the malicious apps request minimal permissions with limited scopes like \u201cprofile,\u201d \u201cemail,\u201d and \u201copenid.\u201d\u00a0<\/p>\n<p>However, Proofpoint\u2019s threat detection engine still classified them as malicious, protecting customers of its Account Takeover Protection service.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Recommendation<\/strong><\/h2>\n<p>Organizations with <a href=\"https:\/\/cybersecuritynews.com\/microsoft-365-outage-authentication-token\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft 365<\/a> environments should implement phishing-resistant authentication methods like FIDO2 security keys and establish strict conditional access policies.\u00a0<\/p>\n<p>Security experts recommend disabling legacy authentication protocols and implementing number matching for <a href=\"https:\/\/cybersecuritynews.com\/microsoft-multi-factor-authentication-issue\/\" target=\"_blank\" rel=\"noreferrer noopener\">multi-factor authentication<\/a> to prevent attackers from bypassing MFA.<\/p>\n<p>These attacks primarily target high-value employees, including executives, account 
managers, and finance personnel, who typically have access to sensitive data.\u00a0<\/p>\n<p>If successful, attackers gain persistent and independent access to emails, files, contacts, and Microsoft <a href=\"https:\/\/cybersecuritynews.com\/microsoft-announces-ai-avatar\/\" target=\"_blank\" rel=\"noreferrer noopener\">Teams chats<\/a>. \u201cThis is part of a growing trend where attackers exploit built-in trust mechanisms within cloud services,\u201d noted security researchers.<\/p>\n<p>\u201cBy leveraging Microsoft\u2019s legitimate email system, these phishing messages can bypass security controls while appearing entirely genuine to recipients.\u201d<\/p>\n<p>Organizations should review <a href=\"https:\/\/cybersecuritynews.com\/microsoft-entra-id-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure AD<\/a> sign-in logs, implement risky sign-in alerts, and monitor for suspicious OAuth application consent requests.\u00a0<\/p>\n<p>Additionally, security teams should enforce phishing-resistant MFA and conduct regular security awareness training focused specifically on OAuth consent phishing tactics.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Indicators of Compromise<\/strong><\/h2>\n<p>The researchers have published several indicators of compromise (IOCs), including:<\/p>\n<h3 class=\"wp-block-heading\"><strong>App IDs:<\/strong><\/h3>\n<pre class=\"wp-block-preformatted\">14b2864e-3cff-4d33-b5cd-7f14ca272ea4 ('Adobe Drive')<br>85da47ec-2977-40ab-af03-f3d45aaab169 ('Adobe Drive X')<br>355d1228-1537-4e90-80a6-dae111bb4d70 ('Adobe Acrobat')<br>6628b5b8-55af-42b4-9797-5cd5c148313c ('DocuSign')<\/pre>\n<p>Reply and Redirection URLs include domains hosted on workers.dev, tigris.dev, and pages.dev platforms.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/microsoft365-themed-attack-leveraging-oauth-redirection\/\">Microsoft365 Themed Attack Leveraging OAuth Redirection for Account Takeover<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Kaaviya<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/microsoft365-themed-attack-leveraging-oauth-redirection\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft365 Themed Attack Leveraging OAuth Redirection for Account Takeover\u00a0 Two sophisticated phishing campaigns were observed targeting Microsoft 365 users by exploiting OAuth redirection vulnerabilities combined with brand impersonation techniques.\u00a0 Threat researchers are warning organizations about these highly targeted attacks designed to bypass traditional security controls and achieve account takeover (ATO). 
The malicious campaigns leverage familiar [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,158],"tags":[130],"class_list":["post-2581","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-microsoft","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2581"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2581"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2581\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}