Two sophisticated phishing campaigns were observed targeting Microsoft 365 users by exploiting OAuth redirection vulnerabilities combined with brand impersonation techniques.
Threat researchers are warning organizations about these highly targeted attacks designed to bypass traditional security controls and achieve account takeover (ATO).
The malicious campaigns leverage familiar brands including Adobe and DocuSign to trick users into granting permissions to fraudulent OAuth applications.
Proofpoint’s Threat Insight team identified three previously undisclosed malicious OAuth apps disguised as “Adobe Drive,” “Adobe Acrobat,” and “DocuSign” that redirect victims to credential harvesting and malware delivery pages.
“These sophisticated attackers have altered Microsoft 365 tenant settings and exploited tenant architectures to embed phishing content directly within corporate environments,” Proofpoint said.
“In contrast to conventional phishing, which often relies on lookalike domains or email spoofing, this technique functions wholly within the Microsoft ecosystem.”
The attack exploits how OAuth 2.0 authorization flows work. When users click what appears to be a legitimate Microsoft URL, the flawed OAuth redirection step sends them on to attacker-controlled sites.
This redirection can be triggered by modifying parameters such as ‘response_type’ or ‘scope’ in otherwise valid authorization flows.
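To make the mechanism above concrete from the defender's side, here is an added example (not code from the article or from Proofpoint) that parses a Microsoft identity platform authorization URL into the parameters that decide where the authorization response is delivered, and checks them against a tenant policy. The Microsoft login hosts are real; the approved-redirect-host allowlist, the client IDs and the URLs in the sample are constructed for the example. The point it shows is that the host a user sees can be genuinely Microsoft while the `redirect_uri` and `client_id` belong to someone else.

```python
"""Inspect an OAuth 2.0 authorization URL before a user follows it.

Added example, not from the article or Proofpoint. The approved-host
list is a constructed tenant policy; replace it with the redirect
hosts of your own registered applications.
"""
from urllib.parse import urlparse, parse_qs

# Microsoft identity platform authorization endpoints (what a user sees as "legitimate").
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
# Constructed allowlist: hosts that the tenant's own registered apps use as redirect_uri.
APPROVED_REDIRECT_HOSTS = {"app.example.com"}
# Hosting platforms the article names for attacker reply/redirect URLs.
FREE_HOSTING_SUFFIXES = (".workers.dev", ".tigris.dev", ".pages.dev")
# response_type values that return tokens directly to the redirect target (implicit/hybrid flows).
TOKEN_RETURNING_TYPES = {"token", "id_token"}


def parse_authorize_url(url):
    """Break an authorize URL into the parameters that decide where codes/tokens go."""
    parts = urlparse(url)
    query = parse_qs(parts.query)

    def first(key):
        return query.get(key, [""])[0]

    segments = parts.path.split("/")
    return {
        "host": (parts.hostname or "").lower(),
        "tenant": segments[1] if len(segments) > 1 else "",
        "client_id": first("client_id").lower(),
        "redirect_uri": first("redirect_uri"),
        "response_type": set(first("response_type").split()),
        "scope": set(first("scope").split()),
    }


def assess_authorize_url(url):
    """Return a list of findings; an empty list means the link matches tenant policy."""
    info = parse_authorize_url(url)
    findings = []
    if info["host"] not in MICROSOFT_LOGIN_HOSTS:
        findings.append(f"authorization endpoint {info['host']!r} is not a Microsoft login host")
    target = urlparse(info["redirect_uri"])
    rhost = (target.hostname or "").lower()
    if target.scheme != "https":
        findings.append("redirect_uri is not https")
    if rhost.endswith(FREE_HOSTING_SUFFIXES):
        findings.append(f"redirect_uri host {rhost!r} is on a hosting platform named in the report")
    elif rhost not in APPROVED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host {rhost!r} is not an approved application host")
    if info["response_type"] & TOKEN_RETURNING_TYPES:
        findings.append("response_type returns tokens straight to the redirect target")
    return findings


# Constructed sample links: both start at a real Microsoft login host.
LEGIT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-0000000000aa&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid%20profile&state=xyz"
)
SUSPECT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-0000000000bb&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample-placeholder.pages.dev%2Fcb&scope=openid%20profile%20email"
)

if __name__ == "__main__":
    for label, url in (("legit", LEGIT_URL), ("suspect", SUSPECT_URL)):
        print(label, assess_authorize_url(url) or "no findings")
```

The login host check passes for both links, which is exactly why domain reputation and lookalike-domain filters do not help here; the signal is in `redirect_uri` (and, once published, in the `client_id` values listed in the article's IOC section).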
These attacks are particularly dangerous because they can bypass standard email security protocols such as domain reputation assessments, DMARC enforcement, and anti-spoofing strategies.
Since the phishing messages pass through Microsoft’s legitimate servers, they’re significantly less likely to trigger security alerts.
To avoid detection, the malicious apps request minimal permissions with limited scopes like “profile,” “email,” and “openid.”
However, Proofpoint’s threat detection engine still classified them as malicious, protecting customers using its Account Takeover Protection service.
Recommendation
Organizations with Microsoft 365 environments should implement phishing-resistant authentication methods like FIDO2 security keys and establish strict conditional access policies.
Security experts recommend disabling legacy authentication protocols and implementing number matching for multi-factor authentication to prevent attackers from bypassing MFA.
These attacks primarily target high-value employees, including executives, account managers, and finance personnel, who typically have access to sensitive data.
If successful, attackers gain persistent and independent access to emails, files, contacts, and Microsoft Teams chats. “This is part of a growing trend where attackers exploit built-in trust mechanisms within cloud services,” noted security researchers.
“By leveraging Microsoft’s legitimate email system, these phishing messages can bypass security controls while appearing entirely genuine to recipients.”
Organizations should review Azure AD sign-in logs, implement risky sign-in alerts, and monitor for suspicious OAuth application consent requests.
Additionally, security teams should enforce phishing-resistant MFA and conduct regular security awareness training focused specifically on OAuth consent phishing tactics.
Indicators of Compromise
The researchers have published several indicators of compromise (IOCs), including:
App IDs:
14b2864e-3cff-4d33-b5cd-7f14ca272ea4 ('Adobe Drive')
85da47ec-2977-40ab-af03-f3d45aaab169 ('Adobe Drive X')
355d1228-1537-4e90-80a6-dae111bb4d70 ('Adobe Acrobat')
6628b5b8-55af-42b4-9797-5cd5c148313c ('DocuSign')
Reply and Redirection URLs include domains hosted on workers.dev, tigris.dev, and pages.dev platforms.
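The monitoring advice above (review sign-in logs, watch for suspicious consent requests) and the published indicators can be combined into a simple hunt. The following is an added example, not Proofpoint's detection logic, that triages consent-grant events against the app IDs and hosting platforms listed in this article and the minimal-scope pattern the report describes. The record layout is a simplified shape constructed for the example, not the exact Entra ID audit schema; the sample events and the non-IOC app IDs and URLs in them are constructed.

```python
"""Triage OAuth consent grants against the indicators in the report.

Added example, not Proofpoint's tooling. Map the "Consent to application"
events from your Entra ID (Azure AD) audit log export onto the simplified
field names used below (a constructed layout, not the real schema).
"""
from urllib.parse import urlparse

# App IDs published as indicators of compromise in the report.
IOC_APP_IDS = {
    "14b2864e-3cff-4d33-b5cd-7f14ca272ea4": "Adobe Drive",
    "85da47ec-2977-40ab-af03-f3d45aaab169": "Adobe Drive X",
    "355d1228-1537-4e90-80a6-dae111bb4d70": "Adobe Acrobat",
    "6628b5b8-55af-42b4-9797-5cd5c148313c": "DocuSign",
}
# Hosting platforms the report names for the apps' reply/redirect URLs.
PLATFORM_SUFFIXES = (".workers.dev", ".tigris.dev", ".pages.dev")
# Brands impersonated by the apps in the report.
IMPERSONATED_BRANDS = ("adobe", "docusign")
# The minimal scope set the report says the apps request to avoid attention.
MINIMAL_SCOPES = {"openid", "profile", "email"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2025-03-10T09:12:41Z", "user": "cfo@example.com",
     "app_name": "Adobe Acrobat",
     "app_id": "355d1228-1537-4e90-80a6-dae111bb4d70",
     "reply_url": "https://example-placeholder.workers.dev/callback",
     "scopes": "openid profile email"},
    {"time": "2025-03-10T10:02:07Z", "user": "am@example.com",
     "app_name": "DocuSign Viewer",
     "app_id": "00000000-0000-0000-0000-000000000001",
     "reply_url": "https://viewer.example.net/auth",
     "scopes": "openid profile email"},
    {"time": "2025-03-10T11:30:00Z", "user": "dev@example.com",
     "app_name": "Internal Ticket Bot",
     "app_id": "00000000-0000-0000-0000-000000000002",
     "reply_url": "https://tickets.example.com/oauth/callback",
     "scopes": "openid User.Read"},
]


def classify_consent(event):
    """Return (severity, reasons) for one consent event; severity is 'high', 'medium' or None."""
    reasons = []
    app_id = event["app_id"].lower()
    if app_id in IOC_APP_IDS:
        reasons.append(f"app ID matches published IOC ({IOC_APP_IDS[app_id]})")
    host = (urlparse(event["reply_url"]).hostname or "").lower()
    if host.endswith(PLATFORM_SUFFIXES):
        reasons.append(f"reply URL host {host} is on a hosting platform named in the report")
    if reasons:
        return "high", reasons
    # Weaker signal: a brand-named app that asks only for the quiet openid/profile/email set.
    name = event["app_name"].lower()
    scopes = set(event["scopes"].split())
    if any(brand in name for brand in IMPERSONATED_BRANDS) and scopes and scopes <= MINIMAL_SCOPES:
        reasons.append("brand-named app requesting only openid/profile/email; verify the publisher")
        return "medium", reasons
    return None, reasons


def triage(events):
    """Return alerts for events that tripped a rule, highest severity first."""
    order = {"high": 0, "medium": 1}
    alerts = []
    for event in events:
        severity, reasons = classify_consent(event)
        if severity:
            alerts.append({"severity": severity, "time": event["time"], "user": event["user"],
                           "app_name": event["app_name"], "app_id": event["app_id"],
                           "reasons": reasons})
    alerts.sort(key=lambda alert: order[alert["severity"]])
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["user"],
              alert["app_name"], "->", "; ".join(alert["reasons"]))
```

The high-severity rules are exact matches on what the report publishes, so they go stale as the attackers re-register apps; the medium rule is the one worth keeping, because a brand-named third-party app asking only for `openid profile email` is the low-noise profile the report describes, and the user who granted it (executives and finance staff in these campaigns) is the next thing to check in the sign-in logs.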