C (3:25)

So how easy is easy when someone gets one of these kits? What are we talking about here in terms, terms of thwarting mfa?

A (3:35)

You're right, I shouldn't say necessarily easy. So it really depends on the kit, the level of experience. There's also stuff that goes into it too, which is actually being able to effectively conduct the phishing. Right. So oftentimes we'll see the threat actor who is using the phish kit might have really terrible and uncompelling phishing wars. And so no one would actually ever click on them and engage with it and get to the landing page to enable the authentication. But the kits themselves, essentially what they do is you can, can as a threat actor basically impersonate the login page of whatever the email is that you're targeting. And so most of these cases will impersonate Microsoft 365. Right. So it might use your actual logo. So the landing page will look authentic. The URL of course will be something that's totally inaccurate. And if you took a look at the URL, you'd be able to say, wait, hold on, this isn't necessarily the Microsoft login or my SharePoint login, it's a weird domain that they're directing me to. But the actual landing page might look authentic and so it can convince people that it is a real site.

C (4:45)

Well, let's walk through what a typical phishing email might look like. I mean, what do the victims receive and how does that lead into the oauth flow?

A (4:53)

Yeah. So in this case and in general with phishing and in particular tycoon, I feel like very business relevant content. Right. For a lot of these very, very high volume credential phishing campaigns, they use things that will be related to your business. So for example, like an invoice or HR theme or something like that. And in the cases that we saw, we saw things impersonating requests for quotes, legitimate business applications that would be used in the enterprise. We saw documents being shared, things like that. So these email lauras will pretend to be business relevant content and they're reaching out the target and it will say, oh, take a look at this, see our quote list or submit no quote or read this document, review and sign this document. And in all cases it will be a URL in the email Sometimes there will be an attachment that contains a URL. But fundamentally what the threat actor is doing is they want you to click on something. It's kind of interesting. So once you click on something, you'll get led to this Microsoft OAuth page. So what this means is it's a fake application that you can basically grant permissions to, and it'll have, you know, we have permissions requested to be able to access your O365 environment. Right. And so these are of course, like, there are many useful and legitimate enterprise applications that would, you would want to grant access and accept to your account. So that flow might be something that people are used to already or if they've already granted, you know, productivity apps or apps that you use in your day to day. And so essentially what it does is it shows this and says permission is requested, and I'll say cancel or Accept. This is kind of where it gets a little bit interesting because if you click Accept, it will grant access to your account, but it'll be very basic. View your profile, maintain access to data that you have given it access to. So it's not super. You know, there's not a lot that this particular app can do. But even if you click Cancel, so it doesn't matter if you click Cancel or Accept, if you do click Accept, it does add those permissions. But even if you click Cancel, either way, you'll be redirected to basically a landing page that will have those. It will redirect you to this captcha, and if the captcha is solved, it'll go to this Microsoft authentication page. So you'll be asked to enter your user name, your password, verify your identity, and that's where the MFA credential capture comes in. So even if you don't grant access but click Cancel, you'll still be redirected to the landing page to steal your credentials.

C (7:37)

And that's a fake Microsoft login page, right?

A (7:40)

Yes, it's totally fake. It's created by the threat actors. And like I said earlier, the URL of these pages will look fake. It'll look illegitimate. So even though the landing page is very compelling, if you think about your security training and you're letting your users know, always make sure to validate the URL in which you're visiting, whether that's hovering over the link before it's clicked, or taking a look in the actual search bar, the browser bars to see, okay, where am I right now? You could tell, you know, it's something that's malicious.

C (8:14)

So your Research references this attacker in the middle technique in the Tycoon phishing kit. How does that go about capturing the MFA tokens and session cookies?

A (8:26)

Yeah, so essentially it's an adversary in the middle phishing kit. So it's mostly used to target Microsoft 365 as well as Gmail. So they essentially try to use cookies to circumvent MFA access controls. But basically what they're doing is in many cases, like you have with MFA phishing kits, there'll be like a reverse proxy or there will be a way for them to collect in real time the username, password and the authentication tokens. And they'll be able to collect a lot of information about the person who is putting in that information. And so in that case, they're essentially able to bypass those restrictions or get around the MFA because they can just use your token to log into the account itself. So essentially in real time, or sometimes close to real time, being able to log in and access that information.

C (9:23)

We'll be right back. How widespread do you all suppose this campaign is?

A (9:33)

This particular campaign, I wouldn't say it's really tremendously popular. We do see a lot of Tycoon in general, and oftentimes those can be tens of thousands of emails per campaign. So Tycoon does could get very high volume. But in this case, we were actually able to take a look at the actual cloud tenant impacts based off of our own visibility. And we saw more than two dozen malicious applications that had this very similar characteristic. So they all shared this consistent pattern in the reply URLs commonly requested this benign OAuth. So we saw things like Adobe or DocuSign. There was some other business relevant content like ILS Smart sort of aviation company. So a lot vary from like very popular enterprise applications to sort of smaller and a little bit more targeted that you would just kind of use in specific businesses. But we did see more than two dozen of these malicious applications throughout 2025 so far. And so it's really interesting we're seeing that they're doing a lot of these different impersonations, but in terms of the volume, I wouldn't necessarily say it's really high volume because that's not a ton of malicious apps. And Tycoon in terms of just the phishing kit itself is pretty high volume in general.

C (10:58)

So is my understanding correct that despite the widespread exposure that you all saw, there were only a handful of successful account takeovers? Why do you think the success rate was so low?

A (11:13)

Well, I think it really depends. In many cases on the social engineering. So I think that regardless of whether it's an MFA account takeover, or whether it's malware delivery, or whether it's a web inject or even a business email compromise where you're sending money to a specific individual, I think in many cases the social engineering has a lot to do with the effectiveness of the actual campaign. And so I think that oftentimes what we see are really interesting attack teams, but maybe not the most effective email lures. Whether that's they look like they're coming from a really sketchy place or users are a little bit more inclined to double check and look at the URL in the search bar or before they click on something to validate it. Of course, in our case we block the activity. So from the perspective of us seeing it, that's why it wouldn't necessarily be successful. But in general, I think that a lot of times, sometimes an attack can be a very clever chain in particular, but if the social engineering just isn't there, it's not going to be a very effective method of infection. And we've seen a lot of sort of unique social engineering in the cases of these apps. Some were pretty effective. I think the one that actually impersonated a legitimate small business with a little bit more request for quote. I thought that that was a little bit better than kind of like generic review your documents. So, you know, I think a lot of it depends on some of the delivery. But yeah, so it's. Yeah, it's kind of interesting to see the evolution of some of the social engineering that we've seen. While we do oftentimes see a lot of the sort of like business relevant content used in lures and sometimes it can be very effective. Sometimes I'm just like, do you really think that anyone's going to click on this email? Like.

C (13:10)

Right, right, right.

A (13:12)

So it really does.

C (13:13)

It's like the lure itself is a test, you know, because if you. Yeah, yeah, it's. Well, I mean, I suppose I don't want to. At the risk of being overly optimistic. I guess it's a good thing that it's harder for these folks to get away with things that from the user point of view, perhaps people are getting a little more savvy.

A (13:33)

Yeah, I mean, I think so. So ultimately too, when it comes down to MFA fishing and why it's so popular right now, that is because it's a direct response to people implementing MFA everywhere. Every time we see an innovation in the attacker ecosystem, it's typically because we saw innovation from Defenders. And we have seen broader and better security measures in place that require threat actors to develop innovations and try new things to get around some of that stuff. And so part of the reason why MFA is so effective right now and is so popular right now, MFA phishing is because of, well, we have to get around this, we have to figure out how to target this identity. And I think that that's part of the overall landscape in general too. And I think, Dave, we've talked about this previously where you see a lot of these major botnets, a lot of this very popular malware, it's just had sort of disappeared. And what we've seen is the rise of information stealers, we've seen the rise of MFA phishing, we've seen the targeting identity, trying to get into cloud tenants, the sort of pivot away from sort of very high volume botnets and loader malware delivery to some other things that are a little bit more targeting individuals and their identity and their access into the enterprise. I think that this is part of it. I did also too want to highlight that Microsoft actually announced back in June that it's updating its default settings in Microsoft 365 to block legacy authentication protocols and require admin consent for third party app access. That's when we talk about OAuth gaining access, approving application access to your environment, restricting that a little bit better is obviously important and can be pushed back against some of those adversaries that are abusing OAuth apps as well.

C (15:17)

Yeah. What are your recommendations then? What should organizations be doing to best protect themselves here?

A (15:23)

Yeah, so I think obviously email having robust email security, I think user training is very important here as well. Letting people know this is what you're going to be seeing. And I think when it comes to user training and user education, basing it on what is actually observed in the threat landscape is super important. Not just like, you know, oh, this is a free McDonald's or something like that. Right. Like, I mean sometimes that's, that is what happens. But oftentimes, you know, we really want to see that we're tailoring easier training and information that we're sharing with our organization to what's actually in the ecosystem. And that's why, you know, threat intelligence is so important to supporting security training practices. But of course, you know, having a cloud security to be able to identify account takeover in the case of effectiveness and certainly, you know, with like when it comes to actually web security, so potentially like being able to isolate those potentially malicious sessions and those URL's so if you do, you know, if you do have a user that does click on that or fall for it, you know, it's able to be isolated in such a way or you know, not being able to sort of bypass some existing security protections and not being able to actually visit those malicious links is super effective as well. And then of course when it comes to actual MFA bypass, having Fido based physical security keys, so something like a Yubikey, anything else that is a physical token, not just having sms, MFA or an application or something like that, making sure that you are having those physical security keys can definitely add a layer of frustration and issues for threat actors that are trying to sort of steal the additional authentication or session cookies that you can basically by putting in your SMS token or something like that.

C (17:13)

Right? Anything you can do so that you're not the low hanging fruit.

A (17:17)

Yes, exactly.

C (17:28)

Our thanks to Selena Larson from Proofpoint for joining us. The research is titled Microsoft OAuth app impersonation campaign leads to MFA phishing. We'll have a link in the Show Notes and that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app app. Please also fill out the survey in the Show Notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

D (18:36)

The holidays mean more travel, more shopping, more time online and more personal info in more places that could expose you more to identity theft. But Lifelock monitors millions of data points per second. If your identity is stolen, our US based restoration specialists will fix it, guaranteed or your money back back. Don't face drained accounts, fraudulent loans or financial losses alone. Get more holiday fun and less holiday worry with Lifelock. Save up to 40% your first year. Visit lifelock.com podcast terms apply.