CyberWire Daily – “Don’t trust that app!”
Episode Date: January 3, 2026
Host: Dave Bittner, N2K Networks
Guest: Selina Larson, Staff Threat Researcher and Lead for Intelligence Analysis & Strategy, Proofpoint
Episode Focus: Microsoft OAuth Application Impersonation Campaigns and MFA Phishing
Episode Overview
This episode of CyberWire Daily digs into a recent Proofpoint investigation of a Microsoft OAuth app impersonation campaign that enables multi-factor authentication (MFA) phishing. Dave Bittner interviews Selina Larson about how adversaries are evolving techniques to circumvent MFA, why these attacks are concerning for organizations, and how defenders can raise the bar for security.
Key Points & Insights
1. Understanding MFA Phishing & OAuth App Impersonation
- Definition: MFA phishing targets not only the username and password but also the second factor or the session it produces (for example an SMS or authenticator-app code, or the session cookie issued once the user completes MFA), so the attacker can sign in as the user even though MFA is enabled.
- “Effectively what they're doing is not just stealing your username and password anymore, but also your authentication token or whatever that additional login would be for getting into your account.” — Selina Larson [02:35]
- Microsoft OAuth App Impersonation: Attackers create fake Microsoft OAuth applications whose consent prompt asks the user to grant permissions. The prompt is a pretext: either choice on it leads to a phishing page that harvests the credentials and MFA token.
- “The threat actors will impersonate various fake Microsoft OAuth applications and ultimately lead to credential theft.” — Selina Larson [01:10]
2. How the Attack Chain Works
- Phishing Email Tactics:
- Emails carry business-relevant lures (e.g., “Request for quote”, “Review and sign this document”) with a malicious URL, sometimes placed inside an attachment.
- The link opens a familiar-looking OAuth permission (consent) flow.
- “These email lures will pretend to be business relevant content… in all cases it will be a URL in the email. Sometimes there will be an attachment that contains a URL.” — Selina Larson [04:53]
- OAuth Consent Flow:
- The user lands on a permission page for the fake OAuth app, asking them to “Accept” or “Cancel.”
- Regardless of the choice, the victim is redirected to a fake Microsoft login page that captures the password and the MFA code.
- “Even if you click Cancel, either way, you'll be redirected to basically a landing page to steal your credentials.” — Selina Larson [06:53]
- Attack Utility:
- High-quality phishing kits make attack deployment possible even for low-skilled actors.
- Social engineering remains the critical determinant of success.
3. Adversary-in-the-Middle (AitM) Phishing Kits: Tycoon Example
- Phishing Kits: Tycoon uses adversary-in-the-middle techniques (a reverse proxy sitting between the victim and the real login page) to capture the username, password, and the session cookie or MFA token in real time, so the attacker can replay the authenticated session.
- “There'll be like a reverse proxy or there will be a way for them to collect in real time the username, password and the authentication tokens.” — Selina Larson [08:26]
- Primary Targets: Focus is on Microsoft 365 and Gmail users.
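The chain in sections 2 and 3 leaves two traces a defender can correlate in tenant logs: a consent grant to an application nobody approved, followed shortly by a successful, MFA-satisfied sign-in from a source the user has never used (the proxied session replayed from the attacker's infrastructure). The script below is an added example, not code from the episode or from Proofpoint. The log records are constructed, their field names are a flattened approximation of Entra ID audit and sign-in entries, and the application allowlist, known-IP baseline and 60-minute window are assumptions a real deployment would replace with its own data.

```python
from datetime import datetime, timedelta

# Constructed sample records (no real tenant data). Field names are a
# flattened approximation of Entra ID audit-log and sign-in-log entries.
AUDIT_EVENTS = [
    {"time": "2025-06-02T09:14:02Z", "activity": "Consent to application",
     "user": "alice@example.com", "app": "SecureDocs Viewer",
     "app_id": "11111111-2222-3333-4444-555555555555"},   # unknown app from the email lure
    {"time": "2025-06-02T10:40:11Z", "activity": "Consent to application",
     "user": "bob@example.com", "app": "Approved LOB App",
     "app_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},   # on the tenant allowlist
]

SIGNIN_EVENTS = [
    {"time": "2025-06-02T09:13:30Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "result": "success", "mfa": "satisfied"},   # usual office egress
    {"time": "2025-06-02T09:21:45Z", "user": "alice@example.com",
     "ip": "198.51.100.77", "result": "success", "mfa": "satisfied"},  # replayed session, new IP
    {"time": "2025-06-02T10:41:00Z", "user": "bob@example.com",
     "ip": "203.0.113.22", "result": "success", "mfa": "satisfied"},
]

# Assumed tenant context: approved application IDs and each user's baseline source IPs.
APPROVED_APP_IDS = {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.22"}}
WINDOW = timedelta(minutes=60)   # how long after a consent we look for a takeover sign-in


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unapproved_consents(audit_events, approved=APPROVED_APP_IDS):
    """Consent grants to any application that is not on the tenant allowlist."""
    return [e for e in audit_events
            if e["activity"] == "Consent to application" and e["app_id"] not in approved]


def takeover_signins(consent, signins, known_ips=KNOWN_IPS, window=WINDOW):
    """Successful sign-ins by the same user, from an IP outside their baseline,
    within `window` after the consent. 'mfa': 'satisfied' is expected here: a
    proxied session replays the victim's own MFA, so that field does not clear it."""
    t0 = parse_ts(consent["time"])
    hits = []
    for s in signins:
        if s["user"] != consent["user"] or s["result"] != "success":
            continue
        delta = parse_ts(s["time"]) - t0
        if timedelta(0) <= delta <= window and s["ip"] not in known_ips.get(s["user"], set()):
            hits.append({"user": s["user"], "ip": s["ip"],
                         "minutes_after_consent": int(delta.total_seconds() // 60)})
    return hits


def analyze(audit_events=AUDIT_EVENTS, signins=SIGNIN_EVENTS):
    """Chain the two checks: each unapproved consent, then any takeover-looking sign-in after it."""
    findings = []
    for c in unapproved_consents(audit_events):
        findings.append({"type": "unapproved_consent", "user": c["user"],
                         "app": c["app"], "app_id": c["app_id"]})
        for hit in takeover_signins(c, signins):
            findings.append({"type": "possible_aitm_takeover", **hit})
    return findings


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On the constructed data the script raises one unapproved-consent finding for alice and one possible-takeover finding for her sign-in from 198.51.100.77 seven minutes later; bob's consent is to an allowlisted app and his sign-in comes from a known address, so he produces nothing. The point worth keeping from the design is that the sign-in an AitM kit produces looks fully legitimate on its own (success, MFA satisfied); it is the sequence and the unfamiliar source, not any single field, that gives it away.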
4. Scope & Success of the Campaign
- Campaign Scale:
- Tycoon itself is used in high-volume campaigns (tens of thousands of emails), but this specific OAuth impersonation campaign involved only a modest number of distinct malicious apps, more than two dozen observed across 2025.
- “We saw more than two dozen malicious applications… throughout 2025 so far.” — Selina Larson [09:33]
- Low Success Rate:
- Few confirmed account takeovers, attributed to weak social engineering in many attempts and increasingly savvy users.
- “Oftentimes what we see are really interesting attack teams, but maybe not the most effective email lures… users are a little bit more inclined to double check and look at the URL.” — Selina Larson [11:13]
- Defensive controls and user vigilance remain key.
- “In our case we block the activity… if the social engineering just isn't there, it's not going to be a very effective method of infection.” — Selina Larson [11:31]
5. Evolution in the Attack Landscape
- Attacker Adaptation:
- MFA phishing is rising as organizations widely adopt stronger authentication.
- “Every time we see an innovation in the attacker ecosystem, it's typically because we saw innovation from defenders.” — Selina Larson [13:33]
- Decrease in traditional botnets/malware; increase in identity-focused campaigns.
- “We've seen the rise of information stealers, we've seen the rise of MFA phishing, we've seen the targeting of identity.” — Selina Larson [13:53]
- Industry Response:
- Microsoft (June 2025) updated default settings in Microsoft 365 to block legacy authentication protocols and require admin consent for third-party app access.
- “…restricting that a little bit better is obviously important and can be pushed back against some of those adversaries.” — Selina Larson [14:53]
6. Defensive Recommendations for Organizations
- Email Security:
- Robust email gateways and anti-phishing controls are foundational.
- User Training:
- Focus on real threats users will encounter, updating training with threat intel.
- “Basing it on what is actually observed in the threat landscape is super important… that's why threat intelligence is so important to supporting security training practices.” — Selina Larson [15:27]
- Cloud Account Monitoring:
- Monitor sign-in and application-consent activity in the cloud tenant for signs of account takeover, such as a successful, MFA-satisfied sign-in from an unfamiliar location shortly after a suspicious consent or phishing click.
- Web Security:
- Use filtering and isolation to prevent malicious sessions from progressing.
- “…being able to isolate those potentially malicious sessions and those URLs…” — Selina Larson [16:07]
- Strong MFA Strategies:
- Prefer phishing-resistant MFA: FIDO2-based physical security keys (e.g., YubiKeys) rather than SMS or app-based codes alone. A FIDO credential is bound to the site's origin, so a reverse proxy on a lookalike domain cannot obtain an assertion the real login page will accept.
- “…having FIDO based physical security keys… can definitely add a layer of frustration and issues for threat actors…” — Selina Larson [16:58]
- Reduce Attack Surface:
- Any step taken to make exploitation harder reduces the organization’s attractiveness for attack.
- “Anything you can do so that you're not the low hanging fruit.” — Dave Bittner [17:13]
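The FIDO recommendation above works against the Tycoon-style proxy for a concrete reason: the browser, not the page, writes the page's origin into the signed client data and derives the relying-party ID from it, and the relying party rejects any assertion whose origin or rpIdHash is not its own. The simulation below is an added example, not code from the episode, from Proofpoint, or from any WebAuthn library. The relying-party ID, origins and challenge are constructed, and the authenticator's signature is modelled with HMAC over the exact message a real key signs (authenticatorData || SHA-256(clientDataJSON)) purely so the block runs with the standard library; a real security key uses an asymmetric key such as ECDSA P-256 or Ed25519 and the relying party verifies with the stored public key.

```python
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                           # assumed relying party ID
RP_ORIGIN = "https://login.example.com"               # the only origin the RP accepts
PROXY_ORIGIN = "https://login.example.com.evil.test"  # constructed AitM lookalike domain


class Authenticator:
    """Stand-in for a FIDO2 security key. A real key signs with an asymmetric
    key (ECDSA P-256 or Ed25519); HMAC over the same message is used here only
    so the example runs offline with the standard library."""

    def __init__(self):
        self.secret = os.urandom(32)
        self.sign_count = 0

    def get_assertion(self, rp_id, client_data_json):
        self.sign_count += 1
        # authenticatorData = rpIdHash || flags (UP|UV = 0x05) || signCount
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x05" + self.sign_count.to_bytes(4, "big"))
        message = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.secret, message, "sha256").digest()


def browser_get(origin, challenge, authenticator):
    """What navigator.credentials.get() does: the browser, not the page, writes
    the real origin into clientDataJSON and derives the RP ID from it."""
    rp_id = origin.removeprefix("https://").split("/")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, client_data)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(assertion, expected_challenge, credential_key):
    """Relying-party checks, in the order WebAuthn lists them for an assertion."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    message = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, message, "sha256").digest()  # real RP: public-key verify
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo():
    key = Authenticator()
    registered_key = key.secret   # with the HMAC stand-in, the RP's stored key is the same secret
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"   # constructed; a real RP issues fresh random bytes
    genuine = browser_get(RP_ORIGIN, challenge, key)
    # The proxy relays the RP's real challenge, but the victim's browser is on the proxy's origin.
    proxied = browser_get(PROXY_ORIGIN, challenge, key)
    return (verify_assertion(genuine, challenge, registered_key),
            verify_assertion(proxied, challenge, registered_key))


if __name__ == "__main__":
    print(demo())
```

The genuine ceremony verifies; the proxied one fails at the origin check (and would also fail the rpIdHash check, since the browser hashed the proxy's domain). Contrast this with a TOTP or push approval: nothing in those ties the code to the domain the user is looking at, so the proxy can forward it unchanged. The same origin check is why a user who types a FIDO-protected login into a lookalike domain is not just "phished" but simply cannot complete the login there.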
Notable Quotes & Memorable Moments
- “We have seen broader and better security measures in place that require threat actors to develop innovations and try new things to get around some of that stuff.” — Selina Larson [13:38]
- “It's kind of interesting to see the evolution of some of the social engineering that we've seen… sometimes it can be very effective. Sometimes I'm just like, do you really think that anyone's going to click on this email?” — Selina Larson [12:53]
- “When it comes to user training and user education, basing it on what is actually observed in the threat landscape is super important.” — Selina Larson [15:27]
- “If the social engineering just isn't there, it's not going to be a very effective method of infection.” — Selina Larson [11:40]
Key Timestamps
- [01:10] – Introduction to the Microsoft OAuth app impersonation campaign
- [02:04] – Explaining MFA phishing and why it matters
- [04:45] – How phishing emails lure users and initiate the OAuth flow
- [06:40] – Redirection to fake authentication pages regardless of user action on OAuth prompt
- [08:14] – How adversary-in-the-middle phishing kits (Tycoon) work to capture tokens/cookies
- [09:33] – Analysis of scope, prevalence, and impact of the campaign
- [11:13] – Why success rate is (fortunately) low: user awareness & weak lures
- [13:33] – Evolution: MFA adoption driving attacker innovation
- [14:50] – Microsoft’s policy response: blocking legacy protocols, tightening app consent
- [15:23] – Concrete defensive recommendations for organizations
Tone and Style
The discussion is accessible, practical, and collaborative, with Bittner guiding the conversation and Larson providing both detailed technical explanations and actionable defensive advice. There’s optimism about improving user awareness and security efficacy, but also realism about the evolving threat landscape.
Summary:
This episode reveals how attackers are turning to advanced MFA phishing by impersonating Microsoft OAuth apps, but the combination of improved technical controls, user vigilance, and modern security practices is blunting their success. Organizations should continue evolving security strategies to meet these challenges head-on.
