Don’t trust that app! [Research Saturday]

A

You're listening to the Cyberwire network. Powered by N2K.

B

The DMV has established itself as a top tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. Race the rudders. Raise the sails. Raise the sails. Captain, an unidentified ship is approaching.

A

Over.

B

Roger, wait. Is that an enterprise sales solution? Reach sales professionals, not professional sailors. With LinkedIn ads, you can target the right people by industry, job title and more. Start converting your B2B audience today. Spend $250 on your first campaign and get a free $250 credit for the next one. Get started today@LinkedIn.com campaign terms and conditions apply. Hello everyone and welcome to the Cyberwires Research Saturday. I'm Dave Bittner and this is our weekly con with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.

A

In this particular campaign, it was pretty interesting because the threat actors will impersonate various fake Microsoft OAuth applications and ultimately lead to credential theft.

B

That's Selena Larson, staff threat researcher and lead for intelligence analysis and strategy at Proofpoint. The research we're discussing today is titled Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing.

A

So sometimes we see Microsoft OAuth app impersonation trying to gain access via the malicious app, various permissions and stuff. But in this case it was used more as a vehicle to enable the credential phishing, which was pretty interesting.

B

Well, let's back up just a step and can you describe for us what exactly we're talking about when we say MFA phishing?

A

Of course. So MFA phishing is multifactor authentication phishing. So typically historically, people will have a username and password to log into things. And adding a layer of Multi Factor Authentication could be anything from an SMS to a token that you have to a Yubikey or something like a physical token that you log in or even your fingerprint or your face id, things like that. So adding Multi Factor Authentication to every login adds a layer of protection to organizations. And to keep your information secure, you should enable MFA everywhere on everything. But because we as an information security ecosystem have gotten so much better at mandating multi factor authentication and having that second factor to go along with our username and password passwords. Threat actors have had to get pretty creative and come up with tools and resources to be able to bypass that. So effectively what they're doing is not just stealing your username and password anymore, but also your authentication token or whatever that additional login would be for getting into your account. So there are a variety of ways that they do this, but there are multifactor authentication fish kits that are out there that essentially provide threat actors with that easy way of bypassing the mfa, if it's a certain type of MFA and if your account has it.

B

So how easy is easy when someone gets one of these kits? I mean, what are we talking about here in terms of thwarting mfa?

A

You're right. I shouldn't say necessarily easy. So it really depends on the kit, the level of experience. There's also stuff that goes into it too, which is actually being able to effectively conduct the phishing. Right. So oftentimes we'll see the threat actor who is using the phish kit might have really terrible, terrible and uncompelling phishing wars. And so no one would actually ever click on them and engage with it and get to the landing page to enable the authentication. But the kits themselves, essentially what they do is you can, as a threat actor, basically impersonate the login page of whatever the email is that you're targeting. And so most of these cases will impersonate Microsoft 365. So it might use your actual logo. So the landing page will look authentic. The URL of course, will be something that's totally inaccurate. And if you took a look at the URL, you'd be able to say, wait, hold on, this isn't necessarily the Microsoft login or my SharePoint login. It's a weird domain that they're directing me to. But the actual landing page might look authentic and so it can convince people that it is a real site.

B

Well, let's walk through what a typical phishing email might look like. I mean, what did the victims receive and how does that lead into the oauth flow?

A

Yeah. So in this case and in general with phishing and in particular Tycoon, I feel like very business relevant content. Right. For a lot of these very, very high volume credential phishing campaigns, they use things that will be related to your business. So for example, like an invoice or HR themed or something like that. And in the cases that we saw we saw things impersonating requests for quotes, legitimate business applications that would be used in the enterprise, we documents being shared, things like that. So these email auras will pretend to be business relevant content and they're reaching out to the target and it will say, oh, take a look at this, see our quote list or submit no quote or read this document, review and sign this document. And in all cases it will be a URL in the email. Sometimes there will be an attachment that contains a URL. But fundamentally what the threat actor is doing is they want you to click on something. It's kind of interesting. So once you click on something, you'll get led to this Microsoft OAuth page. So what this means is it's a fake application, that is that you can basically grant permissions to and it'll have, you know, we have permissions requested to be able to access your O365 environment. Right. And so these are of course like there are many useful and legitimate enterprise applications that would, you would want to grant access and accept to your account. So that flow might be something that people are used to already or if they've already granted productivity apps or apps that you use in your day to day. Essentially what it does is it shows this and says permissions requested. And I'll say cancel or Accept. This is where it gets a little bit interesting because if you click Accept, it will grant access to your account, but it'll be very basic. View your profile, maintain access to data that you have given it access to. So it's not super, you know, there's not a lot that this particular app can do. But even if you click Cancel, so it doesn't matter if you click Cancel or Accept, if you do click Accept, it does add those permissions. But even if you click Cancel, either way you'll be redirected to a, basically a landing page that will have those that will redirect you to this like captcha. And if the captcha is solved, it'll go to this Microsoft authentication page. So you'll be asked to enter your user name, your password, verify your identity. And that's where the MFA credential capture comes in. So even if you don't grant access but click Cancel, you'll still be redirected to the landing page to steal your credentials.

B

And that's a fake Microsoft login page, right?

A

Yes, it's totally fake. It's created by the threat actors. And you know, like I said earlier, the URL of these pages will look fake, it'll look illegitimate so even though the landing page is very compelling, if you have, you know, if you think about your security training and you're letting your users know, always make sure to validate the URL in which you're visiting, Whether that's hovering over the link before it's clicked, or taking a look in the actual search bar, the browser bars to see, okay, where am I right now? You could tell it's something that's malicious.

B

So your research references this attacker in the middle technique in the tycoon phishing kit. How does that go about capturing the MFA tokens and session cookies?

A

Yeah, so essentially it's an adversary in the middle phishing kit. So it's mostly used to target Microsoft 365 as well as Gmail. They essentially try to use cookies to circumvent MFA access controls. But basically what they're doing is in many cases, like you have with MFA phishing kits, there'll be like a reverse proxy or there'll be a way for them to collect in real time the username, password and the authentication tokens. And they'll be able to collect a lot of information about the person who is putting in that information. And so in that case, they're essentially able to bypass those restrictions or get around the MFA because they can just use your token to log into the account itself. So essentially in real time, or sometimes close to real time, being able to log in and access that information.

B

We'll be right back. Think your certificate security is covered. By March 2026 TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk. Unless you modernize your strategy, Cyberark, proven in identity security, is your partner in certificate security. Cyberark simplifies lifecycle management with visibility, automation and control at scale. Master the 47 day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale Security. Visit cyberark.com 47day that's cyberark.com the numbers 47day. And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker. How widespread do you all suppose this campaign is.

A

So this particular campaign, I wouldn't say it's really tremendously popular. We do see a lot of tycoon in general and oftentimes those can be tens of thousands of emails per campaign. So tycoon does could get very high volume. But in this case we were actually able to take a look at the actual cloud tenant impacts based off of our own visibility. And we saw more than two dozen malicious applications that had this very similar characteristic. So they all shared this consistent pattern in the reply URL. URLs commonly requested this benign oauth. So we saw things like Adobe or DocuSign. There was some other business relevant content like ILS Smart sort of aviation company. So a lot vary from very popular enterprise applications to sort of smaller and a little bit more targeted that you would just kind of use in specific businesses. But we did see more than two dozen of these malicious applications throughout 2025 so far. And so it's really interesting we're seeing that they're doing a lot of these different impersonations. But in terms of the volume, I wouldn't necessarily say it's really high volume because that's not a ton of malicious apps. And tycoon in terms of just the phishing kit itself is pretty high volume in general.

B

So is my understanding correct that despite the widespread exposure that you all saw, there were only a handful of successful account takeovers? Why do you think the success rate was so low?

A

Well, I think it really depends in many cases on the social engineering. So I think that regardless of whether it's an MFA account takeover or whether it's malware delivery or whether it's a web inject or even a business email compromise where you're sending money to a specific individual, I think in many cases the social engineering has a lot to do with the effectiveness of the actual campaign. And so I think that oftentimes what we see are really interesting attack teams, but maybe not the most effective email lures. Whether that's, you know, they look like they're coming from a really sketchy place, or users are a little bit more inclined to double check and look at the URL in the search bar or you know, before they click on something to validate it. Of course, in our case, you know, we block the activity. So from the perspective of us seeing it, that's, that's why it wouldn't necessarily be successful. But in general, I think that a lot of times, you know, sometimes an attack can be a very clever chain. In particular, but if the social engineering just isn't there, it's not going to be a very effective method of infection. And we've seen a lot of sort of unique social engineering in the cases of these apps. Some were pretty effective, I think. You know, the one that actually impersonated a, impersonated like a legitimate small business with a little bit more request for quote. I thought that that was like a little bit better than kind of like generic review your documents.

B

Right.

A

So, you know, I think it, a lot of it depends on, on some of the delivery, but yeah, so it's, yeah, it's, it's, it's kind of interesting to see the evolution of some of the social engineering that we've seen. While we do oftentimes see a lot of the sort of like business relevant content used in lures. And sometimes it can be very effective. Sometimes I'm just like, do you really think that anyone's gonna click on this email? Like.

B

Right, right.

A

So it really feels, it's like the.

B

Lure itself is a test, you know? Yeah, yeah, it's. Well, I mean, I suppose I don't want to. At the risk of being overly optimistic, I guess it's a good thing that it's hard these folks to get away with things that from the user point of view, perhaps people are getting a little more savvy.

A

Yeah, I mean, I think so. So ultimately too, when it comes down to MFA phishing and why it's so popular right now, that is because it's a direct response to people implementing MFA everywhere. Every time we see an innovation in the attacker ecosystem, it's typically because we saw innovation from defenders and we have seen broader and better security measures in place that require threat actors to develop innovations and try new things to get around some of that stuff. And so part of the reason why MFA is so effective right now and are so popular right now, MFA phishing is because of, well, we have to get around this, we have to figure out how to target this identity. And I think that that's part of the overall landscape in general too. And I think, Dave, we've talked about this previously where you see a lot of these major botnets, a lot of this very popular malware, it's just sort of disappear. And what we've seen is the rise of information stealers, we've seen the rise of MFA phishing, we've seen the targeting identity, trying to get into cloud tenants, this sort of pivot away from sort of very high volume botnets and loader malware delivery to some Other things that are a little bit more targeting individuals and their identity and their access into the enterprise. And so I think that this is part of it. I did also too want to highlight that Microsoft actually announced back in June that it's updating its default settings in Microsoft 365 to block legacy authentication protocols and require admin consent for third party app access. So that's when we talk about OAuth gaining approving application access to your environment. Restricting that a little bit better is obviously important. It can be pushed back against some of those adversaries that are abusing OAuth apps as well.

B

Yeah. What are your recommendations then? What should organizations be doing to best protect themselves here?

A

Yeah, so you know, I think obviously you know, email having robust email security. I think user training is very important here as well. You know, letting people know this is what you're going to be seeing. And I think when it comes to user training and user education, basing it on what is actually observed in the threat landscape is super important. Not just like, you know, oh, this is a free McDonald's or something like that. Right. Like, I mean sometimes that is what happens, but oftentimes, you know, we really want to see that we're tailoring user training and information that we're sharing with our organization to what's actually in the ecosystem. And that's why threat intelligence is so important to supporting security training practices. But of course having a cloud security to be able to identify account takeover in the case of effectiveness and certainly with when it comes to actually web security, so potentially being able to isolate those potentially malicious Sessions and those URLs. So if you do have a user that does click on that or fall for it, it's able be isolated in such a way or not being able to sort of bypass some existing security protections and not being able to actually visit those malicious links is super effective as well. And then of course when it comes to actual MFA bypass, having Fido based physical security keys, so something like a Yubikey, anything else that is a physical token, not just having sms, MFA or an application or something like that, making sure that you are having those physical security keys can definitely add a layer of frustration and issues for threat actors that are trying to sort of steal the additional authentication or session cookies that you can basically by putting in your SMS token or something like that.

B

Right. Anything you can do so that you're not the low hanging fruit.

A

Yes, exactly.

B

Our thanks to Selina Larson from proofpoint for joining us. The research is titled Microsoft OAUTH app impersonation campaign leads to MFA phishing. We'll have a link in the Show Notes and that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. Listen. That's the sound of the fully electric Audi Q6E Tron. The sound of captivating electric performance, dynamic drive and the quiet confidence of ultra smooth handling. The elevated interior reminds you this is more than an EV. This is electric performance redefined. The fully electric Audi Q6 etron.