Episode Summary: “Don’t trust that app! [Research Saturday]”
CyberWire Daily – September 6, 2025
Host: Dave Bittner (N2K Networks)
Guest: Selena Larson, Staff Threat Researcher and Lead for Intelligence Analysis and Strategy at Proofpoint
Main Topic: Microsoft OAuth App Impersonation Campaigns and MFA Phishing
Overview
This episode dives deep into a Proofpoint research analysis of a credential phishing campaign leveraging Microsoft OAuth application impersonation. Host Dave Bittner and threat researcher Selena Larson unravel how attackers use fake OAuth apps to bypass Multi-Factor Authentication (MFA), and discuss the wider implications for organizational cloud security.
Key Discussion Points and Insights
1. Anatomy of the Attack: Microsoft OAuth Impersonation
- Phishing Technique: Attackers impersonate Microsoft OAuth applications to trick users into handing over credentials.
- “In this particular campaign… the threat actors will impersonate various fake Microsoft OAuth applications and ultimately lead to credential theft.” (Selena Larson, 01:53)
- Purpose of the App: The OAuth application is not the payoff in itself; it is a vehicle that routes the victim into a credential phishing flow built to bypass MFA.
- “In this case, it was used more as a vehicle to enable the credential phishing, which was pretty interesting.” (01:53)
2. MFA Phishing Explained
- MFA and Attacker Response: MFA (Multi-Factor Authentication) has strengthened security, but now threat actors are innovating to get around it.
- “Because we...have gotten so much better at mandating multi factor authentication…threat actors have had to get pretty creative.” (Selena Larson, 02:47)
- Attackers now aim not just for usernames and passwords but also for authentication tokens and session cookies.
- Phishing Kits: MFA phishing kits are available, some making impersonation straightforward, though effectiveness depends on the quality of the lure.
- “...the kits themselves...impersonate the login page of whatever the email is that you’re targeting.” (Selena Larson, 04:18)
3. How the Campaign Works
- Phishing Lures: Attackers use convincing business-related themes, like document requests or invoices.
- “[Attackers] use things that will be related to your business… we saw things impersonating requests for quotes, legitimate business applications.” (05:36)
- OAuth Consent Prompt: Users are sent to a Microsoft OAuth consent screen for an attacker-registered application whose name mimics a legitimate one; the consent prompt is Microsoft's own, the app behind it is not.
- Whether users click “Accept” or “Cancel,” the authorization server returns them to the app's registered redirect URI (with an authorization code on Accept, with an error on Cancel), and that URI is a phishing page built to capture credentials and MFA.
- “Even if you click Cancel, you’ll still be redirected to the landing page to steal your credentials.” (Selena Larson, 07:54)
- Adversary-in-the-Middle Approach: Campaigns use adversary-in-the-middle (AitM) phishing kits such as Tycoon, which sit as a reverse proxy in front of the real login page and capture credentials and session tokens in real time.
- “There’ll be like a reverse proxy or there’ll be a way for them to collect in real time the username, password, and authentication tokens.” (09:09)
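The consent flow described above can be checked mechanically when a suspicious link turns up in triage. The following is an added example written for this summary, not code from the episode or from Proofpoint: it parses an authorize link of the kind embedded in a lure, rebuilds the two URLs the authorization server can send the browser to after the consent screen (RFC 6749 section 4.1.2 on Accept, section 4.1.2.1 on Cancel), and flags a redirect URI that leaves the organisation's known hosts. The client_id, state, hostnames and the allowlist are constructed; the parameter names are those of RFC 6749 and the Microsoft identity platform authorize endpoint.

```python
"""Triage of an OAuth authorize link and a model of both consent outcomes.

Added example for this summary, not code from the episode or from Proofpoint.
Parameter names follow RFC 6749 and the Microsoft identity platform authorize
endpoint; the client_id, state, hosts and the allowlist are constructed."""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed lure link of the kind a "document request" email would carry.
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-1111-2222-3333-444444444444"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review-portal.invalid%2Fcallback"
    "&scope=openid%20profile%20email"
    "&state=inv-48213"
)

# Hosts where this hypothetical tenant expects sanctioned apps to return users.
KNOWN_REPLY_HOSTS = {"portal.example.com", "login.example.com"}


def parse_authorize_link(url: str) -> dict:
    """Extract the fields a triager needs from an authorize URL."""
    u = urlparse(url)
    q = parse_qs(u.query)

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    redirect = first("redirect_uri")
    return {
        "authority": u.netloc,
        "client_id": first("client_id"),
        "redirect_uri": redirect,
        "redirect_host": urlparse(redirect).hostname or "",
        "scopes": first("scope").split(),
        "state": first("state"),
    }


def consent_outcome_url(redirect_uri: str, state: str, accepted: bool) -> str:
    """URL the authorization server sends the browser to after the consent screen.

    RFC 6749 section 4.1.2: on Accept the query carries code (placeholder here);
    section 4.1.2.1: on Cancel it carries error=access_denied. Both go to the
    app's registered redirect_uri, which the app's owner controls.
    """
    params = {"code": "AUTH_CODE_PLACEHOLDER"} if accepted else {"error": "access_denied"}
    params["state"] = state
    return urlunparse(urlparse(redirect_uri)._replace(query=urlencode(params)))


def landing_hosts(redirect_uri: str, state: str) -> set:
    """Hosts the victim can end up on; one element means Accept and Cancel land together."""
    return {urlparse(consent_outcome_url(redirect_uri, state, a)).hostname for a in (True, False)}


def triage(url: str, known_hosts=KNOWN_REPLY_HOSTS) -> dict:
    """Flag an authorize link whose redirect_uri leaves the organisation's known hosts.

    A small scope set (openid profile email) is not reassuring: the redirect
    happens whether or not the user grants anything.
    """
    info = parse_authorize_link(url)
    findings = []
    if info["redirect_host"] not in known_hosts:
        findings.append(f"redirect_uri host {info['redirect_host']!r} is not a known reply host")
    if "offline_access" in info["scopes"]:
        findings.append("app also requests offline_access (a refresh token)")
    info["findings"] = findings
    info["suspicious"] = bool(findings)
    return info


if __name__ == "__main__":
    result = triage(LURE_URL)
    for finding in result["findings"]:
        print("finding:", finding)
    for accepted in (True, False):
        print("Accept" if accepted else "Cancel", "->",
              consent_outcome_url(result["redirect_uri"], result["state"], accepted))
```

The point of `landing_hosts` is the one the guest makes at 07:54: the host the victim lands on is fixed by the app registration, not by the button the user presses, so the redirect URI is the field to inspect before anyone clicks.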
4. Attack Scale and Effectiveness
- Volume Observed: More than two dozen distinct malicious apps detected throughout 2025 in this campaign, small next to high-volume phishing.
- “We saw more than two dozen malicious applications that had...this very similar characteristic.” (Selena Larson, 11:58)
- Success Rate: Only a handful of successful account takeovers observed, likely due to improved user savvy and robust security defenses.
- “In many cases the social engineering has a lot to do with the effectiveness of the actual campaign.” (13:37)
- Poorly crafted phishing emails often fail, but lures that closely mimic normal business communications are more dangerous.
5. Trends and Mitigation
- Evolution of Attacks: As defenses improve, attacks pivot from generic malware and botnets to identity-focused tactics: information stealers, MFA phishing, and direct targeting of cloud tenants.
- “We’ve seen the rise of information stealers, we’ve seen the rise of MFA phishing, we’ve seen the targeting identity, trying to get into cloud tenants...” (Selena Larson, 15:57)
- Platform Changes: Microsoft has begun changing tenant defaults to block legacy authentication and to require admin consent for third-party app access, which makes this kind of OAuth abuse harder (the guest calls this a positive step).
6. Recommendations for Organizations
- Robust Email Security: Essential for catching malicious emails before they reach users.
- User Training: Focused, relevant security awareness that reflects active, real-world threats.
- “When it comes to user training and user education, basing it on what is actually observed in the threat landscape is super important.” (Selena Larson, 17:48)
- Cloud Security Monitoring: Ability to detect and contain suspicious logins and app authorizations.
- Isolation of Threats: Capabilities to isolate potentially malicious user sessions or links.
- Physical MFA Devices: Use FIDO-based hardware security keys (such as YubiKeys), which are bound to the site origin and cannot be relayed through an AitM proxy, rather than SMS or app-based one-time codes.
- “Having FIDO-based physical security keys… add a layer of frustration and issues for threat actors.” (18:45)
- Avoid Being ‘Low Hanging Fruit’: Any added layer of security makes you a harder target.
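The security-key recommendation rests on a property the summary names only in passing: a FIDO assertion is bound to the origin the browser is actually on. The following is an added example written for this summary, not code from the episode or from Proofpoint. It models the two checks that stop a Tycoon-style reverse proxy from relaying a WebAuthn login the way it relays a password and a TOTP code: the browser only releases a credential whose rpId matches the page's host, and the relying party verifies the origin and rpIdHash that the authenticator signed over (W3C WebAuthn Level 2, section 7.2). The origins, rpId and challenge are constructed; signature verification, where a real RP continues, is noted but not performed.

```python
"""Why a FIDO/WebAuthn security key does not survive an AitM reverse proxy.

Added example for this summary, not from the episode or Proofpoint. It models
the browser-side rpId rule and the relying party's origin / rpIdHash / challenge
checks (W3C WebAuthn Level 2, section 7.2). Signature verification over
authenticatorData || SHA-256(clientDataJSON) is where a real RP continues; it
is not performed here. Origins, rpId and the challenge are constructed."""
import base64
import hashlib
import json

RP_ID = "login.example.com"                         # hypothetical relying party
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example-com.invalid"  # hypothetical AitM proxy host


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def origin_host(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Simplified browser rule: rpId must be the page's host or a parent domain
    of it (real browsers also consult the public-suffix list; omitted here)."""
    host = origin_host(origin)
    return host == rp_id or host.endswith("." + rp_id)


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The origin comes from the
    browser's own URL bar, so page content served by a proxy cannot change it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags || signCount (minimal form).
    flags 0x05 = user present + user verified."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def rp_verify(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
              rp_id: str = RP_ID, rp_origin: str = RP_ORIGIN) -> tuple:
    """Relying-party checks that run before the signature is even looked at."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != rp_origin:
        return False, f"origin {cd.get('origin')} is not {rp_origin}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # A real RP now verifies the signature with the credential's stored public key.
    return True, "ok"


def ceremony(origin: str, rp_id_requested: str, challenge: bytes) -> tuple:
    """One authentication ceremony with the user's browser at `origin`.
    Returns (accepted_by_rp, reason)."""
    if not browser_allows_rp_id(origin, rp_id_requested):
        return False, "browser refused: rpId is not valid for this origin"
    client_data = make_client_data(challenge, origin)
    auth_data = make_authenticator_data(rp_id_requested)
    return rp_verify(client_data, auth_data, challenge)


if __name__ == "__main__":
    challenge = bytes(range(32))  # a real RP issues a fresh random challenge
    # 1. User on the real site.
    print("legitimate:", ceremony(RP_ORIGIN, RP_ID, challenge))
    # 2. Proxy relays the RP's request unchanged; the browser is on the proxy host.
    print("AitM, rpId relayed:", ceremony(PROXY_ORIGIN, RP_ID, challenge))
    # 3. Proxy rewrites rpId to its own host so the browser cooperates.
    print("AitM, rpId rewritten:", ceremony(PROXY_ORIGIN, origin_host(PROXY_ORIGIN), challenge))
```

Scenario 2 fails in the browser and scenario 3 fails at the relying party; the proxy can forward the challenge, but it cannot make the authenticator sign over an origin or rpId it does not serve. A password plus a six-digit code has no such binding, which is exactly what the kit at 09:09 exploits.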
Notable Quotes and Memorable Moments
- On why attackers target MFA now:
“Every time we see an innovation in the attacker ecosystem, it’s typically because we saw innovation from defenders…”
— Selena Larson (15:57)
- About the quality of phishing lures:
“Sometimes I’m just like, do you really think that anyone’s gonna click on this email?”
— Selena Larson (15:12)
- On effective user education:
“Basing [user training] on what is actually observed in the threat landscape is super important.”
— Selena Larson (17:48)
- Succinct guidance for listeners:
“Anything you can do so that you’re not the low hanging fruit.”
— Dave Bittner (19:38)
Key Segment Timestamps
- [01:53]: Introduction to campaign: Impersonation of Microsoft OAuth apps
- [02:47]: MFA phishing for credential theft explained
- [05:36]: Walkthrough of a phishing email and OAuth consent flow
- [07:54]: Explanation: Accept/Cancel both lead to phishing
- [09:09]: Attacker-in-the-middle mechanics and Tycoon phishing kit
- [11:58]: Attack scale and campaign observations
- [13:37]: Low success rates and the role of social engineering
- [15:57]: Trend shift in cyber attacks and Microsoft’s mitigations
- [17:48]: Top recommendations for organizations
Concluding Thoughts
This episode provides a thorough, clear walkthrough of an evolving attack vector targeting cloud identities and MFA protections. While current attack sophistication varies, both user awareness and layered technical defenses remain crucial for mitigating these threats. As attackers adapt to stronger protections, the security community must keep pace—defending not only at the email gateway but through realistic end-user training and advanced authentication controls.