Fake Adobe and DocuSign OAuth Apps Target Microsoft 365 Users

Cybercriminals are using deceptive Microsoft OAuth apps disguised as Adobe and DocuSign tools to spread malware and steal Microsoft 365 account credentials.

Proofpoint researchers uncovered these highly targeted campaigns, where malicious apps mimic Adobe Drive, Adobe Acrobat, and DocuSign to gain access to user profile data, email addresses, and account details.

The phishing emails originate from compromised small businesses and charities, particularly in the U.S. and Europe, targeting sectors like healthcare, government, retail, and supply chains.

Attackers trick victims into granting the apps limited permissions; after authorization, victims are led to phishing pages or malware downloads designed to compromise their Microsoft 365 accounts.

In some cases, victims were redirected to fake Office 365 login pages, and suspicious login activity was detected within a minute of authorization.

While Proofpoint couldn't determine the exact malware used, they noted attackers employed the ClickFix social engineering technique, a method gaining popularity over the past year.

These attacks show that OAuth apps remain a viable method for account takeover without directly stealing passwords, similar to past incidents.

Users should be cautious when granting OAuth permissions and should review their approved apps via Microsoft's 'My Apps' portal. Administrators can restrict third-party app approvals in Enterprise settings.
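The review of approved apps described above can be partly automated. The sketch below is an added example, not code from the article or from Proofpoint: it checks an exported list of consent grants for apps that use the impersonated brand names but are not owned by a tenant you trust. Field names follow the Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` resources; the sample records, IDs and the trusted-tenant list are constructed placeholders.

```python
# Brands the article says the malicious apps imitated.
BRANDS = ("adobe", "docusign")
# Scopes matching the "limited permissions" the article describes.
LOW_PRIV = {"openid", "profile", "email"}
# Assumption: owner tenant IDs you have confirmed belong to the real vendors.
TRUSTED_OWNERS = {"11111111-1111-1111-1111-111111111111"}  # placeholder

# Constructed sample export: servicePrincipals and oauth2PermissionGrants.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Adobe Drive",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
     "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-2", "displayName": "Adobe Acrobat",
     "appOwnerOrganizationId": "11111111-1111-1111-1111-111111111111",
     "verifiedPublisher": {"verifiedPublisherId": "1234567"}},
    {"id": "sp-3", "displayName": "Payroll Sync",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
     "verifiedPublisher": {"verifiedPublisherId": None}},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal",
     "principalId": "user-7", "scope": "openid profile email"},
    {"clientId": "sp-2", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read"},
    {"clientId": "sp-3", "consentType": "Principal",
     "principalId": "user-9", "scope": "Mail.Read"},
]

def review_grants(service_principals, grants):
    """Return grants to brand-named apps that are not owned by a trusted tenant."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = by_id.get(grant["clientId"])
        if sp is None:
            continue  # grant references an app missing from the export
        name = sp["displayName"].lower()
        brand = next((b for b in BRANDS if b in name), None)
        if brand is None or sp.get("appOwnerOrganizationId") in TRUSTED_OWNERS:
            continue
        publisher = sp.get("verifiedPublisher") or {}
        findings.append({
            "app": sp["displayName"], "brand": brand, "user": grant["principalId"],
            "publisher_verified": bool(publisher.get("verifiedPublisherId")),
            # Low-privilege-only consent fits the described pattern; it does not clear an app.
            "only_low_priv_scopes": set(grant["scope"].split()) <= LOW_PRIV,
        })
    return findings
```

A name match is only a triage signal: each finding still needs a manual check of the app's owner and the consenting user's recent sign-ins.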
