Fake Microsoft OAuth Apps Used in Sophisticated MFA Bypass Attacks

Cybercriminals are using a new lure in a familiar attack: they register fake Microsoft OAuth applications that impersonate legitimate businesses, then funnel victims into an attacker-in-the-middle (AiTM) phishing page built on the Tycoon 2FA phishing kit. The OAuth app itself does not defeat multi-factor authentication (MFA); the AiTM page does, by relaying the victim's real login and MFA response to Microsoft in real time and capturing the credentials and the resulting session cookie, which leads to account takeover. Researchers have observed more than 50 impersonated applications, targeting a wide range of industries.

The Tycoon Kit and OAuth Exploitation

The Tycoon 2FA phishing-as-a-service (PhaaS) platform is at the heart of these attacks. Threat actors register malicious applications in Microsoft's identity platform (Entra ID) whose names and branding mimic well-known services such as RingCentral, SharePoint, Adobe and DocuSign. The fake applications request seemingly benign permissions, typically just reading the user's basic profile, so the consent prompt looks harmless. The permissions are not the point, though: the application's redirect URI points at attacker infrastructure, and Microsoft's authorization endpoint sends the browser there whether the user clicks Accept or Cancel. That destination is a counterfeit Microsoft login page running an AiTM proxy, which forwards the victim's credentials and MFA response to the genuine Microsoft sign-in and captures the session cookie that comes back, giving the attacker an authenticated session without a second MFA prompt.

Key Takeaways

  • Impersonation of Trusted Brands: Attackers create fake Microsoft OAuth apps mimicking popular services to gain user trust.

  • MFA Bypass: AiTM phishing kits like Tycoon 2FA relay the MFA challenge to Microsoft and capture the authenticated session cookie, so the second factor is satisfied once, by the victim, and is never demanded of the attacker.

  • Credential and Session Token Theft: The phishing pages are designed to harvest both login credentials and active session cookies.

  • Widespread Impact: Campaigns have targeted thousands of accounts across hundreds of organizations, with a notable success rate.

  • Microsoft's Countermeasures: Microsoft is changing Microsoft 365 defaults to block legacy authentication and require admin consent for third-party apps. This removes the consent prompt as a lure, but does not by itself stop AiTM credential phishing, which needs only a link to a fake login page.

Attack Chain and Techniques

The attack typically begins with phishing emails, often sent from previously compromised accounts, using business lures such as requests for quotes or contracts. The links point to a genuine Microsoft consent page for the malicious application, so a reputation check on the link's hostname sees login.microsoftonline.com and passes it. Whether the user accepts or cancels the request, the authorization endpoint redirects the browser to the application's redirect URI, which leads to a CAPTCHA challenge that filters out bots and automated analysis, followed by the fake Microsoft login page. The Tycoon kit uses WebSockets to exfiltrate captured data and evades detection by delaying the loading of page resources and using pseudorandom URL paths.
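To make the consent-redirect mechanics concrete, here is an added triage helper (not code from the article or from the Proofpoint research it summarises) that dissects an authorize link of this kind. The lure URL, client_id, state value and the brand-to-domain allowlist are constructed; the two redirect shapes follow the Microsoft identity platform's documented authorization-code flow with response_mode=query, in which both Accept and Cancel send the browser to the app's redirect_uri:

```python
"""Dissect an OAuth consent lure of the kind described above.

Added example, not code from the article or from Proofpoint. The lure URL,
client_id, state and the brand-to-domain table are constructed. Approving
consent sends the browser to redirect_uri with ?code=...&state=...; pressing
Cancel sends it to the same redirect_uri with ?error=access_denied&state=....
Both paths end on attacker infrastructure, so declining does not protect the user.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

MS_AUTHORITY_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Constructed allowlist: registrable domains where a redirect would plausibly
# land if the app really belonged to the brand it claims. Real apps vary, so a
# mismatch is a triage signal to investigate, not proof of malice.
EXPECTED_REDIRECT_DOMAINS = {
    "ringcentral": {"ringcentral.com"},
    "docusign": {"docusign.com"},
    "adobe": {"adobe.com"},
    "sharepoint": {"sharepoint.com", "microsoft.com"},
}

# Constructed lure. The hostname is genuinely Microsoft's, so a reputation
# check on the link alone passes; only redirect_uri shows where the browser ends up.
LURE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-00000000abcd"
        "&response_type=code&response_mode=query"
        "&redirect_uri=https%3A%2F%2Fringcentral-secure-docs.example.net%2Fcallback"
        "&scope=openid%20profile%20User.Read"
        "&state=inv-48213&prompt=consent")


def parse_consent_link(url: str) -> dict:
    """Pull the fields that matter for triage out of an /authorize URL."""
    p = urlsplit(url)
    if p.scheme != "https" or p.hostname not in MS_AUTHORITY_HOSTS:
        raise ValueError("not a Microsoft identity platform URL")
    segments = [s for s in p.path.split("/") if s]
    # v1: /{tenant}/oauth2/authorize    v2: /{tenant}/oauth2/v2.0/authorize
    if len(segments) < 3 or segments[1] != "oauth2" or segments[-1] != "authorize":
        raise ValueError("not an /oauth2/.../authorize endpoint")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}  # parse_qs percent-decodes
    if "client_id" not in q or "redirect_uri" not in q:
        raise ValueError("authorize request lacks client_id or redirect_uri")
    return {
        "tenant": segments[0],
        "client_id": q["client_id"],
        "redirect_uri": q["redirect_uri"],
        "redirect_host": urlsplit(q["redirect_uri"]).hostname or "",
        "scopes": q.get("scope", "").split(),
        "state": q.get("state"),
        "prompt": q.get("prompt"),
    }


def redirect_after(info: dict, approved: bool) -> str:
    """URL the authorization endpoint sends the browser to after the consent screen."""
    if approved:
        params = {"code": "<authorization-code>", "state": info["state"]}
    else:
        # Placeholder description text; the error code is the documented one.
        params = {"error": "access_denied", "error_description": "user declined consent",
                  "state": info["state"]}
    params = {k: v for k, v in params.items() if v is not None}
    r = urlsplit(info["redirect_uri"])
    query = (r.query + "&" if r.query else "") + urlencode(params)
    return urlunsplit((r.scheme, r.netloc, r.path, query, r.fragment))


def triage(url: str, claimed_brand: str) -> dict:
    """Parsed request plus human-readable findings and both redirect outcomes."""
    info = parse_consent_link(url)
    findings = []
    host = info["redirect_host"]
    expected = EXPECTED_REDIRECT_DOMAINS.get(claimed_brand.lower(), set())
    if not any(host == d or host.endswith("." + d) for d in expected):
        findings.append(f"redirect_uri host {host!r} does not belong to {claimed_brand}")
    if "offline_access" in info["scopes"]:
        findings.append("requests offline_access, i.e. a refresh token")
    info["grant_redirect"] = redirect_after(info, True)
    info["cancel_redirect"] = redirect_after(info, False)
    # The property the lure relies on: Accept and Cancel land on the same host.
    info["cancel_lands_on_same_host"] = (urlsplit(info["grant_redirect"]).hostname
                                        == urlsplit(info["cancel_redirect"]).hostname)
    info["findings"] = findings
    return info


if __name__ == "__main__":
    result = triage(LURE, "RingCentral")
    print("redirect host:", result["redirect_host"])
    print("cancel goes to:", result["cancel_redirect"])
    for finding in result["findings"]:
        print("finding:", finding)
```

The point for mail-security and triage tooling is that the link's own hostname is useless as an indicator here; the redirect_uri parameter is where the destination hides, and it is usually percent-encoded, so parse it rather than regex the raw string.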

Scale and Evolution of the Threat

Proofpoint researchers have tracked this activity since early 2025, identifying more than 50 impersonated applications. In one observed campaign, nearly 3,000 user accounts across more than 900 Microsoft 365 environments were affected, with a reported success rate above 50%. The Tycoon 2FA kit is under continuous development; newer versions are stealthier and better at blocking bots and analysis tools. The operators' financial gains are substantial: one Bitcoin wallet linked to the service has accumulated hundreds of thousands of dollars.

Defensive Measures and Microsoft's Response

To combat these attacks, security experts recommend layered email security, cloud security monitoring for account-takeover indicators such as sign-ins from unusual locations and session reuse from a second address, and web isolation. User awareness training helps, but the strongest control is phishing-resistant authentication such as FIDO2 security keys or passkeys: the credential is bound to the origin it was registered for, so a proxy page on an attacker's domain cannot complete the authentication ceremony. Microsoft has announced changes to Microsoft 365 default settings, including blocking legacy authentication and requiring admin consent for third-party app access, which are expected to significantly hinder this lure once fully rolled out by August 2025.
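As an added example of the account-takeover monitoring recommended above (not code from the article or from any of the vendors it cites), the following detector runs over constructed, simplified consent and sign-in records whose fields are loosely modelled on what Entra ID audit and sign-in logs expose. The users, IP addresses, session identifiers and app name are invented. It looks for the shape an AiTM relay leaves behind: Microsoft sees the interactive, MFA-satisfied sign-in coming from the proxy's address rather than the victim's, and the same session is then used from a different address with no new MFA prompt. A preceding consent to an unverified-publisher app raises severity but is not required, because a user who clicks Cancel produces no consent event yet is phished all the same:

```python
"""Detect the consent-then-AiTM pattern over constructed log records.

Added example, not code from the article or from Proofpoint. The record
layout is a simplified, constructed subset of Entra ID "Consent to
application" audit entries and sign-in entries; every event is invented.
"""
from datetime import datetime, timedelta, timezone


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed baseline of countries each user normally signs in from.
BASELINE = {"alice@example.com": {"US"}, "bob@example.com": {"US"}, "carol@example.com": {"US"}}

# Constructed "Consent to application" audit records.
CONSENTS = [
    {"time": "2025-06-03T09:12:04Z", "user": "alice@example.com",
     "app": "RingCentral", "publisher_verified": False},
]

# Constructed sign-in records (RFC 5737 test addresses).
SIGNINS = [
    # alice: consented, AiTM relay signs in from a NL hosting address, cookie replayed from DE
    {"time": "2025-06-03T09:13:40Z", "user": "alice@example.com", "ip": "198.51.100.77",
     "country": "NL", "session_id": "sess-a1", "interactive": True, "mfa": True},
    {"time": "2025-06-03T09:21:02Z", "user": "alice@example.com", "ip": "203.0.113.9",
     "country": "DE", "session_id": "sess-a1", "interactive": False, "mfa": False},
    # bob: clicked Cancel (no consent record) but was phished the same way
    {"time": "2025-06-03T10:02:11Z", "user": "bob@example.com", "ip": "198.51.100.77",
     "country": "NL", "session_id": "sess-b1", "interactive": True, "mfa": True},
    {"time": "2025-06-03T10:40:55Z", "user": "bob@example.com", "ip": "203.0.113.9",
     "country": "DE", "session_id": "sess-b1", "interactive": False, "mfa": False},
    # carol: normal day, session reused from her own address
    {"time": "2025-06-03T08:00:00Z", "user": "carol@example.com", "ip": "192.0.2.15",
     "country": "US", "session_id": "sess-c1", "interactive": True, "mfa": True},
    {"time": "2025-06-03T11:00:00Z", "user": "carol@example.com", "ip": "192.0.2.15",
     "country": "US", "session_id": "sess-c1", "interactive": False, "mfa": False},
]


def detect(consents, signins, baseline, consent_window=timedelta(minutes=30)):
    """Return one finding per suspected relayed sign-in whose session was replayed."""
    findings = []
    by_user = {}
    for s in signins:
        by_user.setdefault(s["user"], []).append(s)
    for user, events in by_user.items():
        events.sort(key=lambda e: ts(e["time"]))
        for i, first in enumerate(events):
            # Candidate relay: interactive sign-in that satisfied MFA from outside the baseline.
            if not (first["interactive"] and first["mfa"]):
                continue
            if first["country"] in baseline.get(user, set()):
                continue
            # Replay: same session later seen from another address with no fresh MFA.
            replays = [r for r in events[i + 1:]
                       if r["session_id"] == first["session_id"]
                       and r["ip"] != first["ip"] and not r["mfa"]]
            if not replays:
                continue
            t0 = ts(first["time"])
            prior = [c for c in consents
                     if c["user"] == user and not c["publisher_verified"]
                     and t0 - consent_window <= ts(c["time"]) <= t0]
            findings.append({
                "user": user,
                "session_id": first["session_id"],
                "relay_ip": first["ip"],
                "replay_ips": sorted({r["ip"] for r in replays}),
                "consented_app": prior[0]["app"] if prior else None,
                "severity": "high" if prior else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect(CONSENTS, SIGNINS, BASELINE):
        print(f)
```

Response to a hit should revoke the user's sessions and refresh tokens, not just reset the password, since the attacker holds a live cookie; and the app that was consented to should be reviewed and its service principal removed from the tenant.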

Sources

  • Threat Actors Impersonate Microsoft OAuth Apps to Steal Login Credentials, GBHackers News.

  • New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts, BleepingComputer.

  • Cybercriminals Exploit Microsoft OAuth Apps to Harvest Login Credentials, Cyber Press.

  • Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts, The Hacker News.

  • Cybercrooks faked Microsoft OAuth apps for MFA phishing, CSO Online.
