A new wave of phishing attacks has been exploiting Microsoft 365 environments, successfully bypassing even two-factor authentication (2FA) in many cases. According to cybersecurity firm Proofpoint, attackers have compromised nearly 3,000 accounts across more than 900 organizations since the start of 2025, with an alarming success rate of over 50%.
The technique centers on abuse of Microsoft’s OAuth framework, a legitimate login mechanism that allows third-party applications to access user accounts without passwords. Threat actors have been deploying dozens of malicious applications posing as well-known services such as Adobe, DocuSign, and SharePoint. These apps request seemingly benign permissions—such as access to basic profile information—but are configured to redirect users to phishing pages after login.
The initial attack begins with phishing emails that often appear to come from trusted sources, including compromised corporate accounts. The messages are tailored to mimic industry-specific communication, typically involving quote requests or contract discussions. Once the recipient clicks a link, they are directed to Microsoft’s legitimate OAuth consent page. The user is then asked to approve access to the malicious app.
Whether users click “Accept” or “Cancel,” they are still redirected—first to a CAPTCHA page and then to a fake Microsoft login screen. This is where the actual credentials and session tokens are harvested, allowing attackers to hijack accounts in real time. These session cookies enable attackers to bypass even active 2FA protections, maintaining access without needing repeated verification.
To curb the threat, Microsoft is introducing changes to default security policies. Going forward, users will no longer be able to authorize third-party applications without administrator approval, limiting unauthorized app-based access.
This type of attack highlights a growing trend in identity-based threats, where attackers rely less on stealing passwords and more on manipulating trusted login flows. Organizations are advised to closely monitor app permissions and educate users to verify domain authenticity before granting access.
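As an added illustration of the "monitor app permissions" advice (this is example code, not Proofpoint's or Microsoft's), the triage below scores consent-grant events the way a defender would for the campaign described: a brand-lookalike app name from an unverified publisher, a redirect URI outside an allowlist of known vendor domains, and user-level (not admin) consent. The record layout, the allowlist and the sample events are constructed assumptions, not the exact Entra ID audit-log schema.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Brands the article reports being impersonated by the malicious apps.
IMPERSONATED_BRANDS = ("adobe", "docusign", "sharepoint")

# Constructed allowlist: domains a legitimate app for these brands would
# redirect to. Real tenants would maintain this from their approved vendors.
TRUSTED_REDIRECT_SUFFIXES = ("adobe.com", "docusign.com", "microsoftonline.com")


@dataclass
class ConsentEvent:
    """Simplified consent-grant record (field names are assumptions)."""
    user: str
    app_name: str
    publisher_verified: bool
    scopes: tuple
    redirect_uri: str
    consent_type: str  # "User" or "Admin"


def redirect_is_trusted(uri: str) -> bool:
    # Match on the registrable host, so "docusign.com.evil.example" is not trusted.
    host = (urlparse(uri).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_REDIRECT_SUFFIXES)


def triage(event: ConsentEvent) -> list:
    """Return the reasons an event deserves review; empty list means no finding.
    Note: the requested scopes are deliberately not a signal on their own. The
    campaign asks only for basic profile access, so low privilege is not safety."""
    reasons = []
    name = event.app_name.lower()
    if any(b in name for b in IMPERSONATED_BRANDS) and not event.publisher_verified:
        reasons.append("brand-lookalike app name from an unverified publisher")
    if not redirect_is_trusted(event.redirect_uri):
        reasons.append(f"redirect to untrusted host {urlparse(event.redirect_uri).hostname}")
    if event.consent_type == "User" and not event.publisher_verified:
        reasons.append("user-granted consent to an unverified app")
    return reasons


def flagged_events(events) -> dict:
    """Map each suspicious app name to its triage reasons."""
    return {e.app_name: r for e in events if (r := triage(e))}


# Constructed sample events: two lookalikes with off-domain redirects, one genuine.
SAMPLE_EVENTS = [
    ConsentEvent("alice@example-corp.com", "Adobe Acrobat Sign", False,
                 ("openid", "profile", "User.Read"), "https://doc-review-portal.example/callback", "User"),
    ConsentEvent("bob@example-corp.com", "DocuSign", True,
                 ("User.Read",), "https://account.docusign.com/oauth/callback", "User"),
    ConsentEvent("carol@example-corp.com", "SharePoint Viewer", False,
                 ("User.Read",), "https://sharepoint-files.example/auth", "User"),
]
```

Running `flagged_events(SAMPLE_EVENTS)` flags the two lookalike apps and passes the verified DocuSign grant; in a real deployment the input would come from the tenant's consent audit events and the allowlist from its approved vendor list.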