
Hackers Exploit OAuth Apps to Steal Microsoft 365 Data

Microsoft 365 Users at Risk from OAuth-Based Attacks

Cybercriminals are registering malicious Microsoft OAuth apps that pose as Adobe and DocuSign applications, then using the consent flow to funnel Microsoft 365 users toward malware and credential-phishing pages.

Proofpoint researchers uncovered the campaigns and described them as highly targeted in a security advisory shared on X (formerly Twitter). The fraudulent apps borrow the names of legitimate services, such as Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign, so the consent prompt looks like a routine document-sharing request and is less likely to raise suspicion.

How the Attack Works

The phishing emails are sent from compromised accounts, in particular those of charities and small businesses whose Office 365 tenants appear to have been breached, which lets the messages pass sender-based checks. Recipients span the government, healthcare, supply chain, and retail sectors in both the United States and Europe. The lures are typically Requests for Proposal (RFPs) and contract-related documents that prompt the target to follow a link to the malicious OAuth consent page.

Once the victim clicks "Accept" on the consent prompt, the app is granted a delegated token carrying three standard OpenID Connect scopes:

  • profile – Full name, user ID, profile picture, and username
  • email – Primary email address (without inbox access)
  • openid – An ID token asserting the signed-in user's identity and Microsoft account identifiers

These permissions look harmless: none of them reads mail or files. That is the point. The consent is unlikely to alarm the user or trip admin approval, yet it confirms a live, interested target and hands the attacker verified identity details for follow-on phishing. After consent is granted, the victim is redirected through a chain of malicious sites that ends at one of two destinations:

  • Phishing pages designed to steal Microsoft 365 credentials
  • Malware payloads deployed via drive-by downloads

Proofpoint analysts observed that in some cases the redirect chain ended at a fake Office 365 login page hosted on an attacker-controlled domain. Within a minute of the victim authorizing the app, suspicious sign-in activity was recorded on the compromised account.

Prevention and Security Recommendations

This attack method is not new; similar OAuth consent-phishing campaigns have been reported over the past few years. It does show that OAuth app abuse remains an effective way to hijack Microsoft 365 accounts: the consent step gives the attacker a token-based foothold without a password changing hands, and in this campaign it also steers the victim to a page that harvests the password anyway.

To protect against these attacks, users and administrators should take the following steps:

  • Verify OAuth App Requests – Before accepting a consent prompt, check who is asking: Microsoft labels apps whose publisher has not been verified, and an "unverified" app calling itself Adobe or DocuSign is a strong warning sign. Also confirm that the request was expected; a consent prompt arriving via an RFP or contract email is not.
  • Monitor Approved Apps – Visit Microsoft My Apps → Manage Your Apps and revoke any OAuth application you do not recognize. Administrators should review tenant-wide consent grants regularly, because a single user's consent does not show up in the administrator's own My Apps list.
  • Restrict OAuth Permissions – Microsoft 365 administrators can limit third-party app consent in Microsoft Entra via:
    • Enterprise Applications → Consent and Permissions → User consent settings → choose "Do not allow user consent", or the middle option that allows consent only for apps from verified publishers requesting low-risk permissions.
    • If user consent is disabled outright, enable the admin consent workflow so that users can request approval instead of being blocked silently; otherwise they will look for workarounds.
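The scopes listed under "How the Attack Works" and the "Monitor Approved Apps" step above are easiest to act on with a tenant-wide inventory rather than a per-user My Apps review. The script below is an added example, not code from the article or from Proofpoint. It triages delegated consent grants for apps whose name claims a brand they cannot substantiate (unverified publisher, or reply URLs outside the brand's domains) and emits the Microsoft Graph calls that would delete the offending grants. The records are constructed and shaped like Graph `servicePrincipal` and `oauth2PermissionGrant` objects (field names in snake_case); the brand-to-domain table, IDs, names and URLs are all assumptions made for the example.

```python
"""Triage delegated OAuth consent grants for brand-impersonating apps.

Added example, not code from the article or from Proofpoint. Records are
constructed here and shaped like the Microsoft Graph `servicePrincipal` and
`oauth2PermissionGrant` objects; every ID, name and URL is made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Brands the campaign impersonated, mapped to the registrable domains a genuine
# app from that vendor would use in its reply URLs (assumption; extend as needed).
BRAND_DOMAINS: dict[str, set[str]] = {
    "adobe": {"adobe.com", "adobelogin.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

# OpenID Connect identity scopes: the "limited" permissions the article lists.
IDENTITY_SCOPES = {"openid", "profile", "email", "offline_access"}

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass
class ServicePrincipal:
    id: str                          # object ID that a grant's client_id points at
    app_id: str                      # the client_id seen in the consent URL
    display_name: str
    reply_urls: list[str]
    verified_publisher: str | None   # None when Microsoft has not verified the publisher


@dataclass
class PermissionGrant:
    id: str
    client_id: str                   # ServicePrincipal.id that received consent
    consent_type: str                # "Principal" (one user) or "AllPrincipals" (admin)
    principal_id: str | None         # consenting user, or None for AllPrincipals
    scope: str                       # space-separated scopes, as Graph returns them


def registrable_domain(url: str) -> str:
    """Last two host labels (simplification: ignores multi-label suffixes like co.uk)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def impersonated_brand(display_name: str) -> str | None:
    name = display_name.lower()
    return next((b for b in BRAND_DOMAINS if b in name), None)


def triage(sps: list[ServicePrincipal], grants: list[PermissionGrant]) -> list[dict]:
    """One finding per grant whose app name claims a brand it cannot substantiate."""
    by_id = {sp.id: sp for sp in sps}
    findings = []
    for g in grants:
        sp = by_id.get(g.client_id)
        if sp is None:
            continue
        brand = impersonated_brand(sp.display_name)
        if brand is None:
            continue
        reasons = []
        off_brand = sorted({registrable_domain(u) for u in sp.reply_urls} - BRAND_DOMAINS[brand])
        if off_brand:
            reasons.append(f"name mimics {brand} but reply URLs go to {', '.join(off_brand)}")
        if sp.verified_publisher is None:
            reasons.append(f"name mimics {brand} but the publisher is unverified")
        if reasons:
            scopes = set(g.scope.split())
            findings.append({
                "grant_id": g.id, "app": sp.display_name, "app_id": sp.app_id,
                "consent_type": g.consent_type, "principal_id": g.principal_id,
                "scopes": sorted(scopes),
                # Low-privilege scopes do not make the grant benign; they are
                # exactly what the observed apps asked for.
                "identity_scopes_only": bool(scopes) and scopes <= IDENTITY_SCOPES,
                "reasons": reasons,
            })
    return findings


def revoke_requests(findings: list[dict]) -> list[str]:
    """Graph calls that delete the flagged grants (the same objects My Apps lets a user revoke)."""
    return [f"DELETE {GRAPH}/oauth2PermissionGrants/{f['grant_id']}" for f in findings]


# Constructed sample tenant inventory (not real data).
SAMPLE_SPS = [
    ServicePrincipal("sp-001", "11111111-1111-4111-8111-111111111111", "Adobe Drive X",
                     ["https://adobe-drive-x.invalid/callback"], None),
    ServicePrincipal("sp-002", "22222222-2222-4222-8222-222222222222", "Adobe Acrobat",
                     ["https://acrobat.adobe.com/oauth/callback"], "Adobe Inc."),
    ServicePrincipal("sp-003", "33333333-3333-4333-8333-333333333333", "Contoso Expenses",
                     ["https://expenses.contoso.invalid/signin-oidc"], None),
    ServicePrincipal("sp-004", "44444444-4444-4444-8444-444444444444", "DocuSign",
                     ["https://account.docusign.net/oauth/callback"], None),
]
SAMPLE_GRANTS = [
    PermissionGrant("grant-001", "sp-001", "Principal", "user-alice", "openid profile email"),
    PermissionGrant("grant-002", "sp-002", "Principal", "user-bob", "openid profile email offline_access"),
    PermissionGrant("grant-003", "sp-003", "AllPrincipals", None, "openid profile User.Read"),
    PermissionGrant("grant-004", "sp-004", "Principal", "user-carol", "openid email"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_SPS, SAMPLE_GRANTS)
    for f in found:
        print(f"{f['app']} ({f['app_id']}) consented by {f['principal_id']}: {'; '.join(f['reasons'])}")
    print(*revoke_requests(found), sep="\n")
```

Against the constructed data the look-alike "Adobe Drive X" is flagged on both counts, the unverified "DocuSign" on publisher alone, and the genuine Adobe app and the internal Contoso app pass. To run this against a real tenant, replace the sample lists with the output of `GET /v1.0/servicePrincipals` and `GET /v1.0/oauth2PermissionGrants` and keep the revoke step behind a human review: the heuristics are deliberately narrow and a verified publisher is a signal, not proof.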

By implementing these security measures, organizations can minimize the risks posed by malicious OAuth applications and better protect their Microsoft 365 environments from unauthorized access and credential theft.
