Fake OAuth apps: the latest con trick against Microsoft 365 users
Threat actors are using fake Microsoft 365 OAuth apps, spoofing brands like RingCentral, SharePoint and Adobe, to trick users into granting access to their accounts. The crooks combine the bogus apps with Tycoon Phishing-as-a-Service kits, redirecting victims through a CAPTCHA and then an adversary-in-the-middle page that nabs credentials and MFA codes. Proofpoint spotted 50+ spoofed apps, nearly 3 000 takeover attempts and 900 tenant targets so far in 2025. Microsoft plans to tighten default settings by August 2025, forcing admin consent and blocking legacy auth; vendors hope this will hobble the scheme.
Imagine signing into “SharePoint” only to discover it’s a cardboard cut-out. That’s exactly what’s happening thanks to a new crop of bogus Microsoft OAuth applications whipping around corporate inboxes.
How the scam works
1. Phishing email lands in your inbox, allegedly a new RFQ or contract.
2. Click and you’re shuttled to a Microsoft permissions page for an app called iLSMART (or RingCentral, Adobe, take your pick).
3. Whether you grant access or politely decline, you still end up on a fake Microsoft login that swipes your password and MFA code using the Tycoon AiTM kit.
Why it matters
• More than 50 fake apps spotted since January.
• 3 000 accounts, 900 tenants prodded already.
• Attackers only need one gullible click to binge on emails, OneDrive files and everything in Teams.
Microsoft’s counter-move
Redmond says it will block legacy auth and demand admin consent for third-party apps by August. Good news for defenders; bad news for Tycoon's customer base.
Staying safe
• Treat unexpected “permission” prompts like you would a stranger asking for your car keys.
• Use publisher verification and conditional access.
• Security teams: monitor for new enterprise apps that appear without change tickets—then boot them into space.
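One way to act on the last two bullets is to triage "Consent to application" events from the Entra ID audit log and flag any grant that is not on an approved list, lacks a verified publisher, or asks for mail and file scopes. The script below is an added example written for this article, not Proofpoint's or Microsoft's code. It assumes the audit records have already been exported as JSON in the shape of the directoryAudits API (activityDisplayName, initiatedBy, targetResources with modifiedProperties) and that a separate servicePrincipals lookup supplies each app's appId and verifiedPublisher flag; every record, tenant, user and appId in it is a constructed placeholder. Allow-listing is done by appId rather than display name, because a name like "RingCentral" or "SharePoint" is exactly what the spoofed apps copy.

```python
"""Triage Entra ID 'Consent to application' audit events for spoofed OAuth apps.

Added example, not part of the article or of any vendor's tooling. Field names
follow the Entra ID audit-log schema in simplified form; all sample data is
constructed and the appIds/users below are placeholders, not real tenants.
"""
import json
import re

# Delegated scopes that let an app read or send mail and browse OneDrive /
# SharePoint, i.e. the data a one-click takeover would harvest.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
}

# Constructed sample: three consent events plus one unrelated event that the
# filter must ignore. Shape mirrors directoryAudits entries (simplified).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Consent to application",
     "activityDateTime": "2025-08-01T09:14:03Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
     "targetResources": [{"displayName": "iLSMART", "id": "sp-0001",
         "modifiedProperties": [
             {"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"},
             {"displayName": "ConsentAction.Permissions",
              "newValue": "[] => [[Scope: User.Read Mail.Read offline_access]]"}]}]},
    {"activityDisplayName": "Consent to application",
     "activityDateTime": "2025-08-01T10:02:41Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "Contoso Expense Portal", "id": "sp-0002",
         "modifiedProperties": [
             {"displayName": "ConsentContext.IsAdminConsent", "newValue": "True"},
             {"displayName": "ConsentAction.Permissions",
              "newValue": "[] => [[Scope: User.Read]]"}]}]},
    {"activityDisplayName": "Consent to application",
     "activityDateTime": "2025-08-01T11:37:19Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.test"}},
     "targetResources": [{"displayName": "RingCentral", "id": "sp-0003",
         "modifiedProperties": [
             {"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"},
             {"displayName": "ConsentAction.Permissions",
              "newValue": "[] => [[Scope: User.Read]]"}]}]},
    {"activityDisplayName": "Add service principal",
     "activityDateTime": "2025-08-01T11:37:18Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.test"}},
     "targetResources": [{"displayName": "RingCentral", "id": "sp-0003",
         "modifiedProperties": []}]},
])

# Constructed lookup, as if built from GET /servicePrincipals/{id} for each
# target id: appId plus whether Microsoft publisher verification is present.
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-0001": {"appId": "00000000-0000-0000-0000-000000000001", "verifiedPublisher": False},
    "sp-0002": {"appId": "11111111-1111-1111-1111-111111111111", "verifiedPublisher": True},
    "sp-0003": {"appId": "33333333-3333-3333-3333-333333333333", "verifiedPublisher": False},
}

# Approved apps are pinned by appId (from change tickets), never by display name.
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}


def parse_scopes(new_value):
    """Extract delegated scopes from a ConsentAction.Permissions newValue string."""
    match = re.search(r"Scope:\s*([^\],]+)", new_value)
    return set(match.group(1).split()) if match else set()


def triage_consents(audit_json, service_principals, approved_app_ids):
    """Return a finding for every consent grant a human should review."""
    findings = []
    for event in json.loads(audit_json):
        if event.get("activityDisplayName") != "Consent to application":
            continue
        target = event["targetResources"][0]
        props = {p["displayName"]: p["newValue"] for p in target.get("modifiedProperties", [])}
        admin_consent = props.get("ConsentContext.IsAdminConsent", "False") == "True"
        scopes = parse_scopes(props.get("ConsentAction.Permissions", ""))
        sp = service_principals.get(target["id"], {})
        app_id = sp.get("appId", "unknown")
        risky = sorted(scopes & RISKY_SCOPES)

        reasons = []
        if app_id not in approved_app_ids:
            reasons.append("appId not on approved list (display name alone is spoofable)")
        if not sp.get("verifiedPublisher"):
            reasons.append("publisher not verified")
        if risky:
            reasons.append("requests mail/file scopes: " + ", ".join(risky))
        if reasons:
            findings.append({
                "time": event["activityDateTime"],
                "user": event["initiatedBy"]["user"]["userPrincipalName"],
                "app": target["displayName"],
                "app_id": app_id,
                "admin_consent": admin_consent,
                "risky_scopes": risky,
                "severity": "high" if risky else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_consents(SAMPLE_AUDIT_LOG, SAMPLE_SERVICE_PRINCIPALS, APPROVED_APP_IDS):
        print(f"[{f['severity']}] {f['time']} {f['user']} consented to {f['app']}"
              f" ({f['app_id']}): {'; '.join(f['reasons'])}")
```

Run as a script it prints two findings: the iLSMART grant is high severity because it asks for Mail.Read on an unapproved, unverified app, and the "RingCentral" grant is medium because its appId does not match the tenant's real approved entries even though the name looks legitimate. The Contoso app passes because it was admin-consented, publisher-verified and pinned by appId. Wire the same function to a scheduled Graph export and the unapproved hits become the change-ticket check the last bullet describes.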