Key Takeaways:
Cybersecurity experts have sounded the alarm on a new hacking campaign where cybercriminals use fake Adobe and DocuSign OAuth apps to steal Microsoft 365 credentials and spread malware. First discovered by Proofpoint researchers, this campaign was detailed in a thread on X, exposing how attackers exploit trusted platforms to deceive users.
According to Proofpoint’s Threat Insight team, cybercriminals launched their phishing campaign using compromised Office 365 accounts and email addresses from small businesses and charities. Their phishing emails deceive victims into installing malicious OAuth apps disguised as Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign.
Malicious Microsoft OAuth apps request access to specific permissions, such as profile, email, and OpenID, to evade detection. While these permissions grant attackers only limited data, they can be used to launch highly targeted attacks. Researchers warn that this campaign primarily targets organizations in healthcare, supply chain, retail, and government sectors across the US and Europe.
Once users grant permissions, these malicious apps redirect them to phishing pages designed to steal Microsoft 365 credentials and deploy malware. Researchers found that attackers are using the ClickFix social engineering technique, which tricks victims into running malicious commands. By displaying fake system update alerts or verification prompts, ClickFix deceives users into unknowingly installing malware.
Proofpoint researchers urged organizations to take steps to protect end users against unsafe OAuth apps, including limiting app permissions and implementing conditional access policies. Administrators should also audit and review authorized apps regularly, and restrict users' ability to consent so that unknown OAuth apps require admin approval.
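The audit step above is something defenders can script. The following is an added example, not Proofpoint's or Microsoft's code: it triages consent grants for the pattern the article describes, an app from an unverified publisher whose display name imitates Adobe or DocuSign, consented to by an individual user, and asking only for the identity scopes (profile, email, openid) the campaign used. The input records follow the field names of Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` objects, which an admin would export from the tenant; the tenant id, app ids, user ids and grants below are all constructed for illustration.

```python
"""Triage Microsoft 365 OAuth consent grants for look-alike third-party apps.

Added example, not Proofpoint's or Microsoft's code. Input dicts mirror the
shape of Microsoft Graph servicePrincipal and oauth2PermissionGrant objects
(id, appId, displayName, verifiedPublisher, appOwnerOrganizationId; clientId,
consentType, principalId, scope). All ids and names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Vendor brands the campaign impersonated, per the article.
IMPERSONATED_VENDORS = ("adobe", "docusign")

# Scopes the malicious apps requested: low-privilege on their own, but enough
# to identify the victim and hand them to a tailored phishing page.
IDENTITY_ONLY_SCOPES = {"openid", "profile", "email"}


@dataclass
class Finding:
    app_display_name: str
    app_id: str
    principal_id: Optional[str]   # user who consented; None for admin (tenant-wide) consent
    scopes: list
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A look-alike name from an unverified publisher is the campaign's signature.
        return "high" if any("look-alike" in r for r in self.reasons) else "medium"


def looks_like_vendor(display_name: str) -> bool:
    name = display_name.lower()
    return any(vendor in name for vendor in IMPERSONATED_VENDORS)


def audit_oauth_grants(service_principals, grants, tenant_id):
    """Return a Finding for each grant to an unverified-publisher app that either
    impersonates a trusted vendor or was consented to by an individual user."""
    sp_by_object_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sp_by_object_id.get(grant["clientId"])
        # Unknown client, or an app this tenant owns itself: out of scope here.
        if sp is None or sp.get("appOwnerOrganizationId") == tenant_id:
            continue
        publisher = sp.get("verifiedPublisher") or {}
        if publisher.get("verifiedPublisherId"):
            continue  # verified publisher: not the pattern the campaign relies on
        name = sp.get("displayName", "")
        lookalike = looks_like_vendor(name)
        user_consented = grant.get("consentType") == "Principal"
        # "Unverified" alone is noisy; require one of the campaign's other signals.
        if not (lookalike or user_consented):
            continue
        reasons = ["publisher is not verified"]
        if lookalike:
            reasons.append("display name is a look-alike of a trusted vendor")
        if user_consented:
            reasons.append("consent was granted by an individual user, not an admin")
        scopes = grant.get("scope", "").split()
        if scopes and set(scopes) <= IDENTITY_ONLY_SCOPES:
            reasons.append("requests only identity scopes (openid/profile/email)")
        findings.append(Finding(name, sp["appId"], grant.get("principalId"), scopes, reasons))
    return findings


TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed

SERVICE_PRINCIPALS = [  # constructed records in Graph servicePrincipal shape
    {"id": "sp-1", "appId": "app-0001", "displayName": "Adobe Drive X",
     "verifiedPublisher": {}, "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
    {"id": "sp-2", "appId": "app-0002", "displayName": "Adobe Acrobat",
     "verifiedPublisher": {"displayName": "Adobe Inc.", "verifiedPublisherId": "MPN-0001"},
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333"},
    {"id": "sp-3", "appId": "app-0003", "displayName": "DocuSign Connector",
     "verifiedPublisher": {}, "appOwnerOrganizationId": TENANT_ID},
    {"id": "sp-4", "appId": "app-0004", "displayName": "Expense Helper",
     "verifiedPublisher": {}, "appOwnerOrganizationId": "44444444-4444-4444-4444-444444444444"},
]

GRANTS = [  # constructed records in Graph oauth2PermissionGrant shape
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-1", "scope": "openid profile email"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-1", "scope": "openid profile email"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read"},
    {"clientId": "sp-4", "consentType": "Principal", "principalId": "user-2", "scope": "User.Read Mail.Read"},
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None, "scope": "openid"},
]

if __name__ == "__main__":
    for f in audit_oauth_grants(SERVICE_PRINCIPALS, GRANTS, TENANT_ID):
        print(f"[{f.severity}] {f.app_display_name} ({f.app_id}) scopes={f.scopes}")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed data, the verified "Adobe Acrobat" app and the tenant's own "DocuSign Connector" are not reported, while the unverified "Adobe Drive X" is reported for both its user-consented grant and its tenant-wide grant. The "Expense Helper" entry shows why user consent alone is only medium severity: it is exactly the kind of grant the admin-approval requirement in the paragraph above is meant to put in front of a reviewer.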