Rising Threats to Microsoft 365 Security Highlighted by Recent Phishing Campaigns

By Tina Reynolds

At the beginning of 2025, cybersecurity company Proofpoint released new figures showing a dramatic increase in tactics used to compromise Microsoft 365 accounts. A complicated, class-based phishing campaign that started in early November 2024 led to the compromise of almost 3,000 user accounts across more than 900 Microsoft 365 environments worldwide. The campaign mainly targeted companies in France, Luxembourg, Belgium, and Germany, using spoofed OAuth applications to steal access tokens.

To guard against these weaknesses, Microsoft is reducing attack surfaces by changing default settings in its platforms. The company expects to complete these changes by August 2025. Specifically, it will block all legacy authentication protocols and require administrative consent for third-party app access. This is one step within a larger initiative to better protect users from the increasingly creative attack tactics that cybercriminals use every day.

The Nature of the Phishing Campaign

Proofpoint’s research found that this phishing campaign used emails impersonating Adobe, sent through Twilio SendGrid. For each of the user roles, the attackers’ goal was either to fool users into providing authorization or to redirect them to phishing pages using cancellation flows. Over 50 unique impersonated applications were used across multiple mass email campaigns. One notable case is FleetDeck RMM, which served as the threat actor’s malicious remote management software in these incidents.

Spam campaigns linked to this threat have been obfuscating installation links inside PDF files. These documents take the form of invoices, contracts and real estate property listings, which enhances their credibility and lures victims into clicking the embedded links.

“These PDFs are often disguised to look like invoices, contracts, or property listings to enhance credibility and lure victims into clicking the embedded link.” – WithSecure

It’s a tactic used to get around traditional email and malware protections that organizations tend to have in place.

Ongoing Threat Landscape

This time, the ongoing phishing campaign is simply a reminder of a larger and equally concerning trend emerging in the cybersecurity landscape. I have learned that threat actors are always changing how they attack. In doing so, they look to evade detection mechanisms and penetrate institutions worldwide.

Tycoon and ODx phishing kits have allowed cyber criminals to run MFA phishing at scale. These kits serve as gateways for unauthorized access to users’ Microsoft 365 accounts, representing a significant risk for businesses relying on these platforms for daily operations.

“Threat actors are creating increasingly innovative attack chains in an attempt to bypass detections and obtain access to organizations globally.” – Proofpoint

In light of such threats, Microsoft’s forthcoming changes are expected to help strengthen user security and lower overall risk.

Implications of Microsoft’s Security Update

Microsoft’s upcoming changes are likely to be seismic for the entire security ecosystem. By blocking legacy authentication protocols and requiring admin consent for third-party app access, the company aims to hinder threat actors who exploit these weaknesses.

“This update will have a positive impact on the landscape overall and will hamstring threat actors that use this technique.” – Proofpoint

Even legitimate applications request permissions that appear innocuous on their face. These permissions are often enough to allow attackers to execute later stages of a multi-stage attack. Microsoft is leading the way in stopping the escalating identity-targeted attack trend. Proofpoint forecasts that these types of attacks are about to become the new normal in the criminal underworld.

“Anticipates threat actors will increasingly target users’ identity, with AiTM credential phishing becoming the criminal industry standard.” – Proofpoint
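
For a tenant administrator, the practical counterpart to the admin-consent change is reviewing which third-party apps users have already consented to. The following is an added example, not code from Proofpoint or Microsoft: the records, IDs, app names and scopes are constructed, shaped like Microsoft Graph oauth2PermissionGrant and servicePrincipal objects, and `triage_grants` is a hypothetical helper.

```python
# Added example. Records are constructed but use the field names of Microsoft
# Graph oauth2PermissionGrant and servicePrincipal objects.
HOME_TENANT = "tenant-home"  # constructed placeholder for this tenant's id
IMPERSONATED_BRANDS = ("adobe",)  # the brand this page says was impersonated

SERVICE_PRINCIPALS = [  # constructed sample data
    {"id": "sp-1", "displayName": "Adobe Document Viewer",
     "appOwnerOrganizationId": "tenant-x",
     "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-2", "displayName": "Example Calendar Sync",
     "appOwnerOrganizationId": "tenant-y",
     "verifiedPublisher": {"verifiedPublisherId": "1234567"}},
    {"id": "sp-3", "displayName": "Internal HR Portal",
     "appOwnerOrganizationId": HOME_TENANT, "verifiedPublisher": None},
]
GRANT_FIELDS = ("clientId", "consentType", "principalId", "scope")
GRANTS = [dict(zip(GRANT_FIELDS, row)) for row in [  # constructed sample data
    ("sp-1", "Principal", "user-a", "openid profile email"),
    ("sp-1", "Principal", "user-b", "openid profile email"),
    ("sp-2", "Principal", "user-c", "Calendars.Read"),
    ("sp-2", "AllPrincipals", None, "User.Read"),
    ("sp-3", "Principal", "user-a", "User.Read"),
]]

def triage_grants(grants, service_principals, home_tenant=HOME_TENANT):
    """Group user-consented third-party grants by app, with review reasons."""
    apps = {sp["id"]: sp for sp in service_principals}
    findings = {}
    for g in grants:
        sp = apps.get(g["clientId"])
        skip_app = sp is None or sp.get("appOwnerOrganizationId") == home_tenant
        if skip_app or g["consentType"] != "Principal":
            continue  # own-tenant or unknown app, or tenant-wide admin consent
        reasons = ["user consent without admin review"]
        if not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
            reasons.append("unverified publisher")
            if any(b in sp["displayName"].lower() for b in IMPERSONATED_BRANDS):
                reasons.append("unverified app using an impersonated brand name")
        # Scopes are recorded, not filtered on: harmless-looking ones still count.
        entry = findings.setdefault(
            sp["displayName"], {"reasons": reasons, "users": set(), "scopes": set()})
        entry["users"].add(g["principalId"])
        entry["scopes"].update(g["scope"].split())
    return findings

if __name__ == "__main__":
    for app, f in triage_grants(GRANTS, SERVICE_PRINCIPALS).items():
        print(app, sorted(f["users"]), sorted(f["scopes"]), f["reasons"])
```

Apps that carry the brand-name reason are the ones to revoke and investigate first; the remaining user-consented apps are candidates for admin review.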