Azure users fall victim to phishing scams and account hijacks
In a concerning development, a sophisticated OAuth-based account takeover campaign has been targeting Microsoft Azure environments since early 2025. The campaign, which exploits fake Microsoft OAuth applications to bypass multi-factor authentication (MFA), has affected approximately 500 user accounts in over 200 organizations, according to cybersecurity firm Proofpoint.
The malicious activities carried out by the threat actors in the Microsoft Azure environments include multifactor authentication manipulation, data theft, follow-on phishing attacks, financial fraud, and even the impersonation of enterprise applications such as RingCentral, SharePoint, Adobe, DocuSign, and ILSMart, a notable app related to the aviation, marine, and defense sectors.
The attacks are believed to be motivated by financial gain, with the threat actors using phishing emails containing links to malicious OAuth consent pages to harvest credentials and hijack sessions. They leverage phishing kits like Tycoon and ODx for their nefarious activities.
The campaign abuses OAuth token hijacking and MFA bypass techniques as detailed in the "nOAuth" vulnerability disclosed in June 2025 affecting Microsoft Entra ID (formerly Azure AD). This vulnerability allowed attackers to hijack OAuth tokens and bypass conditional access controls, compromising thousands of SaaS apps relying on Entra ID.
Regarding affected organizations, Proofpoint's report does not disclose a comprehensive victim list but confirms impersonation of widely used enterprise apps, suggesting targeting across industries. The aviation, marine, and defense industries are implicated due to the impersonation of ILSMart.
Post-takeover, the threat actors carry out a range of malicious activities, including continued access to email and cloud data, lateral movement within networks, installation of follow-on malware, additional phishing or business email compromise attacks sent from the compromised accounts, and abuse of the permissions granted via OAuth tokens to maintain persistence. Forged SAML tokens are also used to escalate privileges and access the Azure Portal and Microsoft 365 services without additional MFA.
Microsoft responded to these attacks by updating Microsoft 365 settings starting mid-July 2025 to block legacy authentication protocols and require admin consent for third-party app access, measures aimed at mitigating such OAuth-based attacks.
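Until admin-consent enforcement is in place, the signal defenders have is the consent grant itself: a user consenting to an application whose name mimics a well-known brand, from an unverified publisher, asking for mailbox or file scopes plus `offline_access` for refresh tokens. The following added triage script is example code, not Proofpoint's or Microsoft's, and runs over constructed records whose field names (`app_display_name`, `publisher_verified`, `consent_type`, `scopes`, `user`) are simplifications of what an Entra ID "Consent to application" audit entry carries; mapping them onto the real export format is left to the reader.

```python
# Score OAuth consent-grant events for fake-app patterns and return the ones
# worth an analyst's attention. Sample records are constructed for this example.
SAMPLE_EVENTS = [
    {"app_display_name": "RingCentral Connect", "publisher_verified": False,
     "consent_type": "User", "user": "alice@example.com",
     "scopes": ["User.Read", "Mail.Read", "offline_access"]},
    {"app_display_name": "Contoso Expense Portal", "publisher_verified": True,
     "consent_type": "Admin", "user": "admin@example.com",
     "scopes": ["User.Read"]},
    {"app_display_name": "Adobe Acrobat Sign", "publisher_verified": True,
     "consent_type": "User", "user": "bob@example.com",
     "scopes": ["User.Read", "offline_access"]},
    {"app_display_name": "Team Calendar Sync", "publisher_verified": False,
     "consent_type": "User", "user": "carol@example.com",
     "scopes": ["Mail.ReadWrite"]},
]

# Delegated Graph scopes that give a third party mailbox or document access.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Directory.AccessAsUser.All",
}
# Brands the article reports being impersonated; matched case-insensitively.
IMPERSONATED_BRANDS = ("ringcentral", "sharepoint", "adobe", "docusign", "ilsmart")


def risk_score(event: dict) -> tuple[int, list[str]]:
    """Return an additive score and the human-readable reasons behind it."""
    score, reasons = 0, []
    scopes = set(event.get("scopes", []))
    name = event.get("app_display_name", "").lower()

    if event.get("consent_type") == "User":
        score += 1
        reasons.append("consent granted by end user, not an admin")
    risky = scopes & HIGH_RISK_SCOPES
    if risky:
        score += 2
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if "offline_access" in scopes:
        score += 1
        reasons.append("offline_access requested (long-lived refresh token)")
    if any(b in name for b in IMPERSONATED_BRANDS) and not event.get("publisher_verified"):
        score += 3
        reasons.append("brand-like app name from an unverified publisher")
    return score, reasons


def triage(events: list[dict], threshold: int = 3) -> list[tuple[str, int, list[str]]]:
    """Keep events at or above the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = risk_score(ev)
        if score >= threshold:
            hits.append((ev["app_display_name"], score, reasons))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for app, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {app}")
        for r in reasons:
            print("     -", r)
```

The weights are deliberately simple so the reasons stay readable in a ticket; the point is that the verified-publisher "Adobe" grant scores below the threshold while the unverified "RingCentral" lookalike asking for mail plus refresh tokens rises to the top, which is the shape of the consent phishing the article describes.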
The ongoing account takeover campaign on Microsoft Azure environments comes during a period of heightened scrutiny of Microsoft's internal and external security practices. Proofpoint, in a blog post, attributed the attacks to financially-motivated threat actors, but did not name the organizations impacted by these takeovers.
In response to these attacks and the criticism, Microsoft is overhauling its cybersecurity strategy both inside and outside the company. However, the attacks are ongoing, posing a significant risk for organizations using Microsoft 365 and Azure environments.
References:
- Use of fake OAuth apps impersonating major enterprise apps and MFA phishing: [1][2]
- OAuth token hijacking "nOAuth" vulnerability enabling SaaS compromises: [3]
- Post-compromise malicious activities, privilege escalation techniques: [4][5]
- Microsoft mitigation efforts: [2]
- Attackers are using phishing and cloud account takeover techniques to compromise individual employees' access to their employer's Microsoft Azure system.
- The first signs of this attack were observed in late November, but there has been a substantial increase in the number of incidents during December and January.
- The ongoing account takeover campaign on Microsoft Azure environments, carried out by financially motivated threat actors, involves the use of phishing and cloud account takeover techniques to compromise individual employees' access to their employer's Microsoft Azure system.
- The threat actors are leveraging phishing kits like Tycoon and ODx for their nefarious activities, which are believed to be enabled by the "nOAuth" vulnerability disclosed in June 2025, affecting Microsoft Entra ID (formerly Azure AD) and allowing for OAuth token hijacking and MFA bypass techniques.