
Security researchers recently disclosed a wave of attacks, spreading globally, that target Microsoft's cloud productivity platform, Microsoft 365. The campaign stands out because it is not stopped by multi-factor authentication (MFA): it captures the MFA step along with the password. Once a user is compromised, the attackers keep long-term control of the account and can continuously read sensitive information inside the enterprise.
The attackers first set up their own Microsoft identities, register fake applications with Microsoft's identity platform (Entra ID app registrations) and deploy them in order to obtain users' authorisation tokens. The fake applications are disguised as popular SaaS apps and enterprise services (RingCentral, SharePoint, Adobe, DocuSign and others), so victims believe they are granting permission to a legitimate application.
Unlike traditional phishing, which relies on malicious attachments or links to a credential-harvesting page, this attack rides on the legitimate OAuth authorisation (consent) flow: the page the victim lands on is a genuine Microsoft consent page, so URL filtering in a traditional email security gateway rarely fires. The chain also incorporates the Tycoon and ODx phishing kits, which are built for adversary-in-the-middle (AiTM) attacks: they place a malicious reverse proxy between the user and Microsoft's servers, relay the login in real time, and intercept the credentials, the MFA response and the resulting authenticated session. The activity can be traced back to early 2025 and remains active today; its stealth and persistence have drawn heightened attention from multiple security vendors and enterprise security teams.
The attack chain begins with a phishing email posing as a request for quotation (RFQ) or a commercial contract agreement. These emails are frequently sent from genuine mailboxes that were compromised earlier and may reuse the original company's signature and previous correspondence, which makes them highly credible. The victim is prompted to click an 'authorisation' link in the email.
The link leads to a Microsoft OAuth consent page for a fake, attacker-registered application, for example one named 'iLSMART'. The app requests access to the user's basic account information together with persistent access (the offline_access permission), which is what lets it obtain a refresh token and keep working after the user's session ends. The real iLSMART is a platform serving the aviation, marine and defence parts industries, so the lookalike is credible to targets in those sectors.
Whether the user clicks Accept or Cancel on the consent prompt, they are next shown a CAPTCHA page, which adds a sense of legitimacy and keeps automated URL scanners from reaching the next stage. From there they are redirected to a near-identical replica of the Microsoft sign-in page.
Behind this fake sign-in page the Tycoon or ODx kit proxies the session to Microsoft in real time, capturing the victim's username, password and MFA code as they are entered. Because the proxy completes the genuine login, the attacker obtains an authenticated session immediately and can then hold on to long-lived OAuth refresh tokens to keep access without ever facing the MFA challenge again.
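The chain above leaves two traces in Entra ID logs that can be correlated: a user-granted "Consent to application" audit event for a brand-imitating app with offline_access, followed shortly by an MFA-satisfied sign-in from an IP address the user has never used (the AiTM proxy). The following hunting script is an added example written for this page; it is not code from the researchers, Microsoft or Sinokap. It assumes the Microsoft Graph directoryAudit and signIn field names, the sample log records are constructed, and the 6-hour window and brand list are tuning assumptions.

```python
"""
Correlate consent-phishing and AiTM sign-in signals in Entra ID logs.
Field names follow the Microsoft Graph directoryAudit / signIn shapes;
all sample records below are constructed for this example.
"""
import re
from datetime import datetime, timedelta

# Brands the campaign impersonated, per the article (extend for your tenant).
IMPERSONATED_BRANDS = ("ringcentral", "sharepoint", "adobe", "docusign", "ilsmart")


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _modified(event, name):
    """newValue of a modifiedProperties entry on the first target resource, or ''."""
    for prop in event["targetResources"][0]["modifiedProperties"]:
        if prop["displayName"] == name:
            return prop["newValue"]
    return ""


def granted_scopes(event):
    """Scopes from ConsentAction.Permissions, e.g. '[[..., Scope: User.Read offline_access]]'."""
    m = re.search(r"Scope:\s*([^\]]+)", _modified(event, "ConsentAction.Permissions"))
    return set(m.group(1).split()) if m else set()


def is_admin_consent(event):
    return _modified(event, "ConsentContext.IsAdminConsent").strip('"').lower() == "true"


def suspicious_consents(audit_events):
    """User-granted (not admin) consents carrying offline_access or a brand-imitating name."""
    hits = []
    for ev in audit_events:
        if ev["activityDisplayName"] != "Consent to application" or is_admin_consent(ev):
            continue
        app = ev["targetResources"][0]["displayName"]
        reasons = []
        if "offline_access" in granted_scopes(ev):
            reasons.append("offline_access: refresh token outlives the session")
        if any(b in app.lower() for b in IMPERSONATED_BRANDS):
            reasons.append(f"app name imitates a known product: {app!r}")
        if reasons:
            hits.append({"user": ev["initiatedBy"]["user"]["userPrincipalName"], "app": app,
                         "time": parse_ts(ev["activityDateTime"]), "reasons": reasons})
    return hits


def aitm_followups(hits, signins, window=timedelta(hours=6)):
    """Pair each suspicious consent with a later MFA success from a never-before-seen IP."""
    findings = []
    for h in hits:
        mine = [s for s in signins if s["userPrincipalName"] == h["user"]]
        known_ips = {s["ipAddress"] for s in mine if parse_ts(s["createdDateTime"]) < h["time"]}
        for s in mine:
            t = parse_ts(s["createdDateTime"])
            if (h["time"] <= t <= h["time"] + window and s["status"]["errorCode"] == 0
                    and s["authenticationRequirement"] == "multiFactorAuthentication"
                    and s["ipAddress"] not in known_ips):
                findings.append({**h, "aitm_ip": s["ipAddress"], "signin_time": t})
    return findings


def _consent(user, app, scope, admin, when):
    """Constructed audit record in the directoryAudit shape."""
    return {"activityDisplayName": "Consent to application", "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": user}},
            "targetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": f'"{admin}"'},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": f"[[ConsentType: Principal, Scope: {scope}]]"}]}]}


def _signin(user, ip, when, mfa=True, error=0):
    """Constructed sign-in record in the signIn shape."""
    return {"userPrincipalName": user, "ipAddress": ip, "createdDateTime": when,
            "status": {"errorCode": error}, "authenticationRequirement":
            "multiFactorAuthentication" if mfa else "singleFactorAuthentication"}


# Constructed sample: alice consents to a fake 'iLSMART' app and 40 minutes later
# "signs in" with MFA from an IP she never used; bob's consent was admin-approved.
AUDIT_EVENTS = [
    _consent("alice@example.com", "iLSMART", "openid profile User.Read offline_access",
             "False", "2025-08-05T09:12:00Z"),
    _consent("bob@example.com", "Contoso Expense Tool", "User.Read", "True", "2025-08-05T10:00:00Z"),
]
SIGNINS = [
    _signin("alice@example.com", "203.0.113.10", "2025-08-04T08:30:00Z"),   # usual office IP
    _signin("alice@example.com", "198.51.100.77", "2025-08-05T09:52:00Z"),  # AiTM proxy
    _signin("bob@example.com", "203.0.113.11", "2025-08-05T10:05:00Z"),
]

if __name__ == "__main__":
    for f in aitm_followups(suspicious_consents(AUDIT_EVENTS), SIGNINS):
        print(f"{f['user']}: consented to {f['app']!r} at {f['time']:%H:%M}, then MFA sign-in "
              f"from new IP {f['aitm_ip']} at {f['signin_time']:%H:%M}; " + "; ".join(f["reasons"]))
```

Feed it the output of the Graph auditLogs/directoryAudits and auditLogs/signIns endpoints (or a SIEM export in the same shape). A hit from aitm_followups is the moment to revoke the user's refresh tokens and the app's consent grant, since resetting the password alone leaves the refresh token valid.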
To counter the growing abuse of OAuth consent, Microsoft announced in June 2025 that it is tightening the default security settings of Microsoft 365 tenants, including:
1- Blocking legacy authentication protocols, which cannot enforce MFA and have long been used to bypass it;
2- Requiring administrator approval (admin consent) before third-party applications can access tenant data, so that users can no longer authorise untrusted applications on their own.
The changes are being rolled out in phases from mid-July 2025 and are expected to be fully deployed by August 2025. Security experts expect them to significantly strengthen enterprises' defences against OAuth consent abuse. Note that neither setting stops an AiTM proxy from relaying a genuine login, so user awareness and sign-in monitoring remain necessary alongside them.
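Whether a tenant already meets these two defaults can be read from two Microsoft Graph documents: the tenant authorization policy (user-consent setting) and the list of Conditional Access policies (legacy-auth block). The checker below is an added example written for this page, not Microsoft's own code or tooling. It assumes the Graph response shapes of GET /policies/authorizationPolicy and GET /identity/conditionalAccess/policies, the built-in permission-grant policy names used by the admin center's user-consent options, and that "admin consent required" corresponds to no self-service grant policy being assigned; the sample documents are constructed.

```python
"""
Assess whether a tenant already enforces (1) a block on legacy authentication
and (2) admin consent for third-party apps, from Graph policy JSON.
Sample documents are constructed for this example.
"""
# Client app types that Conditional Access treats as legacy authentication clients.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}
# Built-in permission-grant policies that can appear in permissionGrantPoliciesAssigned.
USER_CONSENT_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
USER_CONSENT_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


def legacy_auth_blocked(ca_policies):
    """True if an enabled CA policy blocks legacy clients for all users with no exclusions."""
    for p in ca_policies:
        cond = p.get("conditions", {})
        users = cond.get("users", {})
        if (p.get("state") == "enabled"
                and "All" in users.get("includeUsers", [])
                and not users.get("excludeUsers")
                and LEGACY_CLIENT_APP_TYPES <= set(cond.get("clientAppTypes", []))
                and "block" in p.get("grantControls", {}).get("builtInControls", [])):
            return True
    return False


def user_consent_posture(authorization_policy):
    """Map permissionGrantPoliciesAssigned to the admin-center user-consent setting."""
    assigned = authorization_policy["defaultUserRolePermissions"]["permissionGrantPoliciesAssigned"]
    if USER_CONSENT_ALL_APPS in assigned:
        return "all-apps"            # users may consent to any app: what the campaign abuses
    if USER_CONSENT_LOW_RISK in assigned:
        return "verified-low-risk"   # verified publishers, low-impact permissions only
    if not assigned:
        return "admin-required"      # no self-service grants: admins approve everything
    return "custom"                  # a tenant-defined grant policy; review it by hand


def assess(authorization_policy, ca_policies):
    """Report which of the two defaults the tenant already meets."""
    posture = user_consent_posture(authorization_policy)
    return {"legacy_auth_blocked": legacy_auth_blocked(ca_policies),
            "admin_consent_required": posture == "admin-required",
            "user_consent": posture}


# Constructed sample documents.
WEAK_AUTHZ = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [USER_CONSENT_ALL_APPS]}}
HARDENED_AUTHZ = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}
BLOCK_LEGACY_POLICY = {
    "displayName": "Block legacy authentication", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["exchangeActiveSync", "other"]},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
# Same policy left in report-only mode: it logs but does not block.
REPORT_ONLY_POLICY = {**BLOCK_LEGACY_POLICY, "state": "enabledForReportingButNotEnforced"}

if __name__ == "__main__":
    print("weak tenant:    ", assess(WEAK_AUTHZ, [REPORT_ONLY_POLICY]))
    print("hardened tenant:", assess(HARDENED_AUTHZ, [REPORT_ONLY_POLICY, BLOCK_LEGACY_POLICY]))
```

Report-only policies are deliberately not counted, since a policy in that state logs legacy sign-ins without blocking them; that is the most common reason a tenant believes legacy auth is blocked when it is not.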
In past projects, Sinokap has helped numerous corporate clients identify and eliminate phishing emails and malware. These cases illustrate our experience in addressing information security threats:
We regularly help clients identify and contain attacks that began with an employee opening a phishing email. By responding quickly and blocking the malicious links, we keep company data secure. We also provide phishing-recognition training for employees to reduce the likelihood of similar incidents in the future.
Sinokap helps companies quickly clean infected devices and restore normal business operations. We also run regular security drills and training to raise employee awareness of the full range of cyberattacks.
The combination of fake OAuth applications and AiTM phishing kits marks another major evolution in attacks on cloud office platforms. For companies that depend heavily on SaaS platforms such as Microsoft 365, this is not only a technical battle but also a contest of security awareness. We have helped clients respond to urgent security incidents, and we also provide long-term information security solutions: Sinokap's IT outsourcing services and information security expert team are always by your side, keeping your business data and operations safe.
If you have any questions regarding corporate network security or IT support, feel free to contact us to learn more about our professional IT outsourcing services.