Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 account credentials. The attacks are similar to those reported years ago, indicating that OAuth apps remain an effective way to hijack Microsoft 365 accounts without stealing credentials.

Furthermore, once permission is granted to the OAuth app, it redirects users to landing pages that display phishing forms for Microsoft 365 credentials or distribute malware. "The victims went through multiple redirections and stages after authorizing O365 OAuth app, until presented with the malware or the phishing page behind," Proofpoint told BleepingComputer. The malicious OAuth apps in this campaign impersonate Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Proofpoint told BleepingComputer that the phishing campaigns were sent from charities or small companies using compromised email accounts, likely Office 365 accounts. While the privileges gained from accepting the Microsoft OAuth app provided only limited data to the attackers, the information could still be used for more targeted attacks.

To check existing approvals, go to 'My Apps' (myapplications.microsoft.com) → 'Manage your apps' and revoke any unrecognized apps on that screen.
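An admin-side counterpart to the per-user 'My Apps' check, added here as an illustration and not taken from the article or from Proofpoint: it triages exported consent records for apps that use one of the impersonated names without a verified publisher. The record fields follow Microsoft Graph's servicePrincipal and oauth2PermissionGrant resources; the sample records, IDs, scopes and the matching heuristic are assumptions.

```python
import re

# App names impersonated in this campaign, as listed in the article
# ("Adobe Drive X" is covered by the "adobe drive" substring).
IMPERSONATED = ("adobe drive", "adobe acrobat", "docusign")

def normalize(name):
    # Lower-case and collapse punctuation so "Adobe-Drive  X" still matches.
    return re.sub(r"[^a-z0-9]+", " ", (name or "").lower()).strip()

def triage(service_principals, grants):
    """Flag consented apps that use an impersonated name without a verified publisher."""
    by_client = {}
    for g in grants:  # clientId is the object id of the app's service principal
        by_client.setdefault(g["clientId"], []).append(g)
    findings = []
    for sp in service_principals:
        name = normalize(sp.get("displayName"))
        if not any(brand in name for brand in IMPERSONATED):
            continue
        if (sp.get("verifiedPublisher") or {}).get("displayName"):
            continue  # verified publisher: lower priority, review by hand
        app_grants = by_client.get(sp["id"], [])
        if not app_grants:
            continue  # nobody has consented, so there is nothing to revoke
        findings.append({
            "appId": sp["appId"],
            "displayName": sp["displayName"],
            "users": sorted({g["principalId"] for g in app_grants if g.get("principalId")}),
            "scopes": sorted({s for g in app_grants for s in (g.get("scope") or "").split()}),
            "tenant_wide": any(g.get("consentType") == "AllPrincipals" for g in app_grants),
        })
    return findings

# Constructed sample records (placeholder IDs, not real tenant data).
SAMPLE_APPS = [
    {"id": "sp-1", "appId": "app-0001", "displayName": "Adobe Drive X", "verifiedPublisher": {"displayName": None}},
    {"id": "sp-2", "appId": "app-0002", "displayName": "Adobe Acrobat", "verifiedPublisher": {"displayName": "Example Verified Publisher"}},
    {"id": "sp-3", "appId": "app-0003", "displayName": "Contoso HR Portal", "verifiedPublisher": None},
    {"id": "sp-4", "appId": "app-0004", "displayName": "DocuSign", "verifiedPublisher": None},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-a", "scope": "openid profile email"},
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-b", "scope": "openid profile"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_APPS, SAMPLE_GRANTS):
        print(finding)
```

Each finding lists the users whose consent should be revoked and the scopes the app was granted, which gives the starting list for follow-up on those accounts.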
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 16 Mar 2025 15:25:20 +0000