Update: Threat Actors Exploit Fake Microsoft OAuth Apps to Steal Credentials
Threat actors are exploiting malicious Microsoft OAuth applications in a series of targeted phishing campaigns designed to bypass MFA and steal login credentials. Proofpoint has tracked over 50 fake applications since early 2025, including ones impersonating RingCentral, SharePoint, Adobe, and DocuSign. The campaigns abuse the OAuth consent flow: the victim is shown a permission prompt that looks legitimate, and the application's registered reply URL (its redirect_uri) then sends the browser on to an attacker-in-the-middle (AiTM) phishing kit. The consent screen is the lure rather than the payload; the kit behind the redirect captures credentials and MFA tokens in real time, enabling account takeovers across hundreds of organizations.

Attackers distribute the malicious OAuth app links in emails sent from compromised accounts, using business-themed lures such as contract or quote requests, and the approach has proven effective across multiple industries and regions. Proofpoint researchers identified supporting infrastructure consisting of redirector URLs and phishing pages. The kits present CAPTCHA challenges and Microsoft-branded login pages customized with the target organization's Entra ID details to add credibility and defeat automated analysis. Once the victim authenticates, the adversary harvests the session cookies, registers an additional MFA method for persistence, and moves laterally across the cloud environment. Phishing operations linked to the Tycoon 2FA kit compromised nearly 3,000 accounts across 900 environments in 2025; Axios-based HTTP client traffic and the reply URLs registered on the fake apps are key indicators of this activity.

Microsoft's planned mid-2025 move to require admin consent for third-party applications by default, together with the retirement of legacy authentication, is expected to reduce exposure but will not eliminate the threat. Organizations should enforce admin consent for OAuth apps, block legacy authentication, monitor for suspicious consent grants, and deploy phishing-resistant MFA such as FIDO2 security keys, which bind the credential to the legitimate origin and therefore cannot be replayed through an AiTM proxy.
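Two checks follow from the description above: a lure link to the Microsoft authorize endpoint can be dissected to see where its reply URL actually points, and Entra ID audit events for "Consent to application" can be scanned for user consents that deserve review. The script below is an added example and is not Proofpoint's or Microsoft's code. The audit events and the lure URL are constructed to follow the shape of real Entra ID audit records (the ConsentAction.Permissions and ConsentContext.IsAdminConsent property names are the ones Entra emits); the risky-scope list and the allowlist of known redirect hosts are assumptions to be tuned per tenant.

```python
"""Triage helpers for OAuth consent phishing: parse the Microsoft authorize URL used
as a lure, and scan Entra ID 'Consent to application' audit events for grants worth
reviewing. Added example; sample data below is constructed."""
import json
import re
from urllib.parse import urlparse, parse_qs

# Scopes that give an app durable or data access once consented (assumed list).
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                "Files.ReadWrite.All", "Sites.Read.All", "MailboxSettings.ReadWrite"}
# Brands the fake apps in the report impersonated.
LURE_BRANDS = ("ringcentral", "sharepoint", "adobe", "docusign")
# Redirect hosts expected in legitimate flows (assumed allowlist; extend it with the
# reply URLs of SaaS apps the tenant has actually approved).
KNOWN_REDIRECT_HOSTS = ("login.microsoftonline.com", "myapps.microsoft.com",
                        "portal.office.com", "account.docusign.com")
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")

# Constructed lure: a real-looking authorize request whose reply URL is a foreign host.
LURE_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
            "&redirect_uri=https%3A%2F%2Fdocs-review.example%2Fcallback"
            "&scope=openid+profile+email+offline_access&state=abc")

def parse_authorize_url(url):
    """Pull client_id, reply-URL host and scopes out of a Microsoft identity platform
    authorize link; return None if the link is not such a request."""
    p = urlparse(url)
    if p.hostname != "login.microsoftonline.com" or "/oauth2/" not in p.path:
        return None
    q = parse_qs(p.query)
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).hostname or ""
    scopes = set(q.get("scope", [""])[0].split())
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "scopes": sorted(scopes),
        "risky_scopes": sorted(scopes & RISKY_SCOPES),
        # The browser lands on the reply URL after Accept or Cancel, so an
        # unfamiliar host here is the first thing to check.
        "unknown_redirect": not any(redirect_host == h or redirect_host.endswith("." + h)
                                    for h in KNOWN_REDIRECT_HOSTS),
    }

# Constructed audit events in the shape of Entra ID 'Consent to application' records.
SAMPLE_EVENTS = [
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "DocuSign",
        "modifiedProperties": [
            {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"False"'},
            {"displayName": "ConsentAction.Permissions", "newValue":
             '"[] => [[Id: 1, ClientId: 2, PrincipalId: 3, ResourceId: 4, '
             'ConsentType: Principal, Scope: openid profile email offline_access]]"'}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Contoso HR Sync",
        "modifiedProperties": [
            {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"True"'},
            {"displayName": "ConsentAction.Permissions", "newValue":
             '"[] => [[Id: 5, ConsentType: AllPrincipals, Scope: Files.Read.All]]"'}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "asmith@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Expense Tracker",
        "modifiedProperties": [
            {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"False"'},
            {"displayName": "ConsentAction.Permissions", "newValue":
             '"[] => [[Id: 6, ConsentType: Principal, Scope: User.Read]]"'}]}]},
]

def prop(event, name):
    """Fetch a modifiedProperties newValue by displayName (Entra wraps values in quotes)."""
    for res in event.get("targetResources", []):
        for mp in res.get("modifiedProperties", []):
            if mp.get("displayName") == name:
                return str(mp.get("newValue", "")).strip('"')
    return ""

def scan_consent_events(events):
    """Flag user (non-admin) consents that grant risky scopes or go to an app whose
    display name borrows a lured brand. A brand match is a review prompt, not proof:
    confirm the app's publisher is verified before acting on it."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        app = next((r.get("displayName", "") for r in ev.get("targetResources", [])
                    if r.get("type") == "ServicePrincipal"), "")
        scopes = set()
        for m in SCOPE_RE.finditer(prop(ev, "ConsentAction.Permissions")):
            scopes.update(m.group(1).split())
        admin = prop(ev, "ConsentContext.IsAdminConsent").lower() == "true"
        reasons = []
        if scopes & RISKY_SCOPES:
            reasons.append("risky scopes: " + " ".join(sorted(scopes & RISKY_SCOPES)))
        if any(b in app.lower() for b in LURE_BRANDS):
            reasons.append("app name matches a lured brand")
        if reasons and not admin:
            user = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
            findings.append({"app": app, "user": user, "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(json.dumps(parse_authorize_url(LURE_URL), indent=2))
    print(json.dumps(scan_consent_events(SAMPLE_EVENTS), indent=2))
```

Run against real data, the audit events come from the Entra ID audit log (Graph `auditLogs/directoryAudits` or the `AuditLogs` table in Sentinel) and the lure URL from the email's extracted links. The admin-consent case is deliberately left unflagged: once admin consent is enforced, the review happens at approval time rather than in the log.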
Threat Actors Exploit Proofpoint and Intermedia Link Wrapping to Conceal Phishing Payloads
Threat actors are increasingly abusing link wrapping services from vendors including Proofpoint and Intermedia to hide phishing payloads behind trusted domains. Link wrapping rewrites the URLs in a message so that every click is routed through the vendor's scanner before reaching the destination; because the visible link then sits on the vendor's domain, attackers have repurposed it to bypass reputation-based filtering. Compromised email accounts at organizations that use these services are used to send messages whose links are wrapped on the way out, so the wrapped links appear legitimate and recipients are more likely to click and hand over credentials. The technique exploits the implicit trust placed in security vendors, masking malicious intent behind corporate email infrastructure.

Campaigns observed by Cloudflare Email Security frequently employ multi-tiered redirect chains, placing a URL shortener in front of the wrapped link before traffic reaches the final page, which complicates detection. The chains end at convincing phishing pages that mimic Microsoft 365, Teams, or Zix secure messaging portals. Intermedia-focused campaigns mirror these tactics: attackers abuse organizational accounts whose outbound mail is automatically wrapped, borrowing that legitimacy for their lures. Examples include links disguised as voicemail alerts or document-sharing requests that pass through several redirect layers before reaching the phishing landing page. The caveat for defenders is that a wrapped link's domain reputation says nothing about its destination; the wrapper has to be decoded and the final hop evaluated on its own merits.

According to industry data, these attacks drive significant financial and identity-related damage, contributing to over $502 million in email-based fraud losses in 2024 and 1.1 million identity theft reports. Phishing also remains a primary driver of breaches, initiating 67% of reported incidents and fueling a 300% surge in credential theft. To reduce exposure, organizations should implement behavioral detection mechanisms, enforce strict access controls for email accounts, and monitor outbound URL rewriting.
Additionally, adopting phishing-resistant authentication, integrating URL scanning solutions that use behavioral ML detection, and educating users about wrapped-link abuse significantly improve resilience against this evolving tactic.
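The redirect chains described above can be unpicked offline: a Proofpoint URL Defense link carries its destination inside the `u=` parameter, so the wrapped layer decodes locally, and only the shortener hops need a network lookup. The script below is an added example, not Proofpoint's, Intermedia's or Cloudflare's code. Its v1/v2 decoding rules follow Proofpoint's published decoder (v2 writes `%` as `-` and `/` as `_`); the v3 format and Intermedia's wrapper are not modelled. The sample chain, the shortener list and the shortener lookup table (a stand-in for the HEAD request that would read a `Location` header) are all constructed.

```python
"""Unwrap Proofpoint URL Defense links and walk a layered shortener/wrapper chain to
the real destination. Added example; the chain and lookup table are constructed."""
from urllib.parse import urlparse, parse_qs, unquote

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}   # assumed list
WRAPPER_HOSTS = {"urldefense.proofpoint.com", "urldefense.com"}

# Stand-in for resolving a shortener: maps short URL -> Location header (constructed).
SHORT_MAP = {
    "https://bit.ly/3xyzAbC":
        "https://urldefense.proofpoint.com/v2/url?u=https-3A__tinyurl.com_m365-2Dvoicemail"
        "&d=DwMFaQ&c=x&r=y&m=z&s=w&e=",
    "https://tinyurl.com/m365-voicemail":
        "https://m365-login-verify.example/voicemail.html",
}

def resolve_short(url):
    """Return the shortener's target, or None if unknown (offline stand-in for HEAD)."""
    return SHORT_MAP.get(url)

def unwrap_urldefense(url):
    """Return the URL hidden inside a Proofpoint URL Defense v1/v2 link, or None."""
    p = urlparse(url)
    if p.hostname not in WRAPPER_HOSTS:
        return None
    u = parse_qs(p.query).get("u", [None])[0]
    if u is None:
        return None
    if p.path.startswith("/v2/"):
        # v2 stores the target with '%' written as '-' and '/' written as '_'.
        return unquote(u.replace("-", "%").replace("_", "/"))
    if p.path.startswith("/v1/"):
        return u   # v1 only percent-encodes the target; parse_qs already decoded it
    return None    # v3 uses a different scheme and is not handled here

def expand_chain(url, resolver=resolve_short, max_hops=6):
    """Follow wrapper and shortener layers until a plain destination is reached.
    Wrapped links decode locally; shortener links go through `resolver`."""
    hops = [url]
    while len(hops) <= max_hops:
        cur = hops[-1]
        inner = unwrap_urldefense(cur)
        if inner is not None:
            hops.append(inner)
            continue
        if (urlparse(cur).hostname or "") in SHORTENERS:
            nxt = resolver(cur)
            if nxt is None or nxt in hops:
                break
            hops.append(nxt)
            continue
        break
    return hops

def classify_chain(hops):
    """Label each hop and mark chains that stack a wrapper with other redirect layers."""
    kinds = []
    for h in hops:
        host = urlparse(h).hostname or ""
        if host in WRAPPER_HOSTS:
            kinds.append("wrapped")
        elif host in SHORTENERS:
            kinds.append("shortener")
        else:
            kinds.append("destination")
    # A wrapped link whose target is another redirect layer is the pattern to catch:
    # the vendor domain lends reputation to a destination nobody has evaluated yet.
    suspicious = "wrapped" in kinds and len(hops) > 2
    return {"hops": kinds, "final_host": urlparse(hops[-1]).hostname or "",
            "suspicious": suspicious}

if __name__ == "__main__":
    chain = expand_chain("https://bit.ly/3xyzAbC")
    for h in chain:
        print(h)
    print(classify_chain(chain))
```

In production the resolver would issue a HEAD request with redirects disabled and read `Location`, and the final host would be passed to whatever reputation or sandbox check the mail gateway already uses; the point of the script is that the check runs on the destination, not on the wrapper domain.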
Russian Hackers Exploit ISP-Level Access in AiTM Espionage Campaigns
Microsoft has uncovered a sophisticated espionage campaign by Secret Blizzard (also tracked as Turla, Waterbug, and Venomous Bear), a group attributed to Russia's Federal Security Service (FSB). The campaign uses an adversary-in-the-middle (AiTM) position at the internet service provider (ISP) level to compromise diplomatic missions operating in Moscow. Victims are redirected to a malicious captive portal that prompts them to download ApolloShadow, malware disguised as a Kaspersky antivirus installer. Once installed, ApolloShadow adds a rogue trusted root certificate, which lets the operators intercept TLS-encrypted traffic and retain long-term access to high-value systems.

Microsoft confirms this is the first time Turla has been observed operating at the ISP level, a position that greatly expands its ability to surveil foreign embassies and other sensitive entities in Russia. The campaign, active since at least 2024, also appears to draw on Russia's lawful interception infrastructure, including the System for Operative Investigative Activities (SORM), to improve targeting. Turla's track record shows its resourcefulness and persistence: it has hijacked infrastructure belonging to the Iranian APT OilRig and operated the Snake peer-to-peer malware network until international agencies dismantled it in 2023. Recent intrusions attributed to the group include U.S. defense agencies, NASA, EU ministries of foreign affairs, and diplomatic missions in regions of high geopolitical interest.

Operating at the ISP level gives the attacker a new degree of stealth: by controlling network-level trust it sidesteps both perimeter defenses and endpoint detection. With the fraudulent root installed, Turla can impersonate trusted services and collect credentials over the long term, and because the victim's own trust store vouches for the attacker's certificates, browsers and applications raise no warning.
Foreign missions relying on local internet providers in Moscow are therefore at extreme risk of persistent surveillance and unauthorized access. To reduce exposure, organizations should route traffic through hardened VPNs, enforce certificate pinning, use out-of-band channels for sensitive communications, and deploy phishing-resistant MFA to blunt AiTM credential theft. One caveat: once a rogue root is trusted, an interceptor can present a valid-looking certificate for the genuine origin, so the root store itself must be audited against a known-good baseline and any unknown root removed; pinning and VPNs only help when the software enforcing them has not been subverted.
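The root-store audit mentioned above is the concrete check a responder would run on a suspect host. The script below is an added example, not Microsoft's tooling. It expects the JSON that `Get-ChildItem Cert:\LocalMachine\Root | Select-Object Thumbprint,Subject,Issuer,NotBefore | ConvertTo-Json` produces on PowerShell 7 (ISO-8601 dates); the export embedded here is constructed to match that shape, and the baseline thumbprints are placeholders rather than real CA fingerprints. Beyond the plain baseline diff it flags two things the text implies are anomalous: a root minted only days ago (public roots are years old) and a certificate in the Root store that is not self-signed.

```python
"""Audit a Windows trusted-root store export for roots a rogue installer might have
added. Added example; the export and baseline below are constructed placeholders."""
import json
from datetime import datetime, timedelta, timezone

# Thumbprints captured from a known-good build of the same image (assumed baseline).
BASELINE_THUMBPRINTS = {
    "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678",
    "0F1E2D3C4B5A69788796A5B4C3D2E1F000112233",
}

# Constructed export in the shape of:
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object Thumbprint,Subject,Issuer,NotBefore | ConvertTo-Json
# Two baseline roots, one freshly minted unknown root, and one intermediate misplaced
# in the Root store.
ROOT_STORE_EXPORT = json.dumps([
    {"Thumbprint": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
     "Subject": "CN=Example Root CA, O=Example Corp",
     "Issuer": "CN=Example Root CA, O=Example Corp",
     "NotBefore": "2016-03-01T00:00:00Z"},
    {"Thumbprint": "0F1E2D3C4B5A69788796A5B4C3D2E1F000112233",
     "Subject": "CN=Contoso Enterprise Root",
     "Issuer": "CN=Contoso Enterprise Root",
     "NotBefore": "2019-06-15T00:00:00Z"},
    {"Thumbprint": "FFEEDDCCBBAA99887766554433221100DEADBEEF",
     "Subject": "CN=Security Update Root",
     "Issuer": "CN=Security Update Root",
     "NotBefore": "2025-07-20T09:30:00Z"},
    {"Thumbprint": "1234567890ABCDEF1234567890ABCDEF12345678",
     "Subject": "CN=Contoso Issuing CA 1",
     "Issuer": "CN=Contoso Enterprise Root",
     "NotBefore": "2020-01-10T00:00:00Z"},
])

def parse_time(s):
    """Parse an ISO-8601 timestamp, accepting the trailing 'Z' older Pythons reject."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def audit_root_store(export_json, baseline, now, max_age_days=30):
    """Return one finding per store entry that is not in the baseline, was issued
    within max_age_days, or is not self-signed. Thumbprints are compared case-
    insensitively because exports differ in case."""
    findings = []
    for e in json.loads(export_json):
        tp = e["Thumbprint"].upper()
        reasons = []
        if tp not in baseline:
            reasons.append("not in baseline")
        if now - parse_time(e["NotBefore"]) < timedelta(days=max_age_days):
            reasons.append("issued within %d days" % max_age_days)
        if e["Subject"] != e["Issuer"]:
            reasons.append("not self-signed")
        if reasons:
            findings.append({"thumbprint": tp, "subject": e["Subject"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    now = datetime(2025, 8, 1, tzinfo=timezone.utc)
    for f in audit_root_store(ROOT_STORE_EXPORT, BASELINE_THUMBPRINTS, now):
        print(f)
```

Run on a real export, a "not in baseline" hit still has to be reconciled against legitimately pushed enterprise roots (Group Policy or Intune), but a self-signed root that appeared after the host's last known-good snapshot and was issued in the last few weeks is exactly the artifact a rogue installer leaves behind, and its thumbprint is what to search for across the fleet.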
Top CVEs of the Week
Top CVEs of the Week – As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.