TRENDING TOPICS AUGUST 01, 2025

Update: Threat Actors Exploit Fake Microsoft OAuth Apps to Steal Credentials 

Threat actors are exploiting malicious Microsoft OAuth applications in a series of targeted phishing campaigns designed to bypass MFA and steal login credentials. Proofpoint has tracked over 50 fake applications since early 2025, including those impersonating RingCentral, SharePoint, Adobe, and DocuSign. These campaigns abuse OAuth consent flows, luring users with permission prompts that appear legitimate while redirecting them to attacker-in-the-middle (AiTM) phishing kits. Once victims interact, these kits capture credentials and MFA tokens in real time, enabling account takeovers across hundreds of organizations. Attackers frequently distribute these malicious OAuth app links through emails sent from compromised accounts, using business-themed lures such as contract or quote requests. This approach has proven highly effective, with targeted attacks spanning multiple industries and organizations worldwide. Proofpoint researchers identified infrastructure linked to the fake OAuth apps, including redirector URLs and phishing pages. These campaigns use CAPTCHA challenges and Microsoft-branded login pages customized with the target organization's Entra ID details to enhance credibility and circumvent automated security defenses. Once authenticated, adversaries harvest session cookies, add malicious MFA methods for persistence, and initiate lateral movement across cloud environments. Tycoon-linked phishing operations have compromised nearly 3,000 accounts across 900 environments in 2025, with Axios-based HTTP traffic and targeted reply URLs serving as key indicators of activity. Microsoft's planned mid-2025 enforcement of admin consent for third-party apps and deprecation of legacy authentication is expected to reduce exposure, but will not eliminate the threat. To mitigate these attacks, organizations should enforce admin consent for OAuth apps, block legacy authentication, monitor for suspicious consent grants, and implement phishing-resistant MFA such as FIDO2 security keys.
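The "monitor for suspicious consent grants" recommendation above can be turned into a simple triage rule. The following is an added example written for this digest, not Proofpoint's or Microsoft's code: it scores constructed consent-grant events that are only loosely modelled on Entra ID "Consent to application" audit records (field names are simplified, not the real schema), flagging grants of mailbox and file scopes to apps from unverified publishers and apps that borrow the brand names the campaigns impersonate.

```python
# Triage of OAuth consent grants for the consent-phishing pattern described above.
# SAMPLE_EVENTS are constructed for illustration; field names are simplified and
# do not reproduce the exact Entra ID audit-log schema.

# Delegated scopes that let a third-party app read or send mail and pull files.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}
# Brands the digest reports being impersonated by fake OAuth apps.
IMPERSONATED_BRANDS = ("ringcentral", "sharepoint", "adobe", "docusign")

SAMPLE_EVENTS = [
    {"id": 1, "user": "alice@example.com", "app": "DocuSign",
     "publisher_verified": False, "admin_consent": False,
     "scope": "openid profile offline_access Mail.Read Files.ReadWrite.All"},
    {"id": 2, "user": "bob@example.com", "app": "Zoom",
     "publisher_verified": True, "admin_consent": False,
     "scope": "openid profile User.Read"},
    {"id": 3, "user": "admin@example.com", "app": "Contoso Backup",
     "publisher_verified": True, "admin_consent": True,
     "scope": "Mail.ReadWrite offline_access"},
    {"id": 4, "user": "carol@example.com", "app": "Quote Viewer",
     "publisher_verified": False, "admin_consent": False,
     "scope": "openid offline_access Contacts.Read"},
]


def scopes_of(event: dict) -> set:
    """OAuth scope strings are space-separated; split them into a set."""
    return set(event["scope"].split())


def triage(event: dict) -> list:
    """Return the reasons a consent grant deserves analyst review (empty if none)."""
    reasons = []
    if event["admin_consent"]:
        return reasons  # admin-reviewed grants are handled by a separate process
    risky = scopes_of(event) & HIGH_RISK_SCOPES
    if risky and not event["publisher_verified"]:
        reasons.append("unverified publisher granted " + ", ".join(sorted(risky)))
    if (not event["publisher_verified"]
            and any(b in event["app"].lower() for b in IMPERSONATED_BRANDS)):
        reasons.append("brand-named app without verified publisher")
    return reasons


def flag_consents(events: list) -> dict:
    """Map event id -> reasons for every event that triage() flags."""
    return {e["id"]: triage(e) for e in events if triage(e)}


if __name__ == "__main__":
    for event_id, reasons in flag_consents(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```

In production the same rule would run over the tenant's audit log export, with the publisher-verification field taken from the application object rather than the event.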

Threat actors are increasingly abusing link wrapping services from vendors, including Proofpoint and Intermedia, to disguise phishing payloads behind trusted domains. Link wrapping, designed to protect users by routing clicked URLs through the vendor's scanning service, has been repurposed by attackers to bypass reputation-based filtering. Compromised email accounts are leveraged to distribute wrapped links that appear legitimate, boosting the likelihood of user interaction and subsequent credential harvesting. This technique exploits the implicit trust in security vendors, masking malicious intent behind corporate email infrastructure. Campaigns observed by Cloudflare Email Security frequently employ multi-tiered redirect chains, incorporating URL shorteners before routing traffic through wrapped links to evade detection. These steps ultimately direct victims to highly convincing phishing pages that mimic Microsoft 365, Teams, or Zix secure messaging portals. Intermedia-focused campaigns mirror these tactics, with attackers exploiting organizational accounts whose outbound emails are wrapped automatically, lending the links a false sense of legitimacy. Examples include malicious links disguised as voicemail alerts or document-sharing requests, which redirect through multiple layers before reaching phishing landing pages. According to industry data, these attacks drive significant financial and identity-related damages, contributing to over $502 million in email-based fraud losses in 2024 and 1.1 million identity theft reports. Moreover, phishing remains a primary driver of breaches, initiating 67% of reported incidents and fueling a 300% surge in credential theft. To reduce exposure, organizations should implement behavioral detection mechanisms, enforce strict access controls for email accounts, and monitor outbound URL rewriting. Additionally, adopting phishing-resistant authentication, integrating advanced URL scanning solutions with behavioral ML detection, and educating users on wrapped-link exploitation significantly improve resilience against this evolving tactic.

Russian Hackers Exploit ISP-Level Access in AiTM Espionage Campaigns 

Microsoft has uncovered a sophisticated espionage campaign orchestrated by Secret Blizzard (also known as Turla, Waterbug, and Venomous Bear), a group linked to Russia's Federal Security Service (FSB). The campaign leverages adversary-in-the-middle (AiTM) positioning at the internet service provider (ISP) level to compromise diplomatic missions operating in Moscow. Attackers redirect victims to malicious captive portals, tricking them into downloading ApolloShadow malware disguised as a legitimate Kaspersky antivirus installer. Once installed, ApolloShadow adds a rogue trusted root certificate, enabling the interception of encrypted traffic and prolonged access to high-value systems. Microsoft has confirmed that this marks the first time Turla has been observed conducting ISP-level operations, significantly amplifying its ability to surveil foreign embassies and sensitive entities operating in Russia. The campaign, which has been active since at least 2024, also appears to utilize Russia's lawful interception infrastructure, including the System for Operative Investigative Activities (SORM), to enhance its targeting capabilities. Turla's historical track record demonstrates its resourcefulness and persistence, including its use of hijacked Iranian APT OilRig infrastructure and the Snake P2P malware network, which was dismantled by global intelligence agencies in 2023. Recent attacks linked to the group include intrusions against U.S. defense agencies, NASA, EU ministries of foreign affairs, and other diplomatic missions in regions of high geopolitical interest. This ISP-level AiTM approach introduces a new level of stealth, allowing attackers to bypass both perimeter defenses and endpoint detection solutions by controlling network-level trust. ApolloShadow's ability to install a fraudulent certificate enables Turla to impersonate trusted services and conduct long-term credential theft. Foreign missions relying on local internet providers in Moscow are therefore at extreme risk of persistent surveillance and unauthorized access. To reduce exposure, organizations should establish hardened VPNs, enforce certificate pinning, adopt out-of-band communication for sensitive operations, and implement phishing-resistant MFA to counter AiTM interception.

Top CVEs of the Week 

As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.

CVE Security Vulnerability Dashboard

CVE-2025-5777 | Critical | Citrix NetScaler ADC/Gateway | EXPLOITED IN WILD
An out-of-bounds memory read vulnerability in NetScaler ADC and Gateway can expose sensitive data when the appliance is configured as a Gateway or AAA virtual server. This flaw has been actively targeted in the wild, making prompt remediation critical.
Urgent Action Required: Citrix patched this vulnerability in versions 14.147.46, 13.159.19, and related builds. Immediate patching is essential due to active exploitation.

CVE-2025-54309 | Critical | CrushFTP | EXPLOITED IN WILD
CrushFTP versions 10.8.5 and 11.3.4_23 allow admin takeover via AS2 validation flaws, which were exploited in the wild. Successful attacks can provide full administrative access and enable complete data exfiltration from affected systems.
Remediation: Fixed in versions 10.8.5_12 and 11.3.4_26. Organizations should upgrade immediately and audit for any unauthorized administrative access.

CVE-2025-27210 | High | Node.js
An incomplete fix for CVE-2025-23084 in Node.js allows Windows path traversal using reserved device names like CON and AUX. This vulnerability could enable file overwrite or unexpected behavior on affected Windows systems running Node.js applications.
Remediation: Patched in Node.js versions 20.19.4, 22.17.1, and 24.4.1. Windows-based Node.js deployments should be updated immediately to prevent path traversal attacks.

Dashboard summary: 3 total CVEs, 2 of critical severity, 2 under active exploitation, patches available for 100%.
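To illustrate the class of input the Node.js entry (CVE-2025-27210) is about, here is an added defensive check written for this digest; it is not Node.js code or the upstream fix. It rejects Windows reserved device names and parent traversal in untrusted path components before they reach a filesystem call. The reserved-name list and the rule that Win32 matches a device name regardless of extension or trailing dots and spaces come from Microsoft's Win32 file-naming documentation.

```python
from pathlib import PureWindowsPath

# Classic Win32 reserved device names. Win32 resolves these even when an
# extension ("CON.txt") or trailing dots/spaces ("aux .") are appended.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_device_name(segment: str) -> bool:
    """True if a single path component would be treated as a Win32 device."""
    stem = segment.rstrip(" .").split(".")[0].strip()
    return stem.upper() in _RESERVED


def safe_join(base: str, untrusted: str) -> str:
    """Join an untrusted relative path onto base, refusing anything that could
    escape base or name a device. Raises ValueError on rejection."""
    p = PureWindowsPath(untrusted)
    # Any drive letter, root, or UNC prefix means the input is not relative.
    if p.is_absolute() or p.drive or p.root:
        raise ValueError(f"absolute path not allowed: {untrusted!r}")
    for part in p.parts:
        if part == "..":
            raise ValueError(f"parent traversal not allowed: {untrusted!r}")
        if is_reserved_device_name(part):
            raise ValueError(f"reserved device name: {part!r}")
    return str(PureWindowsPath(base, *p.parts))


def is_rejected(base: str, untrusted: str) -> bool:
    """Helper for demos/tests: True if safe_join refuses the input."""
    try:
        safe_join(base, untrusted)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = "C:\\srv\\files"  # constructed sample base directory
    for candidate in ("docs/report.txt", "CON", "reports\\aux.txt",
                      "..\\..\\Windows\\win.ini", "C:\\other"):
        print(f"{candidate!r}: {'rejected' if is_rejected(base, candidate) else 'ok'}")
```

The same check applies to any service that builds Windows paths from user input, not only Node.js.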
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.