CyberWire Daily

Don’t trust that app! [Research Saturday]

Sep 6, 2025
Selena Larson, co-host of Only Malware in the Building and a Lead Threat Researcher at Proofpoint, dives into the alarming rise of Microsoft OAuth app impersonation campaigns. These sophisticated attacks target users by mimicking trusted services like Adobe and SharePoint, leading to MFA phishing. Larson explains how cybercriminals capture sensitive information through fake login pages, highlighting the importance of user education and vigilance. She also discusses Microsoft’s impending security updates to combat these threats, making cybersecurity awareness paramount.
INSIGHT

MFA Phishing Targets Tokens Not Just Passwords

  • MFA phishing captures both credentials and the additional authentication token to bypass multi-factor protections.
  • Threat actors adapted because widespread MFA adoption forced them to target identity and session tokens directly.
INSIGHT

OAuth Consent Used As Phishing Vector

  • Threat actors use fake Microsoft OAuth app consent screens as a vehicle to funnel victims into credential phishing flows.
  • The OAuth consent step looks familiar to users, which helps convince them to proceed to the fake login and MFA capture.
ADVICE

Train Users To Verify URLs And Browser Bars

  • Teach users to verify URLs and hover over links before clicking to spot fake Microsoft pages.
  • Emphasize checking the browser address bar because the landing pages often mimic Microsoft branding but use illegitimate domains.