“The phishing campaigns leverage multi-factor authentication (MFA) attacker-in-the-middle (AiTM) phishing kits like Tycoon,” researchers added. “Such activity could be used for information gathering, lateral movement, follow-on malware installations, or to conduct additional phishing campaigns from compromised accounts.”
This method is particularly dangerous because OAuth tokens can survive password resets. Even if a compromised user changes their password, attackers can still use the granted permissions to access email, files, and other cloud services until the OAuth token is revoked.
Proofpoint said the campaign abused over 50 trusted brands, including companies like RingCentral, SharePoint, Adobe, and DocuSign.
