Attack Spotlight
March 20, 2025
Limited scope Microsoft OAuth request used to blend in as legitimate traffic, redirecting the user to an AITM credential phishing site
Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.
EMAIL PROVIDER: Microsoft 365
ATTACK TYPE: Credential Phishing
Sublime has recently detected a wave of credential phishing attacks that use Microsoft apps to hide malicious adversary-in-the-middle (AITM) URLs. This is a clever evasion technique, since the URL in the message is a legitimate Microsoft OAuth URL and the attacker-controlled destination is only reached after the target authenticates and consents.
Our research gives us reason to believe that these attacks are part of a long-running, international campaign. Let’s look at one of the messages from the campaign to see how it works.
Fake password resets have become a popular method for delivering attacks. It’s one reason why our machine learning-powered Topic Modeling function has a Security and Authentication topic to categorize messages about account security, password resets, 2FA, login alerts, and more.
This attack starts with a password reset message from a “Teams Administrator”.
If the target clicks on the Submit this code link (located directly beneath an official-looking 2FA code), they are taken to an actual Microsoft login screen.
Looking at the URL, we can see that this is more than just a login. It contains a long, encrypted ctx value, as well as a session_id value.
If the target supplies their credentials (a process that never asks for the 6-digit auth code from the email), they are redirected to a permissions page for a Microsoft app. The app features an Adobe logo and requests consent for a minimal amount of access. Notably, it does not request any mail read/write access, which we have seen in earlier Microsoft OAuth phishing:
Inspecting the app info, we can see the Reply URLs point to suspicious sites.
Clicking Accept then redirects the user to a Cloudflare Turnstile.
Then the user is directed to a new login page for the AITM credential phishing attack.
At this point, the target may assume that they need to log back in after granting access to the Microsoft app with the Adobe logo. Should they log back in on the AITM page, the attacker captures their credentials as well as their authenticated session.
By using the Microsoft app as the redirect, the attacker gets to send a legitimate Microsoft URL in the email, evading traditional URL-based email security controls and lowering suspicion. The redirect to attacker infrastructure doesn’t occur until after a successful login and active consent by the target, so the malicious destination never appears in the message itself.
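The flow above is what makes this lure hard to catch on the URL alone: the link is a real login.microsoftonline.com endpoint, and the attacker-controlled Reply URL is only reachable through the app's consent step. The following Python is an added triage example, not Sublime's MQL rules or any code from the post. It pulls Microsoft OAuth links out of a message body, parses the parameters the attacker controls when they are present (client_id, redirect_uri, scope), and combines that with the password-reset lure text. The allowlisted Microsoft domains, the lure keywords, the sample message and every domain and GUID in it are constructed assumptions for the example; a ctx/session_id-only link (the shape shown in the post) carries no redirect_uri, so it is flagged on the lure-plus-OAuth-link combination rather than on the redirect host.

```python
"""Added example: triage Microsoft OAuth consent links inside a phishing lure.

Not code from the original post. Hosts, keywords, GUIDs and the sample
message below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse, parse_qs

# Hosts that serve Microsoft identity endpoints (assumption: short demo list).
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Redirect targets treated as first-party (assumption: demo allowlist only).
TRUSTED_REDIRECT_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".office.com", ".live.com")

LURE_RE = re.compile(r"password (?:reset|expir)|verify your account|2fa|submit this code", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class OAuthLinkFinding:
    url: str
    client_id: Optional[str]
    redirect_host: Optional[str]
    scopes: List[str]
    reasons: List[str] = field(default_factory=list)


def parse_oauth_link(url: str) -> Optional[OAuthLinkFinding]:
    """Return a finding for Microsoft OAuth authorize/consent links, else None."""
    p = urlparse(url)
    if p.hostname not in MS_LOGIN_HOSTS:
        return None
    q = parse_qs(p.query)
    is_authorize = "/oauth2/" in p.path and p.path.rstrip("/").endswith("authorize")
    # A ctx/session_id-only link keeps the consent context server-side; it is
    # still an OAuth-flow link, so record it even though we cannot see the app.
    if not is_authorize and "ctx" not in q:
        return None
    client_id = q.get("client_id", [None])[0]
    redirect = q.get("redirect_uri", [None])[0]
    redirect_host = urlparse(redirect).hostname if redirect else None
    scopes = q.get("scope", [""])[0].split()
    finding = OAuthLinkFinding(url, client_id, redirect_host, scopes)
    if redirect_host and not redirect_host.endswith(TRUSTED_REDIRECT_SUFFIXES):
        finding.reasons.append(f"redirect_uri host {redirect_host} is not a Microsoft domain")
    if q.get("prompt", [""])[0] == "consent":
        finding.reasons.append("prompt=consent forces the consent screen")
    if not redirect and "ctx" in q:
        finding.reasons.append("opaque ctx parameter: app and redirect target not visible in the URL")
    return finding


def triage_message(subject: str, body: str) -> dict:
    """Combine OAuth-link findings with the password-reset lure theme."""
    findings = [f for f in (parse_oauth_link(u) for u in URL_RE.findall(body)) if f]
    lure = bool(LURE_RE.search(subject + " " + body))
    # Flag only when both halves are present: lure text AND a risky OAuth link.
    suspicious = lure and any(f.reasons for f in findings)
    return {"lure": lure, "findings": findings, "suspicious": suspicious}


# Constructed sample mirroring the lure described above (not a real message).
SAMPLE_SUBJECT = "Action required: your Teams password expires today"
SAMPLE_BODY = (
    "Your password will expire in 24 hours. Use the code 483920 to keep your account.\n"
    "Submit this code: https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-verify.attacker.example%2Fcallback"
    "&scope=openid%20profile%20offline_access&state=x1\n"
    "Teams Administrator"
)
# Constructed benign message: a first-party redirect and no lure text.
BENIGN_BODY = (
    "Join the planning call: https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=22222222-3333-4444-5555-666666666666&response_type=code"
    "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&scope=openid"
)

if __name__ == "__main__":
    result = triage_message(SAMPLE_SUBJECT, SAMPLE_BODY)
    for f in result["findings"]:
        print(f.redirect_host, f.scopes, f.reasons)
    print("suspicious:", result["suspicious"])
```

In practice the redirect host is only visible in the email when the attacker sends the authorize form of the URL; for the ctx/session_id form, the app registration's Reply URLs have to be resolved from the consented client_id in Entra, which is exactly the "Inspecting the app info" step the post walks through.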
Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this campaign were:
See the full Message Query Language (MQL) that detected these attacks in these publicly available Detection Rules in our Core Feed: Suspicious Office 365 app authorization (OAuth) link and Fake password expiration from new and unsolicited sender.
Sublime detects and prevents credential phishing and other email-based threats. Start your free account today, in the cloud or self-hosted, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.