Fake Adobe & DocuSign OAuth Apps Are Hijacking Microsoft 365 Accounts—What You Need to Know


Microsoft 365 OAuth attack incidents have surged in recent years, making the platform one of the major targets for cybercriminals. Microsoft’s 2024 Digital Defense Report states that over 600 million cyberattacks occur daily, covering threats such as ransomware, phishing, and identity-based attacks. Between July 2023 and June 2024, human-operated ransomware incidents increased by 275%, showing how attackers are refining their tactics. Research also indicates that 85% of organizations using Microsoft 365 experienced security breaches, proving how widespread these threats have become. With cybercriminals now leveraging OAuth-based attacks to bypass traditional security measures, businesses must rethink their approach to protecting user accounts.

Cybercriminals have found a new way to infiltrate Microsoft 365 accounts—without stealing passwords. Instead, they are using fake Adobe and DocuSign OAuth applications to trick users into granting access to their accounts. This sophisticated attack, uncovered by researchers at Proofpoint, is part of a growing trend in which attackers exploit authentication systems to bypass traditional security measures.

Organizations across the U.S. and Europe, particularly in government, healthcare, supply chain, and retail industries, have been targeted. The attack is designed to appear legitimate, making it even more dangerous for unsuspecting users.

How the Attack Works

This isn’t your typical phishing scam. Instead of tricking users into entering their passwords, cybercriminals exploit OAuth permissions, allowing them to gain access even if the user changes their password later. Here’s how it unfolds:

Step 1: The Phishing Email

  • The attack begins with an email that appears to come from a trusted business contact.
  • The sender’s account is often a compromised charity or small business, making the message look even more credible.
  • The email urges the recipient to review a business proposal, contract, or invoice—a common tactic used in business email compromise (BEC) scams.

Step 2: Fake OAuth Applications Masquerading as Adobe & DocuSign

  • The email includes a link directing the user to an authentication request for a seemingly legitimate application.
  • These fake applications impersonate well-known tools such as:
    • Adobe Drive
    • Adobe Drive X
    • Adobe Acrobat
    • DocuSign
  • Since these are widely used in professional settings, most users don’t think twice before granting access.

Step 3: OAuth Token Permissions

  • When a user approves the OAuth request, they unknowingly grant access to their Microsoft 365 account.
  • Unlike traditional phishing, no password is required—the attacker gains access through an OAuth token.
  • The rogue app requests permissions to access:
    • User profiles – Full name, profile picture, and user ID
    • Email addresses – Primary email details
    • OpenID authentication – Allowing attackers to validate Microsoft account identities

Step 4: Exploiting the Access

  • Once the attacker gains access, they can:
    • Harvest personal and corporate data for future attacks.
    • Use the compromised account to send phishing emails to colleagues or clients.
    • Monitor internal communications and plan more sophisticated attacks.

What makes this attack particularly dangerous is its persistence. Since OAuth tokens remain valid even after a password reset, users won’t realize they’re compromised unless they check their authorized apps.

Why OAuth-Based Attacks Are More Dangerous Than Traditional Phishing

Traditional phishing typically aims to steal usernames and passwords, allowing attackers to log into accounts directly. However, OAuth-based attacks exploit authentication processes, making them harder to detect and mitigate. Here’s why they’re even more dangerous:

No Passwords Are Stolen, Making Detection Harder

  • In a regular phishing attack, security teams can respond by resetting passwords.
  • With OAuth attacks, changing a password does nothing because the attacker already has a valid access token.
  • OAuth tokens remain active for extended periods, often until manually revoked, allowing attackers to persist undetected.

OAuth Can Bypass Multi-Factor Authentication (MFA)

  • Because the OAuth token itself is what authenticates the app to Microsoft 365, MFA is never challenged again once the token has been issued.
  • Even if a company enforces MFA, it won’t block an attacker who has already obtained OAuth access.

Persistent Access Even After Incident Response

  • A password reset stops a credential-based attack but not an OAuth attack.
  • If IT teams fail to review authorized applications, the attacker retains access for days, weeks, or even months without being noticed.

OAuth Attacks Exploit Trust in Third-Party Apps

  • Businesses often rely on third-party applications for productivity, document signing, and cloud integrations.
  • Many employees approve OAuth permissions without questioning legitimacy, assuming IT or Microsoft has already vetted the app.
  • Attackers exploit this trust, making users unknowingly grant access to malicious apps.

Easier to Automate & Scale for Mass Attacks

  • OAuth-based attacks can be automated, allowing hackers to target thousands of users simultaneously with phishing emails.
  • Unlike credential phishing, which requires manually testing stolen passwords, OAuth tokens instantly provide access once granted.
  • This makes OAuth an effective tool for large-scale corporate espionage, supply chain attacks, and email account takeovers.

Attackers Can Expand Their Reach Inside an Organization

  • Once inside an account, attackers can:
    • Read sensitive corporate emails and files.
    • Send phishing emails from the compromised account to other employees, clients, or partners.
    • Grant additional permissions to other apps, making their foothold stronger.
  • In contrast, traditional phishing attacks often stop at the initial breach, whereas OAuth-based attacks allow attackers to stay undetected and escalate their privileges.

Difficult for Security Teams to Monitor & Block

  • Many security tools focus on monitoring logins and detecting unusual sign-in behavior.
  • Since an app using an OAuth token doesn’t generate the interactive sign-in event these tools watch for, security solutions may not detect unauthorized access.
  • IT teams must manually review app permissions and usage logs to uncover these attacks, which many organizations fail to do regularly.

Who Is Being Targeted?

Cybercriminals behind this attack are focusing on organizations that heavily rely on document management and electronic signatures, making their fake Adobe and DocuSign apps more convincing. The primary targets include:

  • Government Agencies – These organizations manage confidential data, contracts, and national security-related communications, making them a high-value target.
  • Healthcare Organizations – Hospitals, clinics, and medical research firms store patient records and sensitive health data, which can be exploited for fraud or ransomware attacks.
  • Retail & Supply Chain Companies – Attackers can disrupt inventory management, vendor communications, and financial transactions through unauthorized account access.
  • Legal & Financial Firms – Law offices, banks, and investment firms rely on digital document processing, making them susceptible to contract and payment fraud.
  • Educational Institutions – Universities and research organizations handle intellectual property, student records, and grant information, which are valuable to cybercriminals.
  • Tech Companies & Startups – These organizations use multiple third-party applications and cloud-based tools, increasing the risk of OAuth-based attacks slipping through security gaps.

Since the phishing emails disguise themselves as business-related proposals, invoices, or contracts, industries that frequently handle digital agreements are more likely to fall for the scam.

How to Protect Your Microsoft 365 Account

OAuth-based attacks are difficult to detect, but there are steps both individual users and IT administrators can take to reduce the risk.

For Individual Users

✔ Think Before Approving OAuth Requests – If an app requests access to your Microsoft account, double-check its legitimacy. If something feels off, deny access.
✔ Review Your Connected Apps Regularly – Visit Microsoft My Apps and revoke permissions for any app you don’t recognize.
✔ Enable Multi-Factor Authentication (MFA) – While MFA won’t stop an OAuth attack, it can prevent attackers from gaining access to other systems linked to your account.

For IT Administrators

🔒 Restrict Third-Party OAuth App Approvals – Adjust Microsoft Entra ID (formerly Azure AD) settings to limit which users can approve OAuth applications.
🔒 Monitor Unusual OAuth Activity – Regularly check the Enterprise Applications logs in Microsoft Entra ID for unauthorized app approvals.
🔒 Use Conditional Access Policies – Block OAuth-based authentication requests from unknown locations or unusual devices.
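The consent approval described in Step 3 is what the Entra ID consent logs record, and the review step above is where defenders catch it. The following Python script, an added example that is not from the article or from Proofpoint, triages constructed consent records: it treats the display name as untrusted, keys on the application ID and publisher verification instead, and calls out offline_access, the scope that keeps access alive after a password reset. The record shape, field names and all sample values (including the GUIDs) are assumptions, not real Entra audit-log data.

```python
"""Triage OAuth consent events for brand-impersonating apps. Constructed example: the record shape is a
simplified stand-in for an Entra ID "Consent to application" audit entry; all fields, values and GUIDs are made up."""
import re
from dataclasses import dataclass

# Brands the article reports being impersonated; add the vendors your tenant relies on.
IMPERSONATED_BRANDS = ("adobe", "acrobat", "docusign")
# offline_access yields a refresh token, which is what keeps access alive after a password reset.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.Send", "Files.Read.All"}

@dataclass(frozen=True)
class ConsentEvent:
    app_display_name: str     # free text chosen by whoever registered the app
    app_id: str               # the application (client) ID actually consented to
    publisher_verified: bool  # whether Entra shows a verified-publisher badge
    scopes: tuple

def brand_in_name(name):
    """Return the brand a display name borrows, ignoring case, spaces and punctuation."""
    normalised = re.sub(r"[^a-z0-9]", "", name.lower())
    return next((b for b in IMPERSONATED_BRANDS if b in normalised), None)

def triage(events, allow_listed_app_ids):
    """Return {display name: [reasons]} for consents an admin should review or revoke.
    A brand name proves nothing: only the app ID identifies the client, so a brand-named
    app whose ID is not allow-listed is treated as a lookalike."""
    findings = {}
    for ev in events:
        if ev.app_id in allow_listed_app_ids:
            continue  # the genuine vendor app your tenant has approved
        reasons = []
        brand = brand_in_name(ev.app_display_name)
        if brand:
            reasons.append(f"name mimics '{brand}' but app ID {ev.app_id} is not allow-listed")
        if not ev.publisher_verified:
            reasons.append("publisher not verified")
        if risky := sorted(HIGH_RISK_SCOPES.intersection(ev.scopes)):
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if brand or risky:  # unverified publisher alone is noisy for in-house apps
            findings[ev.app_display_name] = reasons
    return findings

# Constructed sample consents: one genuine allow-listed DocuSign grant, two lookalikes, one in-house app.
SAMPLE_EVENTS = (
    ConsentEvent("DocuSign", "00000000-0000-0000-0000-000000000001", True, ("openid", "profile", "email")),
    ConsentEvent("Adobe Drive X", "00000000-0000-0000-0000-0000000000ff", False, ("openid", "profile", "email")),
    ConsentEvent("Adobe Acrobat", "00000000-0000-0000-0000-0000000000fe", False, ("openid", "email", "offline_access")),
    ConsentEvent("Contoso Expense Tool", "00000000-0000-0000-0000-0000000000aa", False, ("openid",)),
)
ALLOW_LIST = {"00000000-0000-0000-0000-000000000001"}
```

Running `triage(SAMPLE_EVENTS, ALLOW_LIST)` flags the two Adobe-named lookalikes and leaves the allow-listed DocuSign grant and the unbranded in-house app alone; each flagged entry is a candidate for revoking the grant in Entra ID.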

Many organizations don’t actively monitor OAuth permissions, making it easier for attackers to slip through unnoticed. Implementing strict access policies and user training can significantly reduce the risk.

The Growing Trend of OAuth Exploits

OAuth-based attacks are becoming more common because they allow cybercriminals to bypass traditional login security. Similar methods have been used in attacks against Google and Microsoft cloud services, signaling a broader shift in how cybercriminals operate.

Organizations that rely heavily on cloud-based applications must treat OAuth security as seriously as they do password security. Regular reviews of app permissions and clear policies on third-party integrations can help prevent unauthorized access.

What This Means for the Future

As attackers continue to refine their methods, businesses and individuals need to rethink their approach to cybersecurity. OAuth-based threats expose a major gap in traditional security practices, and organizations must close it before it becomes a larger issue. These attacks are stealthy, persistent, and highly scalable, which is why cybercriminals favor them: they bypass traditional security measures and can let attackers remain inside corporate networks for months without detection. Treat OAuth security as seriously as password security, or risk exposing your accounts indefinitely.

If you haven’t reviewed your app permissions lately, now is the time. Are you sure every app connected to your Microsoft 365 account is legitimate?

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
