Fake Microsoft OAuth Apps Open the Door to Mass Account Takeovers
A New Wave of Phishing Uses Trusted Logos to Slip Past Defenses
A fresh phishing storm is sweeping across the internet, and it hinges on Microsoft OAuth. Security analysts warn that crooks are posing as well-known brands to sneak malicious cloud apps into corporate Microsoft 365 environments. Once those apps are approved—even by mistake—attackers can raid inboxes, steal files, and kick-start wider breaches. The latest cluster, first picked up in early 2025, shows just how fast criminals adapt and how easy it is for employees to fall for a familiar logo.
Researchers at Proofpoint say the rogue software mimics reputable services like RingCentral, SharePoint, Adobe, and DocuSign. The pitch lands through ordinary email. A seemingly routine message—perhaps a request for a quote or a contract—carries a link that looks harmless. Click it, and the target lands on a real Microsoft consent screen tied to an app named “iLSMART.” The name sounds obscure, yet it borrows credibility from ILSMart, a legitimate marketplace serving aviation and defense companies. The fake app asks for minimal permissions, often just profile details and ongoing access. At first glance, that seems trivial. In reality, it is the opening move in a bigger game.
Whether the victim clicks “Allow” or “Deny,” the crooks stay in control. The user is steered through a CAPTCHA page, adding a false sense of security, before hitting a counterfeit Microsoft sign-in form. That form is powered by Tycoon and ODx phishing kits—off-the-shelf services that specialize in intercepting multi-factor authentication codes. In effect, the attackers place themselves between the user and Microsoft’s login portal, grabbing passwords and one-time passcodes in real time. With those details, they can stroll straight into the victim’s mailbox, Teams chats, and SharePoint libraries.
Proofpoint has already counted more than fifty fake apps tied to this campaign. During the first half of 2025 alone, almost 3,000 user accounts across roughly 900 Microsoft 365 tenants faced takeover attempts that match Tycoon’s fingerprints. The scale speaks to a broader shift: phishing crews no longer rely on single messages or static websites. Instead, they chain together trusted cloud features, commercial phishing kits, and social engineering to sidestep the hard work of cracking passwords by force.
The consequences can be devastating. Once inside, attackers may quietly exfiltrate sensitive files, reroute invoices to their own bank accounts, or drop ransomware. Because the entry method abuses Microsoft’s own OAuth framework, conventional security tools may not raise an alarm. Logs might show a perfectly valid sign-in, using approved credentials and an approved application. By the time anyone spots odd behavior, data may already be gone.
Microsoft is not blind to the threat. The company plans to tighten default settings by August 2025, blocking older authentication methods and forcing administrators to approve any third-party app with broad access. That change should make life harder for scammers, but it will not erase the danger overnight. Many organizations still lean on legacy protocols, and convincing an overworked IT team to review every permission request is easier said than done.
Meanwhile, threat actors are moving fast. Proofpoint highlights fresh waves that impersonate Adobe through Twilio’s SendGrid, a mainstream email marketing service. Another string of attacks hides malicious remote-management software in PDFs that look like invoices or real-estate listings. Victims who install the tools unknowingly hand over a direct line into their machines. Even if no malware arrives right away, the attacker now has an opening to sell, lease, or exploit later.
Security firms predict that adversary-in-the-middle tactics will become the norm. By hijacking a login session at the exact moment a user authenticates, crooks sidestep even the strongest password rules and multi-factor prompts. As one analyst put it, “Identity is the new perimeter.” That means user awareness, strict app reviews, and continuous monitoring are now mission-critical—not optional extras.
Looking ahead, administrators should prepare for stricter consent workflows, disable unused legacy protocols, and audit every app already connected to their Microsoft 365 tenant. Employees, for their part, must be trained to treat unexpected consent screens with extreme suspicion. A single click on a familiar logo can still turn into a six-figure cleanup bill, damaged customer trust, and weeks of forensic headaches.
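The consent-grant review the article calls for can be started from the tenant's own audit trail: a lookalike app name, an unverified publisher, a request for persistent access, and a burst of consents from many users in a short window are the signals that distinguish this campaign from an ordinary app approval. The Python below is an added example written for this page; it is not Proofpoint's tooling or Microsoft's, and it runs over a handful of constructed, simplified consent-grant records. The field names (`activity`, `app_name`, `publisher_verified`, `scopes`, and so on) are assumptions chosen for readability, not the exact Entra ID audit-log schema, and mapping the article's "ongoing access" to the standard OAuth `offline_access` scope is likewise an assumption.

```python
"""Triage Microsoft 365 consent-grant audit events for OAuth consent-phishing signals.

Added example: records and field names are constructed and simplified, not the
real Entra ID / Microsoft Graph audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Brands the article says the campaign impersonates, plus ILSMart, whose name the fake app copies.
IMPERSONATED_BRANDS = ["RingCentral", "SharePoint", "Adobe", "DocuSign", "ILSMart"]

# offline_access is the standard OAuth scope that yields refresh tokens, i.e. ongoing access (assumption).
PERSISTENT_SCOPES = {"offline_access"}

# Constructed sample: four users consent to the lookalike app within 40 minutes,
# plus two benign grants and one unrelated audit event that must be ignored.
SAMPLE_EVENTS = [
    {"time": "2025-03-04T09:00:00", "activity": "Consent to application", "user": "alice",
     "app_id": "app-ilsmart-0001", "app_name": "iLSMART", "publisher_verified": False,
     "scopes": ["User.Read", "offline_access"]},
    {"time": "2025-03-04T09:12:00", "activity": "Consent to application", "user": "bob",
     "app_id": "app-ilsmart-0001", "app_name": "iLSMART", "publisher_verified": False,
     "scopes": ["User.Read", "offline_access"]},
    {"time": "2025-03-04T09:25:00", "activity": "Consent to application", "user": "carol",
     "app_id": "app-ilsmart-0001", "app_name": "iLSMART", "publisher_verified": False,
     "scopes": ["User.Read", "offline_access"]},
    {"time": "2025-03-04T09:40:00", "activity": "Consent to application", "user": "dave",
     "app_id": "app-ilsmart-0001", "app_name": "iLSMART", "publisher_verified": False,
     "scopes": ["User.Read", "offline_access"]},
    {"time": "2025-03-04T10:00:00", "activity": "Consent to application", "user": "erin",
     "app_id": "app-contoso-0002", "app_name": "Contoso Expense Tool", "publisher_verified": False,
     "scopes": ["User.Read"]},
    {"time": "2025-03-04T11:00:00", "activity": "Consent to application", "user": "alice",
     "app_id": "app-adobe-0003", "app_name": "Adobe Acrobat Sign", "publisher_verified": True,
     "scopes": ["User.Read", "offline_access"]},
    {"time": "2025-03-04T11:05:00", "activity": "Consent to application", "user": "bob",
     "app_id": "app-adobe-0003", "app_name": "Adobe Acrobat Sign", "publisher_verified": True,
     "scopes": ["User.Read", "offline_access"]},
    {"time": "2025-03-04T11:30:00", "activity": "Add service principal", "user": "admin",
     "app_id": "app-contoso-0002", "app_name": "Contoso Expense Tool", "publisher_verified": False,
     "scopes": []},
]


def _norm(text):
    """Lower-case and keep only letters/digits so case and punctuation tricks do not hide a match."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def looks_like_brand(app_name):
    """Return the impersonated brand an app name matches or closely resembles, else None."""
    name = _norm(app_name)
    for brand in IMPERSONATED_BRANDS:
        b = _norm(brand)
        if b in name or SequenceMatcher(None, name, b).ratio() >= 0.8:
            return brand
    return None


def burst_size(times, window):
    """Largest number of consents to one app that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage_consents(events, window=timedelta(hours=1), burst_threshold=3):
    """Group consent grants per app and report those showing consent-phishing signals."""
    by_app = defaultdict(list)
    for ev in events:
        if ev["activity"] == "Consent to application":
            by_app[ev["app_id"]].append(ev)

    findings = []
    for app_id, evs in by_app.items():
        name = evs[0]["app_name"]
        unverified = not evs[0]["publisher_verified"]
        scopes = set().union(*(set(e["scopes"]) for e in evs))
        reasons = []
        brand = looks_like_brand(name)
        if unverified and brand:
            reasons.append(f"unverified_app_mimics:{brand}")
        persistent = scopes & PERSISTENT_SCOPES
        if unverified and persistent:
            reasons.append("unverified_app_with_persistent_access:" + ",".join(sorted(persistent)))
        n = burst_size([datetime.fromisoformat(e["time"]) for e in evs], window)
        if n >= burst_threshold:
            reasons.append(f"burst:{n}_consents_within_{int(window.total_seconds() // 60)}m")
        if reasons:
            findings.append({"app_id": app_id, "app_name": name,
                             "users": sorted({e["user"] for e in evs}), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_consents(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample only the iLSMART grant is reported: its name matches ILSMart after normalisation, the publisher is unverified, it asked for `offline_access`, and four users consented within an hour. The verified Adobe app with the same persistent scope is left alone, as is the internal unverified tool that asked for profile access only, which keeps the review list short enough for an overworked IT team to actually work through. Against a real tenant, the same rules would be fed from the exported audit log, with the brand list extended to whatever services the organisation itself uses.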
In short, Microsoft OAuth—once a quiet convenience feature—has become a prime target. Until new safeguards arrive and users grow savvier, the simplest email request can open the door to a full-blown breach. Stay alert, review those permissions, and remember: if an app you have never heard of suddenly needs account access, treat it as the red flag it is.