Technology

Microsoft 365 accounts are under attack from new malware spoofing popular work apps

March 17, 2025

Criminals are using stolen email addresses to distribute malicious OAuth Apps
These apps steal sensitive data and redirect people to phishing pages
The pages steal login credentials and deliver malware

Hackers are spoofing popular cloud and productivity apps to steal people’s Microsoft 365 login credentials and deliver malware, experts have warned.

Cybersecurity researchers Proofpoint detailed their findings in an X thread, revealing unidentified cybercriminals used compromised Office 365 accounts and email addresses belonging to charity organizations or small businesses to launch the attacks.

It is unclear what the contents of the emails are, but apparently, the goal is to get victims to install malicious Microsoft OAuth apps pretending to be Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign.

“Highly targeted” attacks

Those that install these apps are asked to grant specific permissions: ‘profile’, ‘email’, and ‘openid’. Alone, these aren’t that destructive, since they only grant access to the user’s name, user ID, profile picture, username, and the primary email address (no access, just information about the account). The ‘openid’ permission also allows the attackers to confirm the victim’s identity and retrieve their Microsoft account details.

While these aren’t enough to steal data or install malware, they can be used in more personalized phishing attacks, the researchers said. The campaign itself was “highly targeted”, Proofpoint said, going after organizations in different industries across the US and Europe, including government, healthcare, supply chain, and retail.

After granting these permissions, the apps redirect the victims to phishing landing pages, collecting login credentials, and distributing malware. Proofpoint could not confirm the strain of the malware being distributed this way, but stressed that the attackers used the ClickFix social engineering attack.

Nowadays, ClickFix has grown quite popular. It starts with a browser popup, informing the victim that they cannot view the contents of the web page unless they update their browser (or something similar). The popup shares steps on how to “fix” the issue, tricking the victims into downloading malware instead.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar