“The phishing campaigns leverage multi-factor authentication (MFA) attacker-in-the-middle (AiTM) phishing kits like Tycoon,” researchers added. “Such exercise may very well be used for info gathering, lateral motion, follow-on malware installations, or to conduct extra phishing campaigns from compromised accounts.”
This technique is especially harmful because OAuth tokens can survive password resets. Even when a compromised user changes their password, attackers can still use the granted permissions to access email, data, and other cloud services until the OAuth token is revoked.
Proofpoint said the campaign abused over 50 trusted brands, including companies like RingCentral, SharePoint, Adobe, and DocuSign.
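Because an OAuth grant outlives a password reset, incident responders need to confirm that every grant made before the reset was explicitly revoked. The following check is an added example, not code from Proofpoint or the original article; the event schema, user names and app names are constructed assumptions rather than any provider's real log format.

```python
from datetime import datetime

# Constructed sample audit events (hypothetical schema, not a real provider's format).
EVENTS = [
    {"time": "2025-07-01T09:00:00", "user": "alice@example.com", "type": "consent_granted", "app": "app-A"},
    {"time": "2025-07-01T09:05:00", "user": "alice@example.com", "type": "consent_granted", "app": "app-B"},
    {"time": "2025-07-02T08:00:00", "user": "alice@example.com", "type": "password_reset"},
    {"time": "2025-07-02T08:10:00", "user": "alice@example.com", "type": "grant_revoked", "app": "app-A"},
    {"time": "2025-07-03T10:00:00", "user": "bob@example.com", "type": "consent_granted", "app": "app-C"},
    {"time": "2025-07-04T10:00:00", "user": "bob@example.com", "type": "password_reset"},
    {"time": "2025-07-05T10:00:00", "user": "bob@example.com", "type": "consent_granted", "app": "app-D"},
]


def grants_surviving_reset(events):
    """Return {user: [apps]} for OAuth grants that were made before the user's
    latest password reset and have not been revoked since."""
    active = {}      # (user, app) -> time the currently active grant was made
    last_reset = {}  # user -> time of the latest password reset
    # Replay events in time order so revocations and re-grants are applied correctly.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["type"] == "consent_granted":
            active[(user, ev["app"])] = when
        elif ev["type"] == "grant_revoked":
            active.pop((user, ev["app"]), None)
        elif ev["type"] == "password_reset":
            last_reset[user] = when

    findings = {}
    for (user, app), granted in active.items():
        reset = last_reset.get(user)
        # A grant older than the reset is still usable: the reset did not remove it.
        if reset is not None and granted < reset:
            findings.setdefault(user, []).append(app)
    return {user: sorted(apps) for user, apps in findings.items()}


if __name__ == "__main__":
    for user, apps in grants_surviving_reset(EVENTS).items():
        print(f"{user}: grants still active after password reset: {', '.join(apps)}")
```
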