“The phishing campaigns leverage multi-factor authentication (MFA) attacker-in-the-middle (AiTM) phishing kits like Tycoon,” researchers added. “Such activity may very well be used for data gathering, lateral movement, follow-on malware installations, or to conduct extra phishing campaigns from compromised accounts.”
This technique is especially harmful because OAuth tokens can survive password resets. Even when a compromised user changes their password, attackers can still use the granted permissions to access email, files, and other cloud services until the OAuth token is revoked.
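As an added illustration (not part of the original article or Proofpoint's research), the following triage sketch finds OAuth grants that outlived a password reset. The records, field names, and app names are constructed, and the scope names are Microsoft Graph-style permissions assumed for the example.

```python
from datetime import datetime

# Constructed sample data: consent grants exported from an identity provider.
GRANTS = [
    {"user": "alice@example.com", "app": "Docs Viewer (constructed)",
     "scopes": "Mail.Read Files.Read.All offline_access",
     "granted": "2025-03-01T09:12:00", "revoked": None},
    {"user": "bob@example.com", "app": "Calendar Helper (constructed)",
     "scopes": "User.Read", "granted": "2025-02-10T14:00:00", "revoked": None},
    {"user": "carol@example.com", "app": "Fax Portal (constructed)",
     "scopes": "Mail.Send offline_access",
     "granted": "2025-03-01T11:30:00", "revoked": "2025-03-02T10:00:00"},
    {"user": "dave@example.com", "app": "Notes Sync (constructed)",
     "scopes": "Files.ReadWrite.All", "granted": "2025-03-01T12:00:00", "revoked": None},
]
# Constructed password-reset times from incident response (dave was never reset).
RESETS = {"alice@example.com": "2025-03-02T08:00:00",
          "bob@example.com": "2025-03-02T08:05:00",
          "carol@example.com": "2025-03-02T09:00:00"}

# Assumption: scopes that give access to mail and files, or long-lived refresh tokens.
SENSITIVE = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
             "Files.Read.All", "Files.ReadWrite.All", "offline_access"}

def surviving_grants(grants, resets):
    """Return grants made before a user's password reset that were never revoked."""
    findings = []
    for g in grants:
        reset = resets.get(g["user"])
        if reset is None or g["revoked"] is not None:
            continue  # no reset on record, or access already cut off
        if datetime.fromisoformat(g["granted"]) > datetime.fromisoformat(reset):
            continue  # consented after the reset: a different investigation
        risky = sorted(SENSITIVE & set(g["scopes"].split()))
        findings.append({"user": g["user"], "app": g["app"], "risky_scopes": risky})
    # Grants with the most sensitive scopes are reviewed and revoked first.
    return sorted(findings, key=lambda f: -len(f["risky_scopes"]))

if __name__ == "__main__":
    for f in surviving_grants(GRANTS, RESETS):
        print(f"{f['user']}: '{f['app']}' still authorized, risky scopes: {f['risky_scopes']}")
```
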
Proofpoint said the campaign abused over 50 trusted brands, including companies like RingCentral, SharePoint, Adobe, and DocuSign.