Summary: A new phishing campaign targets Microsoft 365 users by using custom applications to request sensitive information, tricking users with a legitimate-looking password reset email. Once users authenticate through a fake application, they unwittingly provide their credentials to threat actors. This method highlights the need for vigilance against deceptive phishing tactics that misuse legitimate services.
Affected: Microsoft 365 users
Keypoints:
- Phishing campaign lures users with a fake Microsoft password reset request email.
- User is directed to a legitimate Microsoft login page before being tricked into granting access to a custom application.
- Threat actors exploit the trust associated with familiar brands like Microsoft and Adobe to extract user credentials.
Source: https://cofense.com/blog/oauth-phishing-alert-fake-adobe-drive-x-app-abusing-microsoft-login
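
Because the sign-in page in this flow is a genuine Microsoft one, checking the link's domain alone does not catch it. The following is an added example (not from the Cofense report or this summary) of a triage check for links in reported emails: it flags OAuth authorization requests on a Microsoft login host that name an unapproved application. The allowlists, the scope list and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: genuine Microsoft sign-in hosts.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Hypothetical allowlist of application (client) IDs the organisation approved.
APPROVED_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}
# Hypothetical hosts the organisation accepts as OAuth redirect targets.
TRUSTED_REDIRECT_HOSTS = {"portal.example.com"}
# Assumption: scopes treated as sensitive for triage purposes.
SENSITIVE_SCOPES = {"mail.read", "mail.readwrite", "files.read.all", "offline_access"}

def triage_link(url):
    """Return a list of findings for one URL taken from a reported email."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in MS_LOGIN_HOSTS or "/authorize" not in parts.path.lower():
        return []  # not an OAuth authorization request on a Microsoft login host
    q = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    client_id = q.get("client_id", "").lower()
    if client_id not in APPROVED_CLIENT_IDS:
        findings.append(f"unapproved client_id: {client_id or '<missing>'}")
    redirect_host = (urlsplit(q.get("redirect_uri", "")).hostname or "").lower()
    if redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"untrusted redirect host: {redirect_host or '<missing>'}")
    # Scopes may be bare names or resource-qualified URIs; compare the last segment.
    scopes = {s.lower().rsplit("/", 1)[-1] for s in q.get("scope", "").split()}
    risky = sorted(scopes & SENSITIVE_SCOPES)
    if risky:
        findings.append("sensitive scopes: " + ", ".join(risky))
    return findings

# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=22222222-2222-2222-2222-222222222222&response_type=code"
    "&redirect_uri=https%3A%2F%2Flanding.example.net%2Fcb"
    "&scope=openid%20Mail.Read%20offline_access",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcb&scope=openid",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage_link(link) or "no findings")
```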