CyberWire Daily

Don’t trust that app!

N2K Networks, Inc.

Tech News, News, Daily News, Technology

4.61K Ratings

🗓️ 3 January 2026

⏱️ 20 minutes

Summary

While our team is out on winter break, please enjoy this episode of Research Saturday. Today we are joined by Selena Larson, co-host of Only Malware in the Building and Staff Threat Researcher and Lead Intelligence Analysis and Strategy at Proofpoint, sharing their work on "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing." Proofpoint researchers have identified campaigns where threat actors use fake Microsoft OAuth apps to impersonate services like Adobe, DocuSign, and SharePoint, stealing credentials and bypassing MFA via attacker-in-the-middle phishing kits, mainly Tycoon. These attacks redirect users to fake Microsoft login pages to capture credentials, 2FA tokens, and session cookies, targeting nearly 3,000 Microsoft 365 accounts across 900 environments in 2025. Microsoft’s upcoming security changes and strengthened email, cloud, and web defenses, along with user education, are recommended to reduce these risks. The research can be found here: Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing.

Transcript

0:00.0

You're listening to the CyberWire Network, powered by N2K.

0:47.6

Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts

0:52.7

tracking down the threats and vulnerabilities,

0:55.5

solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.

1:01.3

Thanks for joining us.

1:07.8

In this particular campaign, it was pretty interesting because the threat actors will impersonate various fake Microsoft OAuth applications and ultimately lead to credential theft.

1:19.9

That's Selena Larson, staff threat researcher and lead for intelligence analysis and strategy at Proofpoint.

1:26.5

The research we're discussing today is titled "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing."

1:38.3

So sometimes we see Microsoft OAuth app impersonation trying to gain access via the malicious app, various permissions and stuff.

1:50.9

But in this case, it was used more as a vehicle to enable the credential phishing, which was pretty interesting.

1:55.8

Well, let's back up just a step.

1:58.0

Can you describe for us what exactly we're talking about when we say MFA phishing?

2:02.8

Of course. So MFA phishing is multi-factor authentication phishing. So typically, historically,

2:09.0

people will have a username and password to log into things. And adding a layer of multifactor

2:13.3

authentication could be anything from an SMS to a token that you have to a YubiKey or something

2:20.3

like a physical token that you log in or even your fingerprint or your face ID, things like that.

2:26.3

So adding a multi-factor authentication to every login adds a layer of protection to organizations

2:32.2

and to keep your information secure. You should enable MFA everywhere

...
