Microsoft 365 accounts targeted by malicious OAuth apps disguised as Adobe and DocuSign apps

Cybercriminals are deploying malicious Microsoft OAuth applications disguised as Adobe and DocuSign apps to compromise Microsoft 365 account credentials.

These highly targeted campaigns involve fraudulent apps such as "Adobe Drive," "Adobe Acrobat" and "DocuSign," which request minimal permissions like 'profile,' 'email' and 'openid' to avoid detection. Once granted, attackers gain access to user information, facilitating further targeted attacks.

The phishing emails, sent from compromised accounts of small organizations, have targeted various U.S. and European industries, including government, health care, supply chain and retail sectors. After authorization, users are redirected to malicious landing pages that either harvest Microsoft 365 credentials or distribute malware.
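A defender-side check for the pattern described above, as an added example that is not part of the original article: since the apps request only identity scopes, the scopes alone give little to alert on, so this sketch flags consent grants by app display name and missing verified publisher instead. The sample records are constructed, shaped like Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` objects, and treating a missing verified publisher as suspicious is a heuristic assumed here.

```python
import re

# Brand names the campaign impersonated, per the article.
BRAND_RE = re.compile(r"\b(adobe|docusign)\b", re.IGNORECASE)
# The low-privilege scopes the fraudulent apps requested.
LOW_PRIV_SCOPES = {"profile", "email", "openid"}

# Constructed sample data; every id, user and publisher name is made up.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Adobe Drive",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-2", "displayName": "Adobe Acrobat",
     "verifiedPublisher": {"displayName": "Example Verified Vendor"}},
    {"id": "sp-3", "displayName": "DocuSign",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-4", "displayName": "Contoso Timesheets",
     "verifiedPublisher": {"displayName": None}},
]
GRANTS = [
    {"clientId": "sp-1", "principalId": "user-a", "scope": "openid profile email"},
    {"clientId": "sp-2", "principalId": None, "scope": "openid profile"},
    {"clientId": "sp-3", "principalId": "user-b", "scope": " email openid "},
    {"clientId": "sp-3", "principalId": "user-c", "scope": "openid Mail.Read"},
    {"clientId": "sp-4", "principalId": "user-d", "scope": "openid profile email"},
]

def flag_suspicious_grants(service_principals, grants):
    """Return (app, user, scopes, note) for brand-named apps lacking a verified publisher."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = by_id.get(grant["clientId"])
        if sp is None or not BRAND_RE.search(sp.get("displayName") or ""):
            continue  # unknown app, or name does not use an impersonated brand
        if (sp.get("verifiedPublisher") or {}).get("displayName"):
            continue  # publisher is verified; not covered by this heuristic
        scopes = set((grant.get("scope") or "").split())
        note = ("identity-only scopes" if scopes <= LOW_PRIV_SCOPES
                else "broader scopes")
        findings.append((sp["displayName"], grant.get("principalId"),
                         sorted(scopes), note))
    return findings

if __name__ == "__main__":
    for finding in flag_suspicious_grants(SERVICE_PRINCIPALS, GRANTS):
        print(finding)
```

Each finding names the user who consented, which gives responders the accounts to review for follow-on credential phishing.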