Hackers abuse OAuth 2.0 to hijack Microsoft 365

Threat actors abuse OAuth 2.0 to hijack Microsoft 365 accounts without passwords. Learn how the attack works and how to defend against it.

25-04-2025 - 4 minute read. Posted in: cybercrime.

OAuth 2.0 abuse: How threat actors hijack Microsoft 365 accounts

In the evolving landscape of cyber threats, attackers are constantly refining their tactics. One method gaining traction involves abusing OAuth 2.0 authentication workflows to compromise Microsoft 365 accounts. This approach bypasses traditional phishing defenses and exploits the trust users place in legitimate services.

OAuth 2.0 as a gateway

OAuth 2.0 is a widely adopted protocol used for delegated authorization. It allows users to grant third-party applications access to their data without sharing passwords. The protocol enables single sign-on (SSO), which lets users access multiple services using their Microsoft 365 credentials.

Although OAuth 2.0 improves user experience and is designed to enhance security, it also introduces new risks. Cybercriminals are now exploiting this trusted system to gain persistent access to user accounts without needing to steal a single password.

The attack chain

  • Malicious app registration: Threat actors create rogue applications on Microsoft’s cloud platform.

  • Phishing for consent: Attackers send deceptive emails or fake login prompts that trick users into granting the rogue app permissions. Instead of stealing login credentials, they obtain the user’s consent, which yields OAuth tokens.

  • Token abuse: Once access is granted, the malicious application receives a token that allows it to act on behalf of the user.

  • Stealth and persistence: Because no credentials are stolen and access is token-based, standard protections like multi-factor authentication and password resets may not stop the attacker. This allows long-term access for surveillance or data theft.
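A defender who receives one of these consent prompts as a reported email can see exactly what the "familiar" app is asking for by reading the authorization link itself. The following script is an added example for this article, not code from the original post: it parses a Microsoft identity platform authorize URL and reports the registered client_id, the requested scopes and the redirect host, and flags requests that combine mailbox or calendar scopes with offline_access (the refresh-token scope behind the long-term access described above). The sample links are constructed; the client_id and redirect host are placeholders, and the list of high-risk scopes is an assumption for the example.

```python
"""Triage a reported consent link: what does the app actually ask for?

Added example, not code from the original article. Parses a Microsoft identity
platform authorize URL and summarises the access it requests so an analyst can
judge a reported consent prompt without clicking it.
"""
from urllib.parse import urlparse, parse_qs

# Delegated scopes that let an app read or write mail, calendars and files on
# the user's behalf. Assumed risk list for this example; extend as needed.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared", "Mail.ReadWrite.Shared",
    "Mail.Send", "Calendars.Read", "Calendars.ReadWrite", "Contacts.Read",
    "MailboxSettings.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
}

# Hosts on which the Microsoft identity platform serves its authorize endpoint.
AUTHORIZE_HOSTS = {
    "login.microsoftonline.com", "login.microsoft.com",
    "login.live.com", "login.microsoftonline.us",
}


def _short_scope(scope: str) -> str:
    """Map 'https://graph.microsoft.com/Mail.Read' and 'Mail.Read' to 'Mail.Read'."""
    return scope.rsplit("/", 1)[-1]


def triage_consent_url(url: str) -> dict:
    """Return a summary of an OAuth authorize request, or a non-match record."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    is_authorize = (
        parsed.hostname in AUTHORIZE_HOSTS
        and "/oauth2/" in parsed.path
        and parsed.path.endswith("/authorize")
    )
    if not is_authorize:
        return {"is_authorize_request": False, "verdict": "not-an-authorize-request"}

    # The v2 endpoint carries scopes space-separated in one 'scope' parameter;
    # the v1 endpoint names a single 'resource' instead, so both are reported.
    scopes = set()
    for raw in qs.get("scope", []):
        scopes.update(_short_scope(s) for s in raw.split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    persistent = "offline_access" in scopes   # refresh tokens => access survives password resets

    if risky and persistent:
        verdict = "high"      # silent, long-lived mailbox access: the campaign's goal
    elif risky:
        verdict = "medium"    # mailbox access, but only for the access token's lifetime
    else:
        verdict = "low"

    return {
        "is_authorize_request": True,
        "tenant_segment": parsed.path.split("/")[1],  # 'common', 'organizations' or a tenant id
        "client_id": qs.get("client_id", [None])[0],
        "redirect_host": urlparse(qs.get("redirect_uri", [""])[0]).hostname,
        "resource": qs.get("resource", [None])[0],
        "scopes": sorted(scopes),
        "risky_scopes": risky,
        "persistent": persistent,
        "forces_consent_prompt": qs.get("prompt", [None])[0] == "consent",
        "verdict": verdict,
    }


# Constructed sample link (placeholder client_id and redirect host).
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsync.example.invalid%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Calendars.Read"
    "&prompt=consent"
)

if __name__ == "__main__":
    for key, value in triage_consent_url(SAMPLE_LINK).items():
        print(f"{key:>22}: {value}")
```

The redirect host and client_id are what you search for in the tenant's consent and sign-in logs; a prompt=consent request that also asks for offline_access is exactly the shape of "grant once, read forever" that the stealth-and-persistence step describes.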

Real-world example: Ukraine and the misuse of trusted platforms

In April 2025, multiple cybersecurity firms reported a coordinated campaign linked to Russian state-sponsored hackers. The attackers targeted Microsoft 365 accounts belonging to Western governments, media outlets, NGOs, and especially organizations associated with Ukraine.

Instead of using traditional phishing, the attackers relied on OAuth 2.0 abuse. They tricked users into approving access to seemingly legitimate apps that were in fact malicious. A particularly deceptive tactic involved naming the rogue apps after trusted messaging platforms such as WhatsApp and Signal. This made the consent prompts appear familiar and trustworthy, increasing the likelihood of users unknowingly granting dangerous access.

Once access was approved, the attackers were able to silently read emails, extract calendar data, and monitor conversations. Victims included organizations with otherwise strong security practices, showing how dangerous these attacks can be when trust is exploited.

Why this threat is serious

The most concerning aspect of OAuth-based attacks is how stealthy they are. Because the user approves the access themselves, many security systems do not flag the activity as suspicious. Even advanced protections like MFA and phishing awareness training offer limited protection in these scenarios.

In this case, the attack not only exposed sensitive data but also had geopolitical implications, as several targets had ties to the conflict in Ukraine. This demonstrates how modern cyberattacks are often used to support broader espionage and political objectives.

If you want to learn more about why multi-factor authentication matters, read our helpful guide on why multi-factor authentication is important. And if you want to know how to strengthen your organization’s human firewall, Moxso offers awareness training.

How to defend against OAuth abuse

Organizations can take several steps to strengthen their defenses:

  • Review third-party app permissions: Conduct regular audits of all applications with access to your Microsoft 365 environment.

  • Implement admin consent policies: Prevent users from authorizing new applications without administrator approval.

  • Monitor OAuth activity: Use tools that detect abnormal app registrations or token behavior.

  • Educate employees: Provide training that helps users identify suspicious consent screens, even when the apps appear familiar.
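The first and third recommendations above (auditing app permissions and monitoring OAuth activity) can be turned into a repeatable check over the tenant's existing consent grants. The script below is an added example, not code from the original article or from Microsoft: it walks records shaped like Microsoft Graph's oauth2PermissionGrant objects (clientId, consentType, principalId, scope) and servicePrincipal objects (id, displayName, appOwnerOrganizationId, verifiedPublisher) and flags grants that combine mailbox or calendar scopes with an app name imitating a trusted brand or an unverified publisher, the pattern of the campaign described above. The records are constructed sample data, every id is a placeholder, and the risk-scope list and publisher allow-list are assumptions to be replaced with your own.

```python
"""Audit Microsoft 365 OAuth permission grants for consent-phishing indicators.

Added example, not code from the original article or from Microsoft. Expects
lists of dicts in the shape of Graph's oauth2PermissionGrant and
servicePrincipal objects; the sample data at the bottom is constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Delegated scopes that let an app read or write mail and calendars for the
# consenting user. Assumed risk list for this example.
MAILBOX_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared", "Mail.ReadWrite.Shared",
    "Mail.Send", "Calendars.Read", "Calendars.ReadWrite", "Contacts.Read",
    "MailboxSettings.ReadWrite",
}
# Brands the 2025 campaign imitated in rogue app display names.
IMPERSONATED_BRANDS = ("whatsapp", "signal")
# Publisher tenants allowed to use those names. Placeholder allow-list; an
# administrator fills this from the vendors' published tenant ids.
TRUSTED_PUBLISHER_TENANTS = {"11111111-1111-1111-1111-111111111111"}


@dataclass
class Finding:
    app_display_name: str
    client_id: str
    consent: str        # who granted it: one user, or an admin for the whole tenant
    severity: str       # "high", "medium", "low" or "none"
    reasons: list[str] = field(default_factory=list)


def _normalise(name: str) -> str:
    """Collapse case, spacing and punctuation so "What's App (Web)" matches 'whatsapp'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit_grants(grants: list[dict], service_principals: list[dict]) -> list[Finding]:
    """Return one Finding per grant, in input order."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        name = sp.get("displayName", "<unknown service principal>")
        reasons = []

        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & MAILBOX_SCOPES)
        if risky:
            reasons.append("mailbox/calendar scopes: " + ", ".join(risky))
        if "offline_access" in scopes:
            reasons.append("offline_access: refresh tokens outlive a password reset")

        owner = sp.get("appOwnerOrganizationId")
        lookalike = any(b in _normalise(name) for b in IMPERSONATED_BRANDS)
        if lookalike and owner not in TRUSTED_PUBLISHER_TENANTS:
            reasons.append(f"name imitates a trusted brand but publisher tenant {owner} is not allow-listed")
        unverified = not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId")
        if unverified:
            reasons.append("publisher not verified")

        if g.get("consentType") == "AllPrincipals":
            consent = "tenant-wide (admin) consent"
        else:
            consent = f"user consent by {g.get('principalId')}"

        if risky and (lookalike or unverified):
            severity = "high"
        elif risky:
            severity = "medium"
        elif reasons:
            severity = "low"
        else:
            severity = "none"
        findings.append(Finding(name, g["clientId"], consent, severity, reasons))
    return findings


# Constructed sample data in Graph's shape; all ids are placeholders.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-rogue", "displayName": "WhatsApp Web Sync",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {}},
    {"id": "sp-expense", "displayName": "Expense Tool",
     "appOwnerOrganizationId": "11111111-1111-1111-1111-111111111111",
     "verifiedPublisher": {"verifiedPublisherId": "verified-placeholder"}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-rogue", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "sp-graph", "scope": "openid profile offline_access Mail.Read Calendars.Read"},
    {"clientId": "sp-expense", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read"},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        print(f"[{f.severity}] {f.app_display_name} ({f.consent})")
        for reason in f.reasons:
            print("   -", reason)
```

In a real tenant the two input lists come from Graph's `/oauth2PermissionGrants` and `/servicePrincipals` collections; running the audit on a schedule and alerting on new "high" findings covers the monitoring recommendation, while a "user consent by ..." line on a high finding is the signal that the admin-consent policy from the second recommendation is not yet in force, since it should have blocked that grant.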

Final thoughts

OAuth 2.0 plays a central role in modern authentication systems. However, like any technology, it can be misused. The 2025 campaign targeting Microsoft 365 users serves as a reminder that even trusted systems must be closely monitored.

Organizations must look beyond passwords and consider the entire access lifecycle, including how apps are granted permissions and how tokens are used. In today’s threat landscape, the absence of a password does not mean the absence of a breach.

Author Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
