
Microsoft OAuth URL used as redirect to AITM credential phishing site

Blog post from Sublime Security

Author: Brandon Murphy
Word count: 632
Language: English
Summary

Sublime's Attack Spotlight series documents the evolving email threat landscape by showcasing real-world attack samples, describing adversary tactics, and explaining detection methods, with an emphasis on credential phishing attacks targeting Microsoft 365. The attacks described in this post abuse legitimate Microsoft OAuth URLs to disguise malicious activity: a fake password reset message links to a genuine Microsoft OAuth URL, which in turn redirects the user to an adversary-in-the-middle (AITM) phishing page imitating the Microsoft login. This technique, part of a suspected international campaign, exploits users' trust in familiar brands such as Adobe, and the OAuth application requests only minimal permissions that appear harmless while the redirect leads to credential theft. Sublime's AI-powered detection engine identifies these threats through signals such as suspicious Office 365 app authorization links and messages from previously unknown senders. The platform offers a free account for detecting and preventing such email-based threats, with customizable detection for different environments.