A phishing campaign has been discovered that doesn't target a recipient's username and password, but rather uses the novel approach of gaining access to a recipient's Office 365 account and its data through the Microsoft OAuth API.
Almost all Microsoft Office 365 phishing attacks that we see are designed to steal a user's login name and password by impersonating a Microsoft login landing page.
In a phishing campaign discovered by threat intelligence and mitigation firm PhishLabs, attackers are no longer targeting a user's login credentials, but are now using Microsoft Office 365 OAuth apps to hijack a recipient's account.
... ...