MICROSOFT has warned users of a new phishing scam that uses a fake app to steal their information.

Threat actors have been targeting Microsoft 365 users with a fraudulent app that steals their OAuth authentication token.

Targeting a user's OAuth grant – OAuth is the standard that lets websites and apps access a user's account data on their behalf without being given the password – can get hackers full access to a victim's email, calendar, and contacts.

Microsoft learned of the phishing scam from a Twitter user by the handle of @ffforward.

"Massive active image-based #phishing campaign missed by Defender for @Office365 for several days," the tweet revealed, prompting Microsoft to do its own investigation.

Use the authenticate sites like aka.ms/authapp

The tech giant discovered that the hacker group has been targeting Microsoft 365 users with an app called Upgrade.

They also uncovered the app was using the publisher name 'Counseling Services Yuma PC.'

The threat actors have been sending emails to potential victims with an OAuth request that sends an OAuth token back to the actors once the users have signed into a service.

This then gives the hackers access to the service without a password for an extended period of time.

The fake app plays a pivotal role: it generates an OAuth consent prompt when a victim clicks on the OAuth URL in the email. If the victim agrees to give the app access, the attackers receive the authorization token and can then access the user's data.

The OAuth token also allows hackers to stay in a victim's account until the token expires or is removed.
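The consent-grant flow described above leaves a record on the defender's side: every app a user approves shows up as a consent event with the app name, publisher and requested permissions. The following is an added example (not from Microsoft, ESET or the article) that triages such records for the traits this campaign displayed: an unverified publisher, end-user rather than admin consent, mailbox, calendar and contact scopes, and a refresh token that keeps access alive after the sign-in. The record fields and the sample events are constructed stand-ins, not a real log schema.

```python
import json

# Delegated Microsoft Graph scopes that cover the data the article says the
# fake "Upgrade" app reached (mail, calendar, contacts); offline_access yields a
# refresh token, which is what lets access outlive the original sign-in.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Calendars.Read",
                    "Contacts.Read", "offline_access"}

# Constructed sample consent events. The field names are a simplified stand-in
# for an identity provider's consent audit record, not a real log schema.
SAMPLE_GRANTS = json.loads("""[
 {"app_display_name": "Upgrade", "publisher": "Counseling Services Yuma PC",
  "publisher_verified": false, "consent_type": "user",
  "scope": "Mail.Read Calendars.Read Contacts.Read offline_access"},
 {"app_display_name": "Expense Portal", "publisher": "Example Corp IT",
  "publisher_verified": true, "consent_type": "admin", "scope": "User.Read"}
]""")

def assess_grant(grant):
    """Return the reasons a consent grant deserves review (empty = looks benign)."""
    scopes = set(grant["scope"].split())
    reasons = []
    data_scopes = sorted(scopes & (HIGH_RISK_SCOPES - {"offline_access"}))
    if data_scopes:
        reasons.append("mailbox/calendar/contact access: " + ", ".join(data_scopes))
    if "offline_access" in scopes:
        reasons.append("refresh token requested, access persists after sign-in")
    if not grant.get("publisher_verified", False):
        reasons.append("unverified publisher: " + grant.get("publisher", "<none>"))
    if grant["consent_type"] == "user" and reasons:
        reasons.append("end-user consent, no admin review of the request")
    return reasons

def triage(grants):
    """Map app name -> reasons for every grant that trips at least one check."""
    return {g["app_display_name"]: r for g in grants if (r := assess_grant(g))}

if __name__ == "__main__":
    # Revoking the grant is the remediation the article implies: the token
    # stays valid until it expires or is removed.
    for app, why in triage(SAMPLE_GRANTS).items():
        print(f"REVIEW {app}: revoke the grant if the user did not expect it")
        for w in why:
            print("  -", w)
```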

Jake Moore, the former Head of Digital Forensics at Dorset Police who is now the Global Cybersecurity Advisor at ESET, called the phishing scam "very clever" as it can skirt multi-factor authentication.

"It highlights the powerful manipulation used in targeted phishing emails and that standard protection in this form of authentication is still not foolproof," he said.

"Attackers will go to great lengths to attempt entry, and a percentage of people will easily be influenced into handing this code over in real time, giving full access to their accounts," he added.

In order to better protect yourself from attacks like this, Moore advises that people remain vigilant to requests for their unique authentication codes.

He also strongly suggests a physical security key, which adds a "far stronger level of protection."
