{
	"id": "78415e86-24f7-44cd-9b1d-87e788cf312f",
	"created_at": "2026-04-06T00:08:53.978207Z",
	"updated_at": "2026-04-10T03:23:52.687396Z",
	"deleted_at": null,
	"sha1_hash": "fe2dcfd74c8c6df14af21f4f5c224084b0fc101e",
	"title": "TA2552's O365 Third-Party Access Abuse | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 751699,
	"plain_text": "TA2552's O365 Third-Party Access Abuse | Proofpoint US\r\nBy September 29, 2020 The Proofpoint Threat Research Team\r\nPublished: 2020-09-29 · Archived: 2026-04-05 12:37:03 UTC\r\nSince January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known\r\nas TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The\r\nlures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent\r\npage. There they are prompted to grant a third-party application read-only user permissions to their O365\r\naccount via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account\r\nresources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be\r\nused to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other\r\naccounts such as those at financial institutions. While organizations with global presence have received messages\r\nfrom this group, they appear to choose recipients who are likely Spanish speakers. \r\nAttack Technique Overview \r\nThe campaigns from TA2552 follow a similar attack flow. Upon clicking the link in the message, the recipient is\r\nredirected to the authentic Microsoft third-party application consent page at login.microsoftonline.com and asked\r\nto grant or deny the requested permissions. If the browser is not already authenticated to O365, the user is\r\nprompted to authenticate. If consent is granted, the third-party application will be allowed to access the currently\r\nauthenticated O365 account. The list of permissions we have observed in these campaigns allows read-only access\r\nto items such as the user's contacts, profile, and mail. 
Even if consent is denied, the browser is still redirected to an attacker-controlled page, giving the actor the opportunity to present more attack techniques to the visitor.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks\r\nPage 1 of 11\n\nFigure 1: Overview of attack flow\r\nThe consent URL used during the OAuth authorization flow has a predictable structure. Values of interest are indicated in Figure 2.\r\nFigure 2: Relevant components of a consent URL\r\nAcross some campaigns, we have observed the same phish URLs leading to consent URLs with different values for client_id, redirect_uri, and scope options. Some campaigns have used multiple phish URLs. Samples listed below should not be considered representative of the complete list of 3PA IDs and URLs used by this actor over time.\r\nMessage Overview\r\nIn addition to the lures, there are several important components to the attacks described below. Below each message sample, we’ve included several relevant attributes:\r\nOAuth Access Token Phish Lure Theme: Branding or entity being impersonated.\r\nOAuth Access Token Phish URL Sample: Sample of the URL linked in the message body.\r\nClientID Sample: Sample of the observed client_id value from consent URLs.\r\nConsent redirect URL Sample: A sample of the redirect_uri value from observed consent URLs where the user’s browser is sent post-consent, regardless of the user’s choice to consent or not. The request may contain an authorization code if the user chooses to consent, or an error code if the consent request was denied.\r\nScope values observed in consent URL: A sample of the scope value from the consent URL. 
It describes the permissions requested by the third-party application.\r\nImpersonation of the Servicio de Administración Tributaria (SAT), Mexico’s tax authority, is a common message theme for this actor. When SAT is used in the phish lure, the email suggests that the recipient needs to update their contact information and is presented with what appears to be a link to do so (Figures 3, 4). Some subjects, like “Аcսse dе Сіta - Aсlaracіоոes 2020. (Acknowledgment of Appointment – Clarifications 2020.),” make use of non-ASCII characters, possibly to evade simple spam filters (Figure 3).\r\nFigure 3: Mexican tax authority lure\r\nOAuth Access Token Phish Lure Theme: update your information with SAT of Mexico\r\nOAuth Access Token Phish URL Sample: hxxp://akglass[.]in/menu/redirect.php\r\nClientID Sample: 13f33779-fe8e-4f64-8252-79e8ec962fb4\r\nConsent redirect URL Sample: hxxps://www-registros-apps-mx.e18220[.]com/1/autoriza.php\r\nScope values observed in consent URL: User.Read, User.ReadBasic.All, Contacts.Read, Contacts.Read.Shared, People.Read\r\nFigure 4: Mexican tax authority lure with accurate branding\r\nOAuth Access Token Phish Lure Theme: update your information with SAT of Mexico\r\nOAuth Access Token Phish URL Sample: hxxps://app452-sat-mx.i3720[.]xyz/leap/983.php\r\nClientID Sample: 4f641680-a8cd-4f96-8181-08efaf2563b1\r\nConsent redirect URL Sample: hxxps://www-registros-appsmx-sat.x030720[.]xyz/regs/autoriza.php\r\nScope values observed in consent URL: User.Read, Contacts.Read, Contacts.Read.Shared, People.Read, Mail.Read\r\nMexican tax- and government-themed messages are regularly observed with this actor, though they have occasionally deviated from this 
messaging and impersonated popular consumer brands. In July, we observed this actor’s lures impersonating Netflix Mexico (Figure 5) and Amazon Prime Mexico (Figures 6, 7).\r\nFigure 5: Netflix Mexico lure offering 6 free months of service\r\nOAuth Access Token Phish Lure Theme: Netflix Mexico free trial\r\nOAuth Access Token Phish URL Sample: hxxps://485online.rs10720[.]xyz/xPsY\r\nClientID Sample: d76c652c-7ba7-4205-8666-059985a0ec54\r\nConsent redirect URL Sample: hxxps://www-netfflix-registros.i10720[.]xyz/regs/autoriza.php\r\nDomain reused in Amazon Prime free trial phish below\r\nScope values observed in consent URL: User.Read, Contacts.Read, Contacts.Read.Shared, People.Read, Mail.Read\r\nFigure 6: Amazon Prime Mexico lure offering 6 months of free service\r\nFigure 7: 3PA consent request, featuring H&M branding incongruent with the Amazon Prime lure\r\nPhish Lure Theme: Amazon Prime Mexico free trial\r\nOAuth Access Token Phishing URL Sample: hxxps://printstockphoto[.]com/img/01/redirect.html\r\nClientID Sample: f6b5e94d-f5d8-4f4e-9a68-4c06aa2e4cba\r\nConsent redirect URL Sample: hxxps://apps-registros-mx.is15720[.]xyz/1/auth.php\r\nNotable brand mismatch between the email lure (Amazon Prime) and the consent page (H&M)\r\nThird-Party Applications and Permission Risks\r\nIt’s important to understand the scope and risk of permissions requested by the third-party apps linked in these messages. 
The official consent page presents a list of permissions requested by the third-party application (Figure 8 is an example).\r\nFigure 8: Itemized permission list for a third-party application\r\nAll permissions we’ve observed requested thus far have been read-only. While that might seem relatively benign, even allowing an actor read access to a user’s inbox and contacts can have significant regulatory and privacy consequences. The minimal permissions requested by these apps also likely help them appear inconspicuous if an organization’s O365 administrator audits connected apps for their users’ accounts. The apps don’t request many permissions, and those they do might not appear particularly far-reaching, allowing them to blend in with other benign apps.\r\nFigure 9: Commonly observed requested permissions\r\nContacts.Read and People.Read could be used for email address harvesting. Obtaining email addresses in this way can help ensure addresses are valid and active.\r\nUser.Read can help an actor determine the potential value of an account, or the value of compromising the user’s other accounts.\r\nMail.Read allows an actor to read a user’s mail, potentially offering a more subtle manner of collecting credentials. If an actor completes the ‘forgot password’ flow on a site connected to the email address and a password reset link is sent via email, they could effectively steal the account. This also assumes that the user’s account does not have multifactor authentication measures independent of the readable account’s inbox enabled.\r\nInfrastructure and Hosting\r\nThe phish URL in the lure is usually a compromised site that takes the recipient to the official O365 login page if they’re not authenticated. 
Once signed into their O365 account, the user is redirected to the official O365 consent process that prompts them to grant permissions to the actor’s application. The domains that catch the OAuth tokens are often registered via Namecheap and hosted on Cloudflare.\r\nConclusion\r\nThreat actors often find creative ways to harvest information. In these attacks, TA2552 doesn't rely on techniques like more traditional credential phishing or dropping malware on a system. Instead, they gain permissions to view the content and activity of resources available through a user’s O365 account. The departure from such traditional techniques gives this actor an advantage, as users likely aren’t trained to spot or inspect suspicious applications. Even read-only access comes with considerable risk. The ability to perform reconnaissance on an O365 account supplies an actor with valuable information that can later be weaponized in business email compromise (BEC) attacks or account takeovers.\r\nIOCs\r\nPhish URL Domains:\r\nThe actor has used a blend of what appear to be compromised sites and custom domains.
\r\ncasperinfosystem[.]com\r\nultimatetravel[.]in\r\nnivedafoundation[.]org\r\ncalyss[.]in\r\nmucla[.]in\r\nakglass[.]in\r\ni3720[.]xyz\r\nrs10720[.]xyz\r\nphotobalkan[.]com\r\nprintstockphoto[.]com\r\nccgdm[.]org\r\nal-thawiya[.]com\r\ndev.tvs[.]st\r\nClientIDs:\r\n13f33779-fe8e-4f64-8252-79e8ec962fb4\r\n4f641680-a8cd-4f96-8181-08efaf2563b1\r\nd76c652c-7ba7-4205-8666-059985a0ec54\r\n2c8cd500-52d3-4b88-8d0b-1f8ad8a3b714\r\n1ed6cd93-7682-4584-9e1e-f9251f056cbd\r\n2385bb0e-b757-4b1c-830b-c5076d1c8ca2\r\n41b33fb0-7a42-4f9a-a649-62fa456e85ea\r\n6337785c-1c50-4b4f-befa-9b70b9fd78ad\r\n81f521a0-8db3-42cc-a3ff-9756474c7d14\r\na04f33b3-efee-4d74-93ce-59b157381c0b\r\na972fde8-6e7a-41bb-9c63-d3cc6c0603fe\r\nab6df806-cd0e-462d-af11-3c51bccc6ba3\r\nb8d51b1a-f464-4ab4-ac0d-9d8dc190cb9e\r\nf6b5e94d-f5d8-4f4e-9a68-4c06aa2e4cba\r\nRedirect URL Domains:\r\nx030720[.]xyz\r\ne10220[.]com\r\nxs1920[.]xyz\r\ni10720[.]xyz\r\ne1920[.]xyz\r\nis15720[.]xyz\r\ne29120[.]com\r\nrr020920[.]xyz\r\ne180320[.]xyz\r\ne18220[.]com\r\ni5320[.]xyz\r\nr25820[.]xyz\r\nex171019[.]com\r\n16720s[.]xyz\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks"
	],
	"report_names": [
		"ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks"
	],
	"threat_actors": [
		{
			"id": "6b88f18e-81b7-46b6-a20d-79e03220447d",
			"created_at": "2024-02-06T02:00:04.101887Z",
			"updated_at": "2026-04-10T02:00:03.569979Z",
			"deleted_at": null,
			"main_name": "TA2552",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2552",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75febd40-3628-491d-be18-366270cb33b1",
			"created_at": "2022-10-25T16:07:24.267099Z",
			"updated_at": "2026-04-10T02:00:04.916264Z",
			"deleted_at": null,
			"main_name": "TA2552",
			"aliases": [],
			"source_name": "ETDA:TA2552",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe2dcfd74c8c6df14af21f4f5c224084b0fc101e.pdf",
		"text": "https://archive.orkl.eu/fe2dcfd74c8c6df14af21f4f5c224084b0fc101e.txt",
		"img": "https://archive.orkl.eu/fe2dcfd74c8c6df14af21f4f5c224084b0fc101e.jpg"
	}
}