TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Censys

Oluomo: Microsoft OAuth AiTM Phishing Using a Naturalization-Form Lure

Kate Lake · 2026-04-22

ATT&CK techniques detected

21 predictions
T1566.002 Spearphishing Link (97%)
“…h1.jpeg https://i.imgur[.]com/raputz4.jpeg Kit artifacts Service worker: /service_worker_mz8xo2ny1pg5.js URL parameter: redirect_uri (capital I) localStorage key: useridentity Page title: secure document access | identity verification Footer text: ent…”

T1566.002 Spearphishing Link (94%)
“create contextual alignment with recipients who would recognize and trust a naturalization document as something worth accessing through a secure portal. Kit architecture: the phishing flow is structured as a two-stage pipeline, with each stage hosted on separate infrastructure…”

T1566.002 Spearphishing Link (93%)
“Oluomo: Microsoft OAuth AiTM phishing using a naturalization-form lure. Executive summary: since late November 2025, Censys has tracked a long-running adversary-in-the-middle (AiTM) phishing cluster (dubbed Oluomo) that uses a variety of fake secure document portals…”

T1528 Steal Application Access Token (91%)
“Microsoft’s real login.microsoftonline[.]com OAuth authorization flow, using the common tenant (multi-tenant, meaning any Microsoft account is a valid target). The OAuth flow is configured with an application display name of “orgid migrated apps” and a callback parame…”

T1566.002 Spearphishing Link (91%)
“-stage AiTM proxies resolve to Azure Web App backends in Australia. Credential routing passes through a lookalike domain, orgid[.]com, designed to impersonate portal.microsoftonline[.]com. Without email telemetry, the likely initial delivery vector, we cannot definitively…”

T1525 Implant Internal Image (88%)
“.]au view.alvincurren[.]com Azure Web App hostnames aunz261.azurewebsites[.]net usanov98904.azurewebsites[ ]net nznov28.azurewebsites[.]net Credential routing orgid[.]com portal.microsoftonline.com.orgid[.]com IPs (infrastructure) 13.77.50[.]113 7…”

T1566.002 Spearphishing Link (78%)
“the interaction registers as adversarial. The cluster examined in this report extends that principle in a direction that is worth examining closely. Rather than impersonating a single service, the operator has constructed a trust chain that leverages legitimate infrastructure at…”

T1566.002 Spearphishing Link (69%)
“process, or a broader audience for whom a government document creates urgency, the lure narrows the interpretive space. The operator wanted their targets to see an official U.S. immigration document and feel that accessing it through a “secure portal” was reasonable. Without t…”

T1528 Steal Application Access Token (67%)
“deployment contains a hardcoded redirect_url pointing to a specific second-stage domain. Observed mappings include: Stage 2: the AiTM proxy (Azure Web Apps). The second-stage infrastructure is where the actual credential theft occurs. These domains resolve via CNAME to a…”

T1557.001 Name Resolution Poisoning and SMB Relay (59%)
“the interaction registers as adversarial. The cluster examined in this report extends that principle in a direction that is worth examining closely. Rather than impersonating a single service, the operator has constructed a trust chain that leverages legitimate infrastructure at…”

T1528 Steal Application Access Token (56%)
“Oluomo: Microsoft OAuth AiTM phishing using a naturalization-form lure. Executive summary: since late November 2025, Censys has tracked a long-running adversary-in-the-middle (AiTM) phishing cluster (dubbed Oluomo) that uses a variety of fake secure document portals…”

T1566.002 Spearphishing Link (54%)
“otherwise genuine Microsoft markup: an injected <script src=/@></script> tag in the <head> element. The /@ path is a same-origin relative URL. Because the browser remains on the second-stage origin while the Azure app proxies Microsoft content, the service worker…”

T1566.002 Spearphishing Link (52%)
“signatures visible. It reads as a preview of an authentic government record. Provenance: the image has a single known source on the public internet: a 2015 genealogy blog post published on a Blogspot site. The blogger posted the scanned petition as part of a family history resear…”

T1557.001 Name Resolution Poisoning and SMB Relay (50%)
“…gbidybo). The server receives these requests, forwards them to Microsoft, and returns the proxied response. Credentials and session tokens that pass through this channel are logged server-side before the victim is redirected to a decoy PDF (https://hfs[.]jhu/pdfs/…”

T1528 Steal Application Access Token (49%)
“the interaction registers as adversarial. The cluster examined in this report extends that principle in a direction that is worth examining closely. Rather than impersonating a single service, the operator has constructed a trust chain that leverages legitimate infrastructure at…”

T1111 Multi-Factor Authentication Interception (44%)
“the interaction registers as adversarial. The cluster examined in this report extends that principle in a direction that is worth examining closely. Rather than impersonating a single service, the operator has constructed a trust chain that leverages legitimate infrastructure at…”

T1584.001 Domains (36%)
“set to 999 unique web properties, though many of these represent noisy overlaps with unrelated sites sharing common frontend patterns. From the expanded set, a validated subset of 88 true-positive web properties across 11 parent domains was confirmed through perceptual hash clu…”

T1557.001 Name Resolution Poisoning and SMB Relay (35%)
“otherwise genuine Microsoft markup: an injected <script src=/@></script> tag in the <head> element. The /@ path is a same-origin relative URL. Because the browser remains on the second-stage origin while the Azure app proxies Microsoft content, the service worker…”

T1557 Adversary-in-the-Middle (33%)
“otherwise genuine Microsoft markup: an injected <script src=/@></script> tag in the <head> element. The /@ path is a same-origin relative URL. Because the browser remains on the second-stage origin while the Azure app proxies Microsoft content, the service worker…”

T1598.002 Spearphishing Attachment (32%)
“lure filenames. This report documents the kit’s construction, its infrastructure, and its lure, and examines what that lure tells us about the operator’s intent. The lure: a stolen document and a familiar interface. The first-stage page presents itself as a document access…”

T1111 Multi-Factor Authentication Interception (30%)
“Oluomo: Microsoft OAuth AiTM phishing using a naturalization-form lure. Executive summary: since late November 2025, Censys has tracked a long-running adversary-in-the-middle (AiTM) phishing cluster (dubbed Oluomo) that uses a variety of fake secure document portals…”

Summary

Executive Summary Introduction Credential phishing has long relied on the principle that familiarity lowers suspicion. A page that looks like a login form, delivered at the right moment with the right pretext, can convert a target into a victim before the interaction registers as adversarial. The cluster examined in this report extends that principle in […]

The post Oluomo: Microsoft OAuth AiTM Phishing Using a Naturalization-Form Lure appeared first on Censys.