From bleepingcomputer.com
A phishing campaign has been discovered that doesn’t target a recipient’s username and password, but rather uses the novel approach of gaining access to a recipient’s Office 365 account and its data through the Microsoft OAuth API.