Oluomo: Microsoft OAuth AiTM Phishing Using a Naturalization-Form Lure
ID: e87642fe-c0dd-563d-bb37-9c47cefeb3ee
STIX ID: report--e87642fe-c0dd-563d-bb37-9c47cefeb3ee
Feed Name: Censys Blog
Since November 2025, Censys has tracked an AiTM phishing cluster called OLUOMO that uses compromised business websites as first-stage lures (displaying a U.S. naturalization petition image) and Azure Web Apps as second-stage proxies. A service worker registered on the proxy origin intercepts and serializes Microsoft OAuth traffic, exfiltrating credentials and tokens to attacker-controlled endpoints (credential routing via portal.microsoftonline.com.orgid.com). The report details kit artifacts, domain/IP indicators, timelines, and assessments of targeting and operational tradecraft.