An APT known as TA2552 has been spotted using OAuth2 or other token-based authorization methods to access Office 365 accounts in order to steal users' contacts and mail. Attackers use well-crafted lures asking users to click a link that takes them to the legitimate Microsoft third-party apps consent page. The domains that catch the OAuth tokens are often registered via Namecheap and hosted on Cloudflare. If consent is granted, the user is asked to grant read-only access to a (malicious) application masquerading as a real organization's app.
Source: https://threatpost.com/oauth-phishing-microsoft-o365-attacks/159713/
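
A defender-side triage check for links like those described above, added here as an example and not taken from the Threatpost article: it confirms that a reported link is a Microsoft OAuth authorization request, then flags a redirect_uri host outside the organization's allowlist and read scopes covering contacts and mail. The allowlist, the sample URL and the function name are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the article): allowlist entries and the sample URL are constructed.
MS_LOGIN_HOSTS = {"login.microsoftonline.com"}
DATA_SCOPES = {"contacts.read", "mail.read"}    # Graph read-only scopes for contacts and mail
TRUSTED_REDIRECT_HOSTS = {"apps.example.com"}   # hypothetical organization allowlist

# Constructed sample: a real Microsoft consent URL whose redirect lands on an unknown domain.
SAMPLE = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcollector.example.net%2Fcb"
    "&scope=User.Read%20Contacts.Read%20Mail.Read"
)


def triage_consent_link(url, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    """Return a list of findings for a link reported from a suspicious e-mail."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in MS_LOGIN_HOSTS or "/oauth2/" not in parts.path.lower():
        return []  # not a Microsoft OAuth authorization request
    query = parse_qs(parts.query)  # percent-decodes parameter values
    findings = []

    # The authorization code or token is delivered to redirect_uri, so its host
    # is the one that matters, not the legitimate host the user sees first.
    redirect = query.get("redirect_uri", [""])[0]
    redirect_host = (urlsplit(redirect).hostname or "").lower()
    if redirect_host not in trusted_hosts:
        findings.append(
            "redirect_uri host not allowlisted: " + (redirect_host or "<missing>")
        )

    # scope is space-delimited; Graph scopes may also be written as full URIs.
    requested = {
        s.rsplit("/", 1)[-1].lower() for s in query.get("scope", [""])[0].split()
    }
    hits = sorted(requested & DATA_SCOPES)
    if hits:
        findings.append("requests mailbox data scopes: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in triage_consent_link(SAMPLE):
        print(finding)
```
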

