The cybersecurity company Proofpoint has detected a sharp increase in Microsoft 365 account takeovers driven by attackers abusing OAuth authorizations, specifically Microsoft's legitimate device code login flow.
These campaigns begin with an initial message containing a URL embedded in a button, in hyperlinked text, or in a QR code. When the user opens the URL, an attack sequence starts that leverages Microsoft's legitimate device authorization process. The user receives a device code, either displayed directly on the landing page or delivered in a second email sent by the attacker. The lure presents the code as a one-time password (OTP) and directs the user to enter it at the Microsoft verification URL. Once that is done, the token the attacker originally requested is validated, granting the attacker access to the target M365 account.
Device code phishing opens the door to data theft, lateral movement within the network, and persistent compromise. Proofpoint had previously observed the technique only in targeted malicious activity and in limited red teaming, that is, controlled exercises used to test an organization's security. Although the technique is not entirely new, researchers have found it striking to see it adopted by multiple groups, including TA2723, the Russian state-aligned group UNK_AcademicFlare and others.
According to Proofpoint researchers, there are tools that facilitate the spread of these attacks, such as the SquarePhish2 and Graphish kits, as well as malicious applications sold on hacking forums that automate and scale device code phishing, lowering the technical barrier for attackers.
The most effective mitigation is to block the device code flow entirely. Where that is not feasible, an allow-list approach may be adopted, limited to specific and justified use cases and requiring that logins come from compliant or pre-registered devices. All of this must be complemented by strengthening user awareness and training against this type of non-traditional phishing attack.
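The allow-list policy described above can also be checked retrospectively against sign-in logs. The following is an added example, not code from the article or from Proofpoint: it parses constructed Entra ID sign-in records in JSON-lines form and flags every sign-in that completed via the device code flow unless the application is allow-listed and the device is compliant. The field names (authenticationProtocol, appId, deviceDetail.isCompliant, userPrincipalName, ipAddress, createdDateTime) follow the Entra sign-in log schema as an assumption, and the application IDs are placeholders.

```python
import json

# Constructed sample sign-in records (not real data). The field names are an
# assumption modelled on the Microsoft Entra sign-in log schema; the app IDs
# are placeholders, not real application identifiers.
SAMPLE_SIGNIN_LOGS = "\n".join([
    json.dumps({"createdDateTime": "2025-03-01T09:12:44Z",
                "userPrincipalName": "alice@example.com",
                "appId": "APP-ID-PLACEHOLDER-A", "authenticationProtocol": "oAuth2",
                "ipAddress": "203.0.113.10", "deviceDetail": {"isCompliant": True}}),
    json.dumps({"createdDateTime": "2025-03-01T09:15:02Z",
                "userPrincipalName": "bob@example.com",
                "appId": "APP-ID-PLACEHOLDER-A", "authenticationProtocol": "deviceCode",
                "ipAddress": "198.51.100.7", "deviceDetail": {"isCompliant": False}}),
    json.dumps({"createdDateTime": "2025-03-01T09:20:31Z",
                "userPrincipalName": "carol@example.com",
                "appId": "APP-ID-PLACEHOLDER-B", "authenticationProtocol": "deviceCode",
                "ipAddress": "203.0.113.22", "deviceDetail": {"isCompliant": True}}),
    json.dumps({"createdDateTime": "2025-03-01T09:41:09Z",
                "userPrincipalName": "dave@example.com",
                "appId": "APP-ID-PLACEHOLDER-B", "authenticationProtocol": "deviceCode",
                "ipAddress": "192.0.2.55", "deviceDetail": {}}),
])


def parse_signin_logs(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(entries, allowed_app_ids=frozenset()):
    """Return one finding per sign-in that completed via the device code flow,
    except for allow-listed apps used from a compliant device.

    This mirrors the recommended policy: device code flow is blocked by
    default; an explicitly justified app is tolerated only from a compliant
    or pre-registered device.
    """
    findings = []
    for entry in entries:
        if entry.get("authenticationProtocol") != "deviceCode":
            continue
        app_id = entry.get("appId")
        # A missing deviceDetail block is treated as non-compliant (fail closed).
        compliant = bool(entry.get("deviceDetail", {}).get("isCompliant", False))
        if app_id in allowed_app_ids and compliant:
            continue
        if app_id not in allowed_app_ids:
            reason = "device code flow used by non-allow-listed app"
        else:
            reason = "allow-listed app but device not compliant"
        findings.append({
            "time": entry.get("createdDateTime"),
            "user": entry.get("userPrincipalName"),
            "app_id": app_id,
            "ip": entry.get("ipAddress"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    records = parse_signin_logs(SAMPLE_SIGNIN_LOGS)
    for finding in flag_device_code_signins(
            records, allowed_app_ids=frozenset({"APP-ID-PLACEHOLDER-B"})):
        print(f"{finding['time']} {finding['user']} {finding['ip']} "
              f"app={finding['app_id']}: {finding['reason']}")
```

Run with an empty allow-list to see what a full block would have caught; in the sample, only Carol's sign-in (allow-listed app, compliant device) survives the stricter policy. In production the same logic would be fed from exported sign-in logs rather than the inline sample.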
«This trend marks an important evolution in phishing, which shifts attacks from password theft to the abuse of trusted authentication flows while making users believe that they are protecting their accounts», the Proofpoint researchers observe. «We recommend that organizations reinforce controls over OAuth, as well as user awareness and training against these emerging risks. This aspect is especially relevant in a context in which phishing-resistant multi-factor authentication mechanisms, such as those based on the FIDO standard, are increasingly being adopted, since the abuse of OAuth authentication flows is expected to continue to increase as these technologies become more widespread».
