Multiple threat actors are compromising Microsoft 365 accounts in phishing attacks that leverage the OAuth device code authorization mechanism.
Attackers generate a device code for an application they control and trick victims into entering it on Microsoft's legitimate device login page. The victim signs in and completes MFA in their own browser session, unknowingly authorizing the attacker's application, which then receives tokens for the target account. No credentials are stolen and no multi-factor authentication (MFA) bypass is needed, because the victim performs the authentication themselves.
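To make the flow concrete, here is an offline simulation of the OAuth 2.0 device authorization grant (RFC 8628) as it is abused in device code phishing. This is an added example, not code from the article or from Proofpoint; the in-memory `AuthServer` stands in for the identity provider, the client IDs, user names and token formats are constructed, and the real Microsoft endpoint URLs are listed for reference only and are never contacted.

```python
"""Constructed, offline model of the OAuth 2.0 device code grant (RFC 8628)
as used in device code phishing. Nothing here touches the network."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Real Microsoft endpoints, for reference only: the simulation never contacts them.
DEVICE_AUTH_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
VERIFICATION_URI = "https://microsoft.com/devicelogin"

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # short, human-typable code alphabet


@dataclass
class PendingDevice:
    client_id: str
    scope: str
    device_code: str          # long secret, known only to the client (the attacker)
    user_code: str            # short code the victim is lured into typing
    expires_at: float
    interval: int
    authorized_by: Optional[str] = None   # set once the victim approves
    redeemed: bool = False


class FakeClock:
    """Controllable clock so the 15-minute code lifetime can be tested offline."""
    def __init__(self, t: float = 1_700_000_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class AuthServer:
    """Stand-in for the identity provider's device-code and token endpoints."""
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.by_device_code: Dict[str, PendingDevice] = {}
        self.by_user_code: Dict[str, PendingDevice] = {}

    def device_authorization(self, client_id: str, scope: str, lifetime: int = 900) -> dict:
        """POST /devicecode: any client can start the flow; no user is involved yet."""
        rec = PendingDevice(
            client_id=client_id, scope=scope,
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9)),
            expires_at=self.clock() + lifetime, interval=5,
        )
        self.by_device_code[rec.device_code] = rec
        self.by_user_code[rec.user_code] = rec
        return {"device_code": rec.device_code, "user_code": rec.user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": lifetime,
                "interval": rec.interval}

    def devicelogin(self, user_code: str, user: str, mfa_passed: bool) -> str:
        """The victim's own browser session at /devicelogin. Password and MFA happen
        here, between victim and identity provider; the attacker never sees them."""
        rec = self.by_user_code.get(user_code)
        if rec is None or self.clock() > rec.expires_at:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        rec.authorized_by = user
        return "authorized"

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self.by_device_code.get(device_code)
        if rec is None or rec.client_id != client_id or rec.redeemed:
            return {"error": "invalid_grant"}
        if self.clock() > rec.expires_at:
            return {"error": "expired_token"}
        if rec.authorized_by is None:
            return {"error": "authorization_pending"}   # client keeps polling
        rec.redeemed = True
        tag = secrets.token_hex(8)
        return {"token_type": "Bearer", "scope": rec.scope, "expires_in": 3600,
                "access_token": f"at.{rec.authorized_by}.{tag}",     # constructed format
                "refresh_token": f"rt.{rec.authorized_by}.{tag}"}


def run_phish(server: AuthServer, clock: FakeClock, victim: str = "victim@example.com",
              victim_completes_mfa: bool = True, victim_delay: float = 0.0) -> dict:
    """The attacker's side of the flow, with the victim's action interleaved."""
    # 1. Attacker requests a code for an app they control (hypothetical client id).
    dev = server.device_authorization("attacker-app-id", "openid offline_access Mail.Read")
    # 2. Attacker sends dev["user_code"] to the victim inside the lure (e.g. as a fake OTP).
    # 3. Attacker polls the token endpoint; nothing is issued until the victim acts.
    first_poll = server.token("attacker-app-id", dev["device_code"])
    # 4. Victim types the code on the genuine login page and completes MFA themselves.
    clock.advance(victim_delay)
    outcome = server.devicelogin(dev["user_code"], victim, victim_completes_mfa)
    # 5. Attacker's next poll returns tokens bound to the victim's identity.
    final = server.token("attacker-app-id", dev["device_code"])
    return {"user_code": dev["user_code"], "first_poll": first_poll,
            "outcome": outcome, "final": final}


if __name__ == "__main__":
    clk = FakeClock()
    print(run_phish(AuthServer(clk), clk))
```

The point to take from the model is step 4: every secret the attacker needs is produced by the identity provider after the victim authenticates legitimately, so credential-theft and MFA-bypass controls never fire. Two things do limit the attack: the user code expires (15 minutes in the model), so the lure has to land and be acted on quickly, and the sign-in is recorded by the identity provider as a device code authentication, which is where detection and Conditional Access policy on the device code flow can be applied.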
Although the method isn’t new, email security firm Proofpoint says that these attacks have increased significantly in volume since September, and involve both financially motivated cybercriminals like TA2723 and state-aligned threat actors.
"Proofpoint Threat Research has observed multiple threat clusters using device code phishing to trick users into granting a threat actor access to their Microsoft 365 account," the security company warned, adding that widespread campaigns using these attack flows are "highly unusual."
Tools and campaigns
The attack chains that Proofpoint observed in the campaigns have slight variations, but they all involve tricking victims into entering a device code on Microsoft’s legitimate device login portals.
In some cases the device code is presented to the victim as a one-time password; in others the lure is a notification that a token needs to be re-authorized.
The researchers observed two phishing kits used in the attacks, namely SquarePhish v1 and v2, and Graphish, which simplify the phishing process.
SquarePhish is a publicly available red teaming tool that targets OAuth device grant authorization flows via QR codes, mimicking legitimate Microsoft MFA/TOTP setups.
Graphish is a malicious phishing kit shared on underground forums, supporting OAuth abuse, Azure App Registrations, and adversary-in-the-middle (AiTM) attacks.