A sophisticated phishing campaign is targeting Microsoft 365 users in North America, exploiting OAuth tokens to secure prolonged access to corporate systems. This threat specifically targets business users, focusing on services like Outlook, Teams, and OneDrive without the need to steal passwords directly.
Innovative Phishing Techniques
Unlike traditional methods that use fake login forms, this campaign manipulates victims into completing genuine sign-ins on Microsoft’s device login portal. This approach makes detection challenging for both users and standard security measures.
Successfully compromised accounts allow attackers to manage emails and files discreetly, posing significant risks to sensitive information and communications within organizations.
Campaign Discovery and Tactics
Researchers from KnowBe4 Threat Labs uncovered this campaign in late 2025. The attackers cleverly merge realistic phishing emails with the OAuth 2.0 Device Authorization Grant flow. This technique allows them to bypass robust security measures like strong passwords and Multi-Factor Authentication.
Social engineering plays a pivotal role, with phishing emails crafted around themes such as payment confirmations and voicemail notifications, enticing professionals to react swiftly.
Understanding the Attack Mechanics
The attack initiates when a victim enters a device code, supplied by the attacker, on the official Microsoft login page. This action grants the attackers valid OAuth access and refresh tokens linked to the victim’s account, enabling persistent unauthorized access.
This stealthy method avoids detection by standard monitoring systems, as the actions appear legitimate under the victim’s user context, leading to unauthorized data access and potential data breaches.
Mitigation Strategies
Organizations are urged to block known malicious domains and scrutinize email logs for suspicious patterns. It’s crucial to audit recently consented OAuth applications for unusual entries and consider disabling the device code flow or restricting it through Conditional Access policies.
Security teams should also monitor Azure AD sign-in logs for irregular device code activities and geographic inconsistencies. Increasing user awareness about phishing tactics can further help in mitigating these risks.
Stay informed with the latest security updates by following us on Google News, LinkedIn, and X. Set CSN as your preferred source on Google for quick access to cybersecurity news.
