Hackers Exploit OAuth Device Codes for Microsoft 365 Account Breaches; Researchers Warn on Growing Phishing Threat

Hackers Exploit OAuth Device Codes to Breach Microsoft 365 Accounts

Cybercriminals are increasingly targeting Microsoft 365 (M365) accounts through a sophisticated method known as OAuth device code phishing. This technique exploits the OAuth 2.0 device authorization flow—a legitimate feature designed to facilitate authentication on devices with limited input capabilities. By manipulating this process, attackers can gain unauthorized access to M365 accounts, leading to potential data breaches and further network infiltration.

Understanding OAuth Device Code Phishing

OAuth 2.0’s device authorization flow is intended to simplify user authentication on devices like smart TVs or printers, which lack traditional input methods. In this flow, the device presents a short code to the user, who then enters it on a separate device (typically a phone or laptop) to grant access. Attackers have co-opted this process: they request a device code for their own client, then send phishing messages that prompt users to enter that code on a legitimate Microsoft login page. Because the code belongs to the attacker’s session, completing the prompt authorizes the attacker’s client and grants them access to the victim’s account.

The Attack Process

1. Phishing Initiation: Victims receive emails that appear to be from trusted sources, often containing URLs embedded in buttons, hyperlinks, or QR codes.

2. Redirection to Malicious Pages: Clicking these links directs users to counterfeit websites that display device codes, masquerading as one-time passwords or security tokens.

3. Exploitation of Legitimate Portals: Users are instructed to visit Microsoft’s genuine device login page (microsoft.com/devicelogin) and input the provided code.

4. Unauthorized Access Granted: Once the victim enters the code and completes sign-in (including any MFA prompt), Microsoft issues the access token to the attacker’s application rather than to a device the victim owns, allowing full control over the victim’s M365 account.

Tools Facilitating the Attacks

Researchers have identified two primary tools enabling these campaigns:

– SquarePhish2: An evolution of a previous phishing framework, SquarePhish2 automates the OAuth device authorization process using QR codes and attacker-controlled servers. It sends victims a fake authentication email followed by a second message containing the device code, simplifying large-scale operations for attackers.

– Graphish Phishing Kit: This tool creates fake login pages through Azure App Registrations and reverse proxy servers, facilitating adversary-in-the-middle attacks that capture both login credentials and session tokens, even when multi-factor authentication is in place.

Notable Threat Actors

The adoption of OAuth device code phishing spans various threat groups:

– TA2723: A financially motivated group known for high-volume credential phishing, TA2723 began utilizing OAuth device code attacks in October 2025, distributing emails with links leading to device code authorization pages.

– UNK_AcademicFlare: A suspected Russia-aligned group conducting sophisticated social engineering campaigns, leveraging this technique to compromise accounts.

Mitigation Strategies

To defend against OAuth device code phishing attacks, organizations and individuals should consider the following measures:

– User Education: Train users to recognize phishing attempts, especially those involving unexpected authentication requests or device codes.

– Enhanced Authentication Protocols: Implement multi-factor authentication methods that are resistant to phishing, such as hardware tokens or biometric verification. Note that device code phishing has the victim sign in on Microsoft’s genuine page, so MFA alone does not block it; pair it with Conditional Access policies that restrict the device code flow to the devices and users that actually need it.

– Monitoring and Response: Establish systems to detect unusual login activities and respond promptly to potential breaches.

– Application Control: Regularly review and manage third-party applications with access to M365 accounts, revoking permissions for any unrecognized or unnecessary apps.

By staying informed about evolving phishing techniques and implementing robust security practices, organizations can better protect their M365 accounts from unauthorized access.