Microsoft 365 Users Hit by Sneaky Device Code Phishing

Summary
– Attackers are using device code authorization phishing to trick Microsoft 365 users into granting access tokens, bypassing multi-factor authentication.
– The campaigns start with phishing emails containing lures like salary notifications, directing users to enter a code on a legitimate Microsoft page via a fake, branded website.
– Threat actors use tools like Squarephish and Graphish to automate these attacks, making them easier to execute and more scalable.
– Organizations can mitigate these attacks by using Conditional Access policies to block or restrict the device code authentication flow.
– Proofpoint warns that the abuse of OAuth authentication flows is a growing trend and will likely increase as more organizations adopt advanced MFA.
A sophisticated phishing campaign is targeting Microsoft 365 users by exploiting a legitimate authentication feature, allowing attackers to bypass multi-factor security measures. Security researchers have identified a sharp rise in attacks using the device code authorization grant flow, a method that tricks users into handing over account access. This represents a significant evolution in cyber threats, moving beyond simple credential theft to directly subverting modern authentication protocols.
Both state-aligned and financially motivated groups are launching these campaigns. They typically begin with a deceptive email, often sent from compromised or spoofed addresses. The lures are designed to prompt immediate action, urging the target to click a link or scan a QR code. Recent examples have used enticing subjects like salary notifications or seemingly harmless conversation starters from compromised government accounts.
The critical step occurs when the victim is directed to a fraudulent website, cleverly branded to look like their own company’s portal. There, they receive instructions to obtain a one-time code and enter it on the legitimate Microsoft device login page. Unaware users who comply inadvertently grant the attacker an access token for their Microsoft 365 account, providing full control without their password.
Attackers are leveraging readily available red team tools to scale these operations. Tools like Squarephish and its successor help manage the short lifespan of device codes, enabling larger, more sustained campaigns. Another kit, known as Graphish, is being shared freely in hacking forums. It allows even low-skilled threat actors to create convincing phishing pages by abusing Azure App Registrations and setting up reverse proxies for adversary-in-the-middle attacks. This tool includes guidance on bypassing organizational restrictions by verifying the malicious application within Azure, significantly increasing its success rate against enterprise accounts.
For protection, user awareness is crucial, but technical controls provide a stronger defense. The most effective mitigation is to implement a Conditional Access policy that blocks the device code flow for all users. Administrators can first test this policy in report-only mode to assess its impact on their environment. If a complete block is not feasible, organizations can adopt an allow-list approach, permitting device code authentication only for specific, approved users, operating systems, or trusted IP ranges.
Additionally, companies using device management solutions like Intune can enforce policies that require Microsoft 365 sign-ins to originate only from compliant or registered devices. As organizations increasingly adopt advanced MFA controls like FIDO security keys, experts anticipate that the abuse of these OAuth authentication flows will continue to grow, making proactive defense configuration more important than ever.
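As an added example (not code from the article, HelpNet Security, or Proofpoint), the following Python helper builds the Conditional Access policy body described above in the Microsoft Graph conditionalAccessPolicy schema, starting in report-only mode and supporting the allow-list exclusions (users, platforms, trusted locations), and audits an exported policy to confirm it actually enforces the block. The Graph field names (conditions.authenticationFlows.transferMethods, state values) reflect the published schema as understood here, and the user IDs are constructed placeholders.

```python
"""Build and audit an Entra ID Conditional Access policy that blocks the OAuth
device code flow.  The dict returned by build_device_code_block_policy() is the
JSON body you would POST to /identity/conditionalAccess/policies (assumed
Graph schema); enforces_device_code_block() audits a policy exported from the
same endpoint."""
import json


def build_device_code_block_policy(report_only=True, excluded_users=(),
                                   excluded_platforms=(),
                                   exempt_trusted_locations=False):
    """Block device code sign-ins for everyone except the listed users and
    platforms (the allow-list approach).  report_only=True yields the
    report-only state used to assess impact before enforcing."""
    policy = {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
            "platforms": {"includePlatforms": ["all"],
                          "excludePlatforms": list(excluded_platforms)},
            # transferMethods is a flags enum serialised as a comma-separated string
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if exempt_trusted_locations:  # trusted IP ranges defined as named locations
        policy["conditions"]["locations"] = {"includeLocations": ["All"],
                                             "excludeLocations": ["AllTrusted"]}
    return policy


def enforces_device_code_block(policy):
    """True only if the policy is enforced (not report-only or disabled),
    targets the device code flow, and its grant control is 'block'."""
    cond = policy.get("conditions", {})
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    targets_flow = "deviceCodeFlow" in [m.strip() for m in methods.split(",")]
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return policy.get("state") == "enabled" and targets_flow and blocks


if __name__ == "__main__":
    # Constructed placeholder object ID for a user who legitimately needs the flow.
    body = build_device_code_block_policy(report_only=False,
                                          excluded_users=["00000000-0000-0000-0000-000000000001"],
                                          exempt_trusted_locations=True)
    print(json.dumps(body, indent=2), enforces_device_code_block(body))
```

Run the audit function over every policy returned by a GET on the policies collection to spot a block that was left in report-only mode.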
(Source: HelpNet Security)