Article Details
Scrape Timestamp (UTC): 2025-12-19 17:27:06.191
Original Article Text
Microsoft 365 accounts targeted in wave of OAuth phishing attacks

Multiple threat actors are compromising Microsoft 365 accounts in phishing attacks that leverage the OAuth device code authorization mechanism. Attackers trick victims into entering a device code on Microsoft’s legitimate device login page, unknowingly authorizing an attacker-controlled application and granting them access to the target account without stealing credentials or bypassing multi-factor authentication (MFA).

Although the method isn’t new, email security firm Proofpoint says that these attacks have increased significantly in volume since September, and involve both financially motivated cybercriminals like TA2723 and state-aligned threat actors.

"Proofpoint Threat Research has observed multiple threat clusters using device code phishing to trick users into granting a threat actor access to their Microsoft 365 account," the security company warned, adding that widespread campaigns using these attack flows are "highly unusual."

Tools and campaigns

The attack chains that Proofpoint observed in the campaigns have slight variations, but they all involve tricking victims into entering a device code on Microsoft’s legitimate device login portals. In some cases, the device code is presented as a one-time password, while in others the lure is a token re-authorization notification.

The researchers observed two phishing kits used in the attacks, namely SquarePhish v1 and v2, and Graphish, which simplify the phishing process. SquarePhish is a publicly available red teaming tool that targets OAuth device grant authorization flows via QR codes, mimicking legitimate Microsoft MFA/TOTP setups. Graphish is a malicious phishing kit shared on underground forums, supporting OAuth abuse, Azure App Registrations, and adversary-in-the-middle (AiTM) attacks.
Regarding the campaigns Proofpoint observed, the researchers highlighted three in the report:

To block these attacks, Proofpoint recommends that organizations use Microsoft Entra Conditional Access where possible and consider introducing a policy on sign-in origin.
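As an added illustration of the sign-in origin policy the article recommends (example code written for this page, not Proofpoint's or Microsoft's), the script below scans constructed sign-in records, whose field names are assumptions, and flags device code sign-ins that originate outside trusted networks or allowed countries, the pattern these campaigns produce when the attacker redeems the code from their own infrastructure.

```python
import ipaddress

# Constructed sample sign-in events, shaped loosely like Entra sign-in log
# records. Field names and values are assumptions, not data from the article.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "protocol": "deviceCode", "ip": "203.0.113.10", "country": "BR"},
    {"user": "bob@example.com", "protocol": "deviceCode", "ip": "10.20.30.40", "country": "US"},
    {"user": "carol@example.com", "protocol": "oAuth2", "ip": "198.51.100.7", "country": "FR"},
    {"user": "dave@example.com", "protocol": "deviceCode", "ip": "198.51.100.7", "country": "DE"},
]

# Sign-in origin policy (assumed values): corporate egress ranges and the
# countries the workforce is expected to sign in from.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_COUNTRIES = {"US", "DE"}


def is_trusted_ip(ip: str) -> bool:
    """True when the source address falls inside a managed network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def flag_device_code_signins(events) -> list[dict]:
    """Return device code sign-ins whose origin violates the policy.

    Sign-ins using other protocols are ignored here; the device code flow is
    the one the phishing kits abuse, and the code is typically redeemed from
    a network the victim never used.
    """
    findings = []
    for ev in events:
        if ev["protocol"] != "deviceCode":
            continue
        reasons = []
        if not is_trusted_ip(ev["ip"]):
            reasons.append("untrusted network")
        if ev["country"] not in ALLOWED_COUNTRIES:
            reasons.append("country not allowed")
        if reasons:
            findings.append({"user": ev["user"], "ip": ev["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"{finding['user']} from {finding['ip']}: {', '.join(finding['reasons'])}")
```

In a real tenant the same check belongs in a Conditional Access policy rather than a script, so the sign-in is blocked rather than merely reported after the fact.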
Daily Brief Summary
A recent wave of OAuth phishing attacks is compromising Microsoft 365 accounts by exploiting the device code authorization mechanism, bypassing traditional credential theft and multi-factor authentication.
Attackers deceive users into entering a device code on Microsoft’s legitimate login page, inadvertently granting access to attacker-controlled applications.
The volume of these attacks has surged since September, involving financially motivated cybercriminals like TA2723 and state-aligned threat actors.
Phishing kits such as SquarePhish and Graphish are employed, simplifying the attack process through QR codes and adversary-in-the-middle tactics.
Proofpoint observed three distinct campaigns using these methods, marking a significant shift in phishing strategies.
Organizations are advised to implement Microsoft Entra Conditional Access and review sign-in origin policies to mitigate these threats.
The attacks demonstrate evolving phishing techniques that exploit legitimate authorization flows, posing a challenge to traditional security measures.