New phishing campaign tricks employees into bypassing Microsoft 365 MFA
Unwitting employees register a hacker’s device to their account; the crook then uses the resulting OAuth tokens to maintain persistent access.
Another device code phishing campaign that abuses OAuth device registration to bypass multi-factor authentication login protections has been discovered.
Researchers say the campaign is largely targeting North American businesses and professionals by tricking unwitting employees into clicking a link in an email from a threat actor.
The message purports to be about a corporate electronic funds payment, a document about salary bonuses, a voicemail, or contains some other lure. It also includes a code for ‘Secure Authorization’ that the user is asked to enter when they click on the link, which takes them to a real Microsoft Office 365 login page.
David Shipley, head of Canadian security awareness training provider Beauceron Security, said OAuth device code attacks have been gaining steam since 2024. “It’s the natural evolutionary response to improvements in account security, particularly MFA,” he said.
The easiest defense is to turn off the ability to add extra login devices to Office 365, unless it’s needed, he said.
In addition, employees should also be continuously educated about the risks of unusual login requests, even if they come from a familiar system.
“The value of teaching people about new social engineering techniques like this, and doing phishing simulations based on these kinds of attacks, is it gets people used to reporting them, which will help when real attacks are happening,” he added.
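As an added example (not code from the article, CSO Online or Beauceron Security), the following Python triage script runs over constructed Entra ID sign-in records and flags successful device-code sign-ins, raising the severity when the sign-in came from an IP not already tied to the user and MFA was satisfied, which is exactly what a victim entering the attacker's code produces. The field names are assumed from the Entra sign-in log schema; every record value and the IP allow-list are made up.

```python
import json

# Constructed sample records shaped like Entra ID sign-in log entries.
# Field names are an assumption based on the Graph signIn schema; values are invented.
SAMPLE_SIGNINS_JSON = """
[
 {"createdDateTime": "2025-03-03T14:02:11Z", "userPrincipalName": "alice@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
  "appDisplayName": "Microsoft Office", "authenticationRequirement": "multiFactorAuthentication",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T14:05:40Z", "userPrincipalName": "bob@example.com",
  "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
  "appDisplayName": "Outlook", "authenticationRequirement": "multiFactorAuthentication",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T14:09:02Z", "userPrincipalName": "carol@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
  "appDisplayName": "Microsoft Azure CLI", "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T14:11:30Z", "userPrincipalName": "dave@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.99",
  "appDisplayName": "Microsoft Office", "authenticationRequirement": "multiFactorAuthentication",
  "status": {"errorCode": 50058}}
]
"""

# Constructed allow-list: IPs the SOC already associates with each user (e.g. office egress).
KNOWN_IPS = {"alice@example.com": {"198.51.100.7"}, "carol@example.com": {"198.51.100.7"}}


def find_device_code_signins(records, known_ips):
    """Return one finding per successful device-code sign-in, ordered as seen in the log.

    High severity: MFA was satisfied and the IP is new for the user. That is the
    phishing pattern above: the victim completed MFA for a code the attacker
    generated, so the attacker's client was issued the OAuth tokens.
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary browser/app sign-ins are out of scope here
        if r.get("status", {}).get("errorCode", 1) != 0:
            continue  # failed or interrupted device-code attempt: no tokens issued
        user = r["userPrincipalName"]
        new_ip = r["ipAddress"] not in known_ips.get(user, set())
        mfa = r.get("authenticationRequirement") == "multiFactorAuthentication"
        findings.append({"user": user, "ip": r["ipAddress"], "app": r.get("appDisplayName"),
                         "time": r["createdDateTime"],
                         "severity": "high" if (new_ip and mfa) else "medium"})
    return findings


def run_sample():
    """Apply the detection to the constructed records (used by the demo and the test)."""
    return find_device_code_signins(json.loads(SAMPLE_SIGNINS_JSON), KNOWN_IPS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] device-code sign-in: {f['user']} from {f['ip']} via {f['app']} at {f['time']}")
```

Pointing the script at a real export means replacing the constructed JSON with the tenant's sign-in log records and the allow-list with the IPs actually known for each user; the medium-severity hits are the ones to reconcile against legitimate CLI or device enrolments.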
Read the Full Story at CSO Online