Microsoft 365 accounts targeted in wave of OAuth phishing attacks

Multiple threat actors are exploiting OAuth device code authentication to compromise Microsoft 365 accounts through sophisticated phishing attacks. These campaigns involve tricking users into authorizing malicious applications without stealing passwords or bypassing MFA, with attacks increasing since September. #TA2723 #Graphish

Key points

  • Threat actors use OAuth device code phishing to gain unauthorized access to Microsoft 365 accounts.
  • Attackers trick victims into entering device codes on legitimate Microsoft login pages to authorize malicious apps.
  • Tools like SquarePhish and Graphish simplify the phishing process and support various attack methods.
  • High-volume campaigns target organizations with localized branding and convincing lures, including government sectors.
  • Organizations are advised to implement Conditional Access policies to block these types of attacks.
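
The two defender-side controls implied by the key points above, as an added example that is not from the article or from Microsoft: a check that surfaces device-code sign-ins in Entra ID sign-in log entries (the `authenticationProtocol` field takes the value `deviceCode` for this flow), and the body of a Conditional Access policy that blocks the device code flow via the `authenticationFlows` condition. The log entries, app names and the break-glass account ID are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample Entra ID sign-in log entries (not real data); only the
# fields the check reads are included. A sign-in completed through the OAuth
# device authorization flow carries authenticationProtocol == "deviceCode".
SAMPLE_SIGNIN_LOGS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Constructed Mail App",
     "appId": "APP-ID-PLACEHOLDER-1", "authenticationProtocol": "oAuth2",
     "createdDateTime": "2025-01-10T08:01:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Constructed CLI App",
     "appId": "APP-ID-PLACEHOLDER-2", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2025-01-10T08:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Constructed CLI App",
     "appId": "APP-ID-PLACEHOLDER-2", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2025-01-10T09:12:00Z", "status": {"errorCode": 50126}},  # failed
]

def device_code_signins(logs, successful_only=True):
    """Return device-code-flow sign-ins grouped by user; failed attempts are
    dropped unless successful_only=False (errorCode 0 means success)."""
    hits = defaultdict(list)
    for entry in logs:
        if entry.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and entry.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits[entry["userPrincipalName"]].append(
            {"app": entry["appDisplayName"], "appId": entry["appId"],
             "time": entry["createdDateTime"]})
    return dict(hits)

def block_device_code_policy(policy_name="Block device code flow"):
    """Conditional Access policy body (Microsoft Graph conditionalAccessPolicy
    schema) that blocks the device code flow for all users and all apps.
    Starts in report-only mode; the excluded break-glass account is a placeholder."""
    return {
        "displayName": policy_name,
        "state": "enabledForReportingButNotEnforced",  # set to "enabled" once reviewed
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["BREAK-GLASS-ACCOUNT-ID-PLACEHOLDER"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    for user, events in device_code_signins(SAMPLE_SIGNIN_LOGS).items():
        for ev in events:
            print(f"device-code sign-in: {user} -> {ev['app']} at {ev['time']}")
    print(json.dumps(block_device_code_policy(), indent=2))
```

Review every flagged sign-in against the user's expected tooling before enforcing the policy, since legitimate CLI logins on headless hosts also use the device code flow.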

Read More: https://www.bleepingcomputer.com/news/security/microsoft-365-accounts-targeted-in-wave-of-oauth-phishing-attacks/