Attackers Phish OAuth Codes, Take Over Microsoft 365 Accounts
A recent surge in phishing attacks has seen attackers successfully take over Microsoft 365 (M365) accounts by exploiting OAuth codes, leaving many organizations on high alert. Suspected Russian threat actors are behind the campaign, which uses a combination of social engineering and phishing tactics to gain access to victims' M365 accounts.
The primary tactic observed involves the attacker asking the victim to supply a Microsoft authorization code, which grants the attacker access to the victim's Entra ID (previously Azure AD) account and lets them download emails and other account-related data. According to Volexity researchers, these attacks rely heavily on one-on-one interaction with the target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code.
The attackers have been impersonating officials from various European nations and Ukraine, reaching out to victims through messaging apps like Signal or WhatsApp. They would invite the victim to join a video call about the war in Ukraine, claiming it's an important matter that requires their attention. Once the victim replies, the attacker sends a link that leads to a real Microsoft login page.
The link appears to be legitimate, and when the victim logs in with their M365 account credentials, Microsoft provides them with an OAuth code or a specific URL. The attacker then asks the victim to send them this code or URL. If the victim shares it, the attacker can use it to log into the victim's Microsoft 365 account and access their emails and files.
The researchers observed several variations of the attack, but social engineering played a crucial role in all of them. Targets had to be tricked into logging in, sending codes back to the attackers, and in one campaign, approving a two-factor authentication request after the attacker registers their device to the victim's Microsoft Entra ID tenant.
The campaigns were spotted in March 2025 and targeted human rights non-governmental organizations and organizations providing humanitarian aid. Volexity could not tie these campaigns to specific government-sponsored hacking groups, but they suspect that there are overlaps between these threat actors and those who conducted Device Code Authentication phishing campaigns earlier this year.
“Similar to the Device Code Authentication phishing campaigns … , these recent campaigns benefit from all user interactions taking place on Microsoft’s official infrastructure; there is no attacker-hosted infrastructure used in these attacks,” they noted. “Similarly, these attacks do not involve malicious or attacker-controlled OAuth applications for which the user must explicitly grant access (and thus could easily be blocked by organizations). The use of Microsoft first-party applications that already have consent granted has proven to make prevention and detection of this technique rather difficult.”
How to Prevent and Detect These Attacks
Volexity has provided helpful advice for preventing and detecting these attacks. However, staff- and cash-strapped organizations might have trouble implementing these measures.
To protect yourself from these types of attacks, ensure you are using strong passwords and enabling two-factor authentication on your M365 account. Regularly review the emails sent to you by Microsoft and be cautious of any requests for OAuth codes or URLs that appear suspicious. Keep your software up-to-date, especially Microsoft Office and Visual Studio Code, as these applications have been targeted in recent phishing campaigns.
By being aware of these tactics and taking steps to prevent them, you can significantly reduce the risk of falling victim to an OAuth code phishing attack.
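Because every step of the attack runs on Microsoft's own infrastructure, the most useful signal a defender has is timing: the victim signs in, and minutes later the same account is used from a different IP through the same already-consented first-party app, or a freshly registered device is followed by an MFA approval from elsewhere. The following is an added example (not Volexity's or Microsoft's detection logic) that hunts for both patterns over a constructed, simplified sign-in log; the field names and app label are assumptions for this illustration, not the real Entra ID schema.

```python
"""Hunt for the two event pairings described above in simplified sign-in events."""
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines). Field names are assumptions for this
# example and do not mirror Microsoft's actual sign-in log schema.
SAMPLE_LOG = """
{"time":"2025-03-12T09:00:00Z","user":"analyst@example.org","event":"sign_in","app":"first-party-app","ip":"198.51.100.7"}
{"time":"2025-03-12T09:04:30Z","user":"analyst@example.org","event":"sign_in","app":"first-party-app","ip":"203.0.113.40"}
{"time":"2025-03-12T10:00:00Z","user":"bob@example.org","event":"sign_in","app":"first-party-app","ip":"198.51.100.8"}
{"time":"2025-03-12T10:30:00Z","user":"bob@example.org","event":"sign_in","app":"first-party-app","ip":"198.51.100.8"}
{"time":"2025-03-12T11:00:00Z","user":"carol@example.org","event":"device_registered","ip":"203.0.113.41"}
{"time":"2025-03-12T11:02:00Z","user":"carol@example.org","event":"mfa_approved","ip":"198.51.100.9"}
"""


def parse(log_text):
    """Parse JSON lines into dicts with a timezone-aware 'ts', sorted by time."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text, window_minutes=15):
    """Return (user, rule, time) for each suspicious pairing inside the window."""
    window = timedelta(minutes=window_minutes)
    findings = []
    events = parse(log_text)
    for i, first in enumerate(events):
        for second in events[i + 1:]:
            if second["ts"] - first["ts"] > window:
                break  # sorted input: nothing later can still be inside the window
            if second["user"] != first["user"]:
                continue
            # Rule 1: two sign-ins by one account through the same app from
            # different IPs minutes apart, the shape of a phished code being redeemed.
            if (first["event"] == second["event"] == "sign_in"
                    and first["app"] == second["app"] and first["ip"] != second["ip"]):
                findings.append((first["user"], "code redeemed from second IP", second["time"]))
            # Rule 2: a device registered to the tenant, then an MFA approval from
            # a different IP shortly afterwards (the victim approving the attacker's device).
            if (first["event"] == "device_registered" and second["event"] == "mfa_approved"
                    and first["ip"] != second["ip"]):
                findings.append((first["user"], "new device then MFA approval", second["time"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Both rules only pair events for the same account, so the constructed log yields one hit per rule; the timing window is the knob to tune against your own tenant's noise.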