**Microsoft 365 Users Targeted in Device Code Phishing Attacks**
Threat Actors Exploit OAuth 2.0 Vulnerability to Gain Control of Enterprise Accounts
In a worrying trend, attackers are targeting Microsoft 365 users with device code authorization phishing, a technique that abuses Microsoft's OAuth 2.0 device code authentication flow. The method tricks users into entering an attacker-supplied device code on a sign-in page; that entry approves the attacker's access request and, without the user realizing it, hands the attacker control of the enterprise account.
According to Proofpoint, the cybersecurity firm tracking this trend, the campaigns are run by both state-aligned and financially motivated threat actors. The attacks typically begin with an email sent from an attacker-controlled or compromised address, usually containing a link or QR code that the recipient is prompted to follow.
**The Lure: Salary-Themed Notifications and Benign Conversation Starters**
In two separate campaigns spotted by Proofpoint, attackers used salary-themed notifications as the initial lure. In another campaign, the initial message was a benign "conversation starter" email sent from a compromised Zambian government email address to an individual working for a US university.
**The Attack: Entering Device Codes and Granting Access**
Once users click the link or scan the QR code, they are directed to an attacker-controlled website that mimics the legitimate Microsoft device authorization page (https://microsoft.com/devicelogin). The instructions are simple: request a one-time code, or copy the one the attackers provide, and enter it into the fake authorization page. Users unfamiliar with this authentication flow do not realize that, by doing so, they have authorized the attackers to access and take control of their M365 account.
**Attackers' Tools: Squarephish, Graphish, and Azure App Registrations**
Proofpoint's threat researchers have identified that attackers are using red team tools such as Squarephish and SquarephishV2 to mitigate the short-lived nature of device codes. These tools enable larger campaigns than were previously possible. Attackers are also utilizing Graphish, a phishing kit being shared for free in hacking forums, which allows them to create convincing phishing pages by leveraging Azure App Registrations and reverse proxy setups.
**Protection Against Device Code Phishing Attacks**
Employees can be taught to recognize these types of attacks, but companies can also implement various defenses. Proofpoint advises creating Conditional Access policies using the Authentication Flows condition to block device code flow for all users. If blocking device code flow completely is not feasible, Conditional Access can be used to create an allow-list approach based on accepted use cases.
Additionally, organizations that use device registration or Intune can set up Conditional Access policies requiring Microsoft 365 sign-ins to originate from a compliant or registered device.
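As an added illustration (not Proofpoint's or Microsoft's own code), the following builds the Conditional Access policy described above in the shape of the Microsoft Graph conditionalAccessPolicy resource, using the Authentication Flows condition to block device code flow, and audits a tenant's policy list for such a policy. The sample policies, group IDs and helper names are constructed here; posting the body to Graph requires a token with Policy.ReadWrite.ConditionalAccess, which is not shown.

```python
"""Build and audit an Entra Conditional Access policy that blocks the
OAuth 2.0 device code flow via the Authentication Flows condition.
Policy bodies follow the Microsoft Graph conditionalAccessPolicy resource
(POST /identity/conditionalAccess/policies). Sample data is constructed."""


def build_block_device_code_policy(name="Block device code flow",
                                   state="enabledForReportingButNotEnforced",
                                   exclude_groups=()):
    """Return a Graph policy body that blocks device code flow for all users.
    Start in report-only mode, review sign-in logs for legitimate device code
    users, then switch state to 'enabled'. exclude_groups holds object IDs of
    groups with an accepted use case (the allow-list approach)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # transferMethods is a comma-separated flag string in Graph
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def device_code_flow_blocked(policies):
    """Audit policy objects as returned by GET /identity/conditionalAccess/policies.
    Returns the display name of the first enforced policy that blocks device
    code flow for all users and all apps, or None if no such policy exists."""
    for p in policies:
        if p.get("state") != "enabled":
            continue  # report-only or disabled policies block nothing
        cond = p.get("conditions") or {}
        flows = (cond.get("authenticationFlows") or {}).get("transferMethods", "")
        if "deviceCodeFlow" not in [m.strip() for m in flows.split(",")]:
            continue
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        grant = p.get("grantControls") or {}
        if ("All" in users.get("includeUsers", [])
                and "All" in apps.get("includeApplications", [])
                and "block" in grant.get("builtInControls", [])):
            return p.get("displayName")
    return None
```

A policy left in report-only mode, or scoped to a subset of users, is reported as not blocking, which is the state the audit is meant to catch.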
**Conclusion: OAuth Authentication Flows Under Attack**
Proofpoint assesses that abuse of OAuth authentication flows will continue to grow as FIDO-compliant MFA controls are adopted. As threat actors become more sophisticated in exploiting these weaknesses, it is essential for companies and individuals to stay vigilant and take proactive measures to protect themselves against device code phishing attacks.