{"id":6297,"date":"2025-12-22T11:23:14","date_gmt":"2025-12-22T11:23:14","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6297"},"modified":"2025-12-22T11:23:14","modified_gmt":"2025-12-22T11:23:14","slug":"hackers-exploit-microsoft-oauth-device-codes-to-hijack-enterprise-accounts","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6297","title":{"rendered":"Hackers exploit Microsoft OAuth device codes to hijack enterprise accounts"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cybercriminals and state-sponsored hackers are increasingly exploiting Microsoft\u2019s legitimate OAuth 2.0 device authorization process to hijack enterprise accounts, bypassing multifactor authentication protections and gaining persistent access to sensitive organizational data, a report said.<\/p>\n<p>Researchers at Proofpoint tracked multiple threat clusters \u2014 both financially motivated and state-aligned \u2014 that were using device code phishing techniques to trick users into granting unauthorized access to their Microsoft 365 accounts. 
The campaigns have surged since September 2025, representing a significant shift from limited, targeted attacks to widespread exploitation.<\/p>\n<p>\u201cWhile this is not necessarily a novel technique, it is notable to see it used increasingly by multiple threat clusters,\u201d the Proofpoint Threat Research Team <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/access-granted-phishing-device-code-authorization-account-takeover\" target=\"_blank\" rel=\"noopener\">wrote in a blog post<\/a>.<\/p>\n<p>The tactic represents an evolution of techniques that financially motivated groups <a href=\"https:\/\/www.csoonline.com\/article\/4001744\/hackers-use-vishing-to-breach-salesforce-customers-and-swipe-data.html\">used earlier this year<\/a> to breach Salesforce environments at <a href=\"https:\/\/www.csoonline.com\/article\/4035701\/we-too-were-breached-says-google-months-after-revealing-salesforce-attacks.html\">Google<\/a>, Qantas, and luxury brands through similar OAuth abuse, affecting hundreds of organizations. Those Salesforce attacks, which began in June 2025, used voice phishing. The current wave drops the phone calls for email-based social engineering, making attacks easier to scale.<\/p>\n<h2 class=\"wp-block-heading\">A legitimate process turned malicious<\/h2>\n<p>The attacks abuse OAuth\u2019s device authorization flow, which was designed for authenticating on input-constrained devices like smart TVs and IoT devices. Threat actors, according to the blog post, initiate the legitimate Microsoft device authorization process, then trick victims into entering the generated device code \u2014 disguised as a one-time password \u2014 at Microsoft\u2019s own verification URL.<\/p>\n<p>\u201cThe lures typically claim that the device code is an OTP and direct the user to input the code at Microsoft\u2019s verification URL,\u201d the researchers wrote. 
\u201cOnce the user inputs the code, the original token is validated, giving the threat actor access to the targeted M365 account.\u201d<\/p>\n<p>Successful attacks enable account takeover, data exfiltration, lateral movement within networks, and establishment of persistent access to corporate resources. In some cases, stolen data becomes the basis for extortion attempts, <a href=\"https:\/\/www.csoonline.com\/article\/4067846\/extortion-gang-opens-data-leak-site-to-squeeze-victims-of-its-salesforce-attacks.html\">as ShinyHunters demonstrated<\/a> in its Salesforce campaigns.<\/p>\n<h2 class=\"wp-block-heading\">Tools of the trade<\/h2>\n<p>What\u2019s driving the surge is the availability of tools that make these attacks easy to execute. Proofpoint identified two primary kits: SquarePhish2 and Graphish.<\/p>\n<p>SquarePhish2 is an updated version of a tool originally published by <a href=\"https:\/\/github.com\/secureworks\/squarephish\" target=\"_blank\" rel=\"noopener\">Dell Secureworks<\/a> in 2022. It automates the OAuth Device Grant Authorization flow and integrates QR code functionality.<\/p>\n<p>The Graphish phishing kit, shared on vetted criminal hacking forums, enables the creation of convincing phishing pages leveraging Azure App Registrations and adversary-in-the-middle attack capabilities. \u201cThe tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns,\u201d the Proofpoint researchers wrote in the blog.<\/p>\n<p>These tools help attackers overcome a key limitation: device codes are typically short-lived. 
The automation enables larger-scale campaigns than were previously possible.<\/p>\n<h2 class=\"wp-block-heading\">State actors join cybercriminals<\/h2>\n<p>Since January 2025, Proofpoint has tracked multiple state-aligned threat actors abusing OAuth device code authorization for account takeover, representing a concerning evolution in espionage tradecraft.<\/p>\n<p>\u201cThis technique has been most widely used by Russia-aligned threat actors,\u201d the researchers noted, citing <a href=\"https:\/\/www.volexity.com\/blog\/2025\/02\/13\/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication\/\" target=\"_blank\" rel=\"noopener\">prior reporting by security firm Volexity<\/a>. Proofpoint also observed suspected China-aligned activity and other unattributed espionage campaigns.<\/p>\n<p>One group, which Proofpoint tracks as UNK_AcademicFlare, has been conducting device code phishing since at least September 2025. The suspected Russia-aligned actor uses compromised email addresses from government and military organizations to target entities in government, think tanks, higher education, and transportation sectors across the US and Europe.<\/p>\n<p>UNK_AcademicFlare typically conducts patient rapport building via benign outreach before launching device code phishing attempts. 
The group uses compromised accounts to arrange fictitious meetings or interviews, then shares malicious links to Cloudflare Worker URLs spoofing OneDrive accounts.<\/p>\n<p>Volexity researchers documented similar tactics in <a href=\"https:\/\/www.volexity.com\/blog\/2025\/12\/04\/dangerous-invitations-russian-threat-actor-spoofs-european-security-events-in-targeted-phishing-attacks\/\" target=\"_blank\" rel=\"noopener\">recent campaigns<\/a> where Russian actors created fake websites masquerading as legitimate European security conferences to trick attendees into granting OAuth access.<\/p>\n<h2 class=\"wp-block-heading\">Widespread campaigns target financial lures<\/h2>\n<p>Financially motivated threat actors have also embraced device code phishing. Proofpoint highlighted activity from TA2723, a high-volume credential phishing actor known for campaigns spoofing Microsoft OneDrive, LinkedIn, and DocuSign.<\/p>\n<p>Beginning in October 2025, TA2723 launched campaigns using salary and benefits-themed lures. One campaign used email messages purporting to contain documents titled \u201cOCTOBER_SALARY_AMENDED\u201d and \u201cSalary Bonus + Employer Benefits Reports 25.\u201d<\/p>\n<p>The messages directed recipients to URLs that ultimately led to device code authorization pages where victims were tricked into generating and entering one-time passcodes. Proofpoint researchers suspect TA2723 used both SquarePhish2 and Graphish tools across different campaign waves.<\/p>\n<p>The 2025 ShinyHunters campaign demonstrated the potential damage. In a <a href=\"https:\/\/www.csoonline.com\/article\/4094506\/oauth-token-compromise-hits-salesforce-ecosystem-again-gainsight-impacted.html\">separate but related OAuth abuse incident<\/a>, threat actors exploited OAuth tokens stolen from the Salesloft\/Drift integration to access Salesforce instances at hundreds of organizations. 
Companies, including Cloudflare, Zscaler, and Tenable, publicly disclosed unauthorized access to data, triggering breach notification requirements.<\/p>\n<p>Proofpoint recommended organizations create Conditional Access policies to block device code flow entirely or implement allow-lists for approved users and IP ranges. \u201cTraditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal,\u201d the researchers wrote.<\/p>\n<p>Microsoft did not respond to a request for comment on the findings.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cybercriminals and state-sponsored hackers are increasingly exploiting Microsoft\u2019s legitimate OAuth 2.0 device authorization process to hijack enterprise accounts, bypassing multifactor authentication protections and gaining persistent access to sensitive organizational data, a report said. 
Researchers at Proofpoint tracked multiple threat clusters \u2014 both financially motivated and state-aligned \u2014 that were using device code phishing techniques to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6298,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6297","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6297"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6297"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6297\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6298"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}