{"id":7174,"date":"2026-02-20T00:20:17","date_gmt":"2026-02-20T00:20:17","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7174"},"modified":"2026-02-20T00:20:17","modified_gmt":"2026-02-20T00:20:17","slug":"new-phishing-campaign-tricks-employees-into-bypassing-microsoft-365-mfa","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7174","title":{"rendered":"New phishing campaign tricks employees into bypassing Microsoft 365 MFA"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Another device code phishing campaign that abuses OAuth device registration to bypass multifactor authentication login protections has been discovered.<\/p>\n<p><a href=\"https:\/\/blog.knowbe4.com\/uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa\" target=\"_blank\" rel=\"noopener\">Researchers at KnowBe4 say<\/a> the campaign is largely targeting North American businesses and professionals by tricking unwitting employees into clicking a link in an email from a threat actor.<\/p>\n<p>The message purports to be about a corporate electronic funds payment, a document about salary bonuses, or a voicemail, or it carries some other lure. It also includes a code for \u2018Secure Authorization\u2019 that the user is asked to enter when they click on the link, which takes them to a real Microsoft Office 365 login page.<\/p>\n<p>Victims think the message is legitimate, because the login page is legitimate, so they enter the code. But unknown to the victim, it\u2019s actually the code for a device controlled by the threat actor. What the victim has actually done is issue an OAuth token granting the hacker\u2019s device access to their Microsoft account. 
From there, the hacker has access to everything the account allows the employee to use.<\/p>\n<p>Note that this isn\u2019t about credential theft, although if the attacker wants credentials, they can be stolen. It\u2019s about stealing the victim\u2019s OAuth access and refresh tokens for persistent access to their Microsoft account, including to applications such as Outlook, Teams, and OneDrive.<\/p>\n<p>It works because certain sites, including Microsoft 365, use the OAuth 2.0 Device Authorization Grant process to allow devices to be added to an account. It\u2019s similar to the way a homeowner adds a smart TV to Netflix.<\/p>\n<p>KnowBe4 calls it a novel attack, although <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, called it \u201cold new.\u201d<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/17\/d\/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks.html\" target=\"_blank\" rel=\"noopener\">According to Trend Micro<\/a>, a threat actor dubbed Pawn Storm has been leveraging OAuth in phishing campaigns since as far back as 2015. <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/07\/08\/protecting-remote-workforce-application-attacks-consent-phishing\/\" target=\"_blank\" rel=\"noopener\">And in 2020, Microsoft warned users<\/a> about what it called \u2018consent phishing,\u2019 in which threat actors seek permission for an attacker-controlled app to access data by installing an OAuth 2.0 provider. Ullrich admitted a SANS employee fell for one of these phishing emails.<\/p>\n<p>The main defense against the latest version of this attack is to restrict the applications users are allowed to connect to their account, he said. 
Microsoft provides enterprise administrators with the ability to allowlist specific applications that the user may authorize via OAuth.<\/p>\n<p><a href=\"https:\/\/blog.knowbe4.com\/author\/roger-grimes\" target=\"_blank\" rel=\"noopener\">Roger Grimes<\/a>, CISO advisor at KnowBe4, <a href=\"https:\/\/blog.knowbe4.com\/watch-out-for-oauth-phishing-attacks-and-how-you-can-stay-safe\" target=\"_blank\" rel=\"noopener\">wrote about device code phishing in 2020<\/a>. In an interview Thursday, he said what\u2019s distinctive about the latest tactic is that the victim logs into a valid domain, and the goal is to get the user\u2019s device token.<\/p>\n<p>\u201cThe user\u2019s not doing anything wrong,\u201d in the sense that they are logging into a legitimate portal, he said. \u201cIf they look at the URL they\u2019re logging into, it\u2019s <em>microsoft.com<\/em>. But the attacker has pre-registered their device to get the code for [the victim] to verify.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a>, head of Canadian security awareness training provider Beauceron Security, said OAuth device code attacks have been gaining steam since 2024. 
\u201cIt\u2019s the natural evolutionary response to improvements in account security, particularly MFA,\u201d he said.<\/p>\n<p>The easiest defense is to turn off the ability to add extra login devices to Office 365, unless it\u2019s needed, he said.<\/p>\n<p>In addition, employees should be continuously educated about the risks of unusual login requests, even if they come from a familiar system.<\/p>\n<p>\u201cThe value of teaching people about new social engineering techniques like this, and doing phishing simulations based on these kinds of attack, is it gets people used to reporting them, which will help when real attacks are happening,\u201d he added.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/corymichal\/\" target=\"_blank\" rel=\"noopener\">Cory Michal<\/a>, CSO at AppOmni, said attacks often leverage OAuth tokens and service\/integration identities because they are a blind spot for many organizations that have invested heavily in identity hardening and multifactor authentication.<\/p>\n<p>\u201cOAuth tokens often operate as bearer credentials,\u201d he noted. 
\u201cIf an attacker obtains them, they can be used as a single-factor access method to act as the integration without triggering an interactive login or MFA challenge, and the activity can blend into normal API\/integration patterns. In other words, strong MFA enforcement can coexist with a persistent exposure if non-human identities and OAuth token hygiene aren\u2019t governed and monitored with the same rigor.\u201d<\/p>\n<p>He said that IT leaders need to go beyond classic third-party vendor reviews, and actually inventory and audit the integrations running in their SaaS environments, determining which apps are connected, what OAuth scopes\/permissions they have, and whether they\u2019re still needed.<\/p>\n<p>\u201cMost teams have far more integrations than they realize, and many retain broad privileges long after the original business need,\u201d he pointed out.<\/p>\n<p>\u201cIn parallel, we should raise the security bar for any SaaS vendor we rely on, [with] clear requirements around token security, logging, incident response, and secure integration patterns, and make sure our own tenant configurations and monitoring are hardened so integration activity is least-privilege, observable, and quickly containable when something upstream is compromised,\u201d Michal added.<\/p>\n<p>Grimes said that users can be educated to check how many devices are authorized to access their Microsoft, Google, and other login accounts. They should also be continually warned to be suspicious of email links that go to a login page.<\/p>\n<p><a href=\"https:\/\/blog.knowbe4.com\/what-is-device-code-phishing\" target=\"_blank\" rel=\"noopener\">In a blog about device code phishing<\/a>, he noted that Microsoft Entra administrators can disable \u201cdevice code flow\u201d in their conditional access policies. This disables device code flow for all Entra users, not just malicious ones. 
This means users will have to log in and provide more information than just a device code, but it will better protect an IT environment from this type of phishing attack.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Another device code phishing campaign that abuses OAuth device registration to bypass multifactor authentication login protections has been discovered. Researchers at KnowBe4 say the campaign is largely targeting North American businesses and professionals by tricking unwitting employees into clicking a link in an email from a threat actor. The message purports to be about a [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7175,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7174","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7174"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7174"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7174\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7175"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7174"},{"taxonomy":"post_tag","embeddable":true,"href":
"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}