Microsoft 365 Under Attack: OAuth Device Code Phishing Campaigns Bypass MFA and Compromise Accounts (2024–2025)
- Rescana
- Dec 21, 2025
- 5 min read

Executive Summary
A sophisticated and rapidly evolving wave of phishing attacks is targeting Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant, better known as the device code flow. The technique, first observed in the wild in late summer 2024, defeats credential-theft defenses and multi-factor authentication (MFA) not by breaking either control but by having the victim sign in, MFA prompt included, at a genuine Microsoft page on the attacker's behalf; the attacker then collects the resulting access and refresh tokens. The campaigns are run by a mix of financially motivated and state-aligned threat actors, including TA2723 and Storm-2372/UNK_AcademicFlare, who use phishing kits such as SquarePhish and Graphish to automate and scale the operation, resulting in persistent unauthorized access to sensitive organizational data. Because the sign-in itself happens on legitimate Microsoft infrastructure, the lures are convincing and the compromise is hard to distinguish from normal activity. Every organization running Microsoft 365 that has not blocked the device code flow is exposed, regardless of product version or sector.
Threat Actor Profile
The current wave of OAuth phishing attacks is attributed to a diverse set of threat actors. TA2723 is a financially motivated group known for high-volume credential phishing campaigns, previously impersonating services such as OneDrive, LinkedIn, and DocuSign. This group has now pivoted to OAuth device code phishing, initially using SquarePhish2 and later adopting the more advanced Graphish kit. In parallel, Storm-2372/UNK_AcademicFlare is a suspected Russian state-aligned actor targeting government, academic, think tank, and transportation sectors across the United States and Europe. This actor is characterized by rapport-building emails that precede the phishing attempt, increasing the likelihood of user compliance. Both groups are highly adaptive, leveraging open-source and underground phishing kits, and are capable of rapidly shifting their tactics in response to defensive measures.
Technical Analysis of Malware/TTPs
The attack chain begins with a phishing email that mimics legitimate business communications, such as document-sharing notifications, salary bonus offers, or requests for token re-authorization. These emails are often crafted with localized company branding and may originate from previously compromised government or military accounts, lending additional credibility. The email instructs the recipient to visit the legitimate Microsoft device login page (https://microsoft.com/devicelogin) and enter the short user code that the attacker's own device code request produced. Entra device codes expire after 15 minutes, so the lure must get the victim to act quickly, and the process is dressed up to look like a routine security or MFA step.
At that page the victim signs in exactly as they normally would, password and MFA included. The application named on the sign-in screen is whichever client_id the attacker supplied when requesting the code: either an attacker-controlled app registration in Azure Active Directory (now Microsoft Entra ID) requesting scopes such as Mail.Read, Files.Read and Mail.Send, which may add a consent prompt if the tenant allows user consent, or a Microsoft first-party public client that needs no consent at all. Once the victim completes the sign-in, the attacker's client, which has been polling the token endpoint with the device code, receives a valid access token and refresh token. The attacker never learns the password and never defeats MFA; the tokens carry the MFA claim the victim earned, and the refresh token can be redeemed for fresh access tokens for as long as it stays valid, by default 90 days of inactivity unless revoked. That is what gives the access its persistence.
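The exchange above, modelled offline as an added example (not code from Rescana or from any kit named on the page): a minimal in-process stand-in for login.microsoftonline.com implements the two device code flow endpoints, and a scenario function walks the chain from the attacker's code request to token retrieval. Endpoint paths, JSON field names and the RFC 8628 error vocabulary follow the real protocol; every token and code value, the client_id, the victim identity and the 9-character user code format are constructed for the demo. The point it makes is the asymmetry: the polling side only ever sees `authorization_pending` or tokens, while the password and MFA exchange happens solely between the victim and the server.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628) as used by
Microsoft Entra ID.  Added example; the server class is a stand-in, not Microsoft code."""
import secrets
import string
import time

DEVICECODE_ENDPOINT = "/common/oauth2/v2.0/devicecode"   # real path, unused offline
TOKEN_ENDPOINT = "/common/oauth2/v2.0/token"             # real path, unused offline
VERIFICATION_URI = "https://microsoft.com/devicelogin"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CODE_LIFETIME = 900      # Entra device codes expire after 15 minutes
POLL_INTERVAL = 5        # minimum seconds between token-endpoint polls


class EntraStandIn:
    """Minimal authorization server.  Note who talks to whom: the polling client
    never receives the user's password or MFA proof, only the final tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # device_code -> flow state

    def devicecode(self, client_id, scope):
        """POST /devicecode: what a phishing kit (or a legitimate CLI) calls first."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))  # constructed format
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + CODE_LIFETIME, "upn": None,
        }
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": VERIFICATION_URI,
            "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL,
            "message": f"To sign in, use a web browser to open the page "
                       f"{VERIFICATION_URI} and enter the code {user_code} to authenticate.",
        }

    def devicelogin(self, user_code, upn, password_ok, mfa_ok):
        """The victim's side at the verification URI: enter the code, then sign in.
        Password and MFA are checked here, against the server, never by the attacker."""
        for state in self.pending.values():
            if state["user_code"] == user_code and self.clock() < state["expires_at"]:
                if password_ok and mfa_ok:
                    state["upn"] = upn          # flow is now authorized for this user
                    return "signed_in"
                return "authentication_failed"  # victim may simply retry
        return "bad_verification_code"          # unknown or expired code

    def token(self, client_id, device_code, grant_type=DEVICE_GRANT):
        """POST /token: the polling side, using the RFC 8628 error vocabulary."""
        state = self.pending.get(device_code)
        if grant_type != DEVICE_GRANT or state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() >= state["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["upn"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]           # a device code is redeemable once
        return {
            "token_type": "Bearer", "scope": state["scope"], "expires_in": 3600,
            "access_token": "eyJ.constructed." + secrets.token_urlsafe(16),
            "refresh_token": "0.constructed." + secrets.token_urlsafe(16),
            # Not a real response field: stands in for the upn claim carried in the id_token.
            "authenticated_user": state["upn"],
        }


def phish_scenario(victim_completes_login=True, victim_delay=60):
    """Walks the chain from the page with a fake clock so expiry is deterministic."""
    now = [1_700_000_000.0]
    server = EntraStandIn(clock=lambda: now[0])
    # The client_id may be the attacker's own app registration or any public client
    # the tenant trusts; the scope names are Microsoft Graph permissions.  All constructed.
    client_id = "attacker-app-or-public-client-id"
    kit = server.devicecode(client_id, "Mail.Read Files.Read Mail.Send offline_access")
    lure = kit["message"]                      # this text goes straight into the phishing email
    first_poll = server.token(client_id, kit["device_code"])
    now[0] += victim_delay                     # seconds until the victim acts on the lure
    victim = "skipped"
    if victim_completes_login:
        victim = server.devicelogin(kit["user_code"], "alice@contoso.example",
                                    password_ok=True, mfa_ok=True)
    second_poll = server.token(client_id, kit["device_code"])
    return {"lure": lure, "first_poll": first_poll, "victim": victim, "second_poll": second_poll}


if __name__ == "__main__":
    for label, result in (("victim acts in 60 s", phish_scenario()),
                          ("victim acts after 901 s", phish_scenario(victim_delay=901))):
        print(label, "->", result["victim"], result["second_poll"].get("error", "tokens issued"))
```

Run as a script it prints the two outcomes; the second scenario shows the 15-minute window that makes kits automate code generation and re-send lures. In the first scenario the tokens come back carrying the victim's identity even though the attacker's code never handled a password or an MFA response.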
The phishing kits used in these campaigns, such as SquarePhish and Graphish, automate the generation of device codes and the orchestration of phishing emails. SquarePhish is a publicly available red teaming tool that targets OAuth device grant flows and often incorporates QR codes to mimic legitimate MFA or TOTP setups. Graphish is a more advanced kit found on underground forums, supporting OAuth abuse, Azure App Registrations, and adversary-in-the-middle (AiTM) attacks. Some campaigns also utilize Tycoon, a Phishing-as-a-Service (PhaaS) platform capable of proxying login pages and intercepting session tokens in real time.
The technical sophistication of these attacks is further enhanced by the use of legitimate Microsoft infrastructure for the OAuth flow, making it extremely difficult for users and security controls to distinguish malicious activity from normal operations. Attackers may also manipulate MFA settings post-compromise, such as adding new security methods, to maintain persistence.
Exploitation in the Wild
Since August/September 2024, there has been a marked increase in the volume and sophistication of OAuth device code phishing attacks targeting Microsoft 365 users. The campaigns have affected a wide range of sectors, including government, NGOs, academia, transportation, energy, defense, IT, telecommunications, health, and private enterprises. Notably, the attacks have been successful in bypassing MFA and achieving persistent access, with some campaigns reporting success rates exceeding 50%.
Threat actors have demonstrated the ability to scale their operations rapidly, leveraging compromised accounts to launch further phishing waves within targeted organizations and their partners. The use of attacker-controlled Azure App Registrations and the abuse of legitimate OAuth flows have enabled these actors to evade traditional detection mechanisms, such as credential-based anomaly detection and MFA enforcement.
Observed phishing lures include document sharing, salary bonuses, MFA re-authorization, business contract agreements, and requests for quotes (RFQ). In several cases, attackers have used rapport-building techniques, such as extended email conversations, to increase the likelihood of user compliance. The attacks are not limited to a specific geography, with confirmed incidents in the United States, Europe, and other regions.
Victimology and Targeting
The primary targets of these campaigns are organizations and individuals with access to sensitive data or critical infrastructure. Sectors most affected include government agencies, non-governmental organizations, academic institutions, transportation and logistics companies, energy providers, defense contractors, IT and telecommunications firms, and healthcare organizations. Within these sectors, high-value individuals such as executives, IT administrators, and finance personnel are frequently targeted due to their elevated access privileges.
Geographically, the attacks have been concentrated in the United States and Europe, with a particular focus on entities involved in government, academia, and critical infrastructure. However, the global nature of Microsoft 365 adoption means that organizations in other regions are also at risk. The use of compromised accounts to launch further phishing campaigns within and across organizations increases the potential impact and reach of these attacks.
Mitigation and Countermeasures
To defend against OAuth device code phishing, organizations should layer several controls. A Microsoft Entra Conditional Access policy using the authentication flows condition should block the device code flow for all users and all cloud apps, with at most a small, monitored exception group for administrators who genuinely need it (for example CLI sign-in on headless hosts); Conditional Access can also restrict sign-ins by location and device state. OAuth app consent is governed separately, in the tenant's consent settings: allow user consent only for apps from verified publishers requesting low-risk permissions, or disable it outright and route requests through the admin consent workflow. Regular audits of Azure App Registrations, and of the service principals and OAuth grants already present in the tenant, are essential to identify and restrict third-party app permissions, ensuring that only trusted applications have access to sensitive data.
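An audit of that first control, as an added example (not Rescana's code): given the policies returned by the Microsoft Graph conditional access API (`GET /identity/conditionalAccess/policies`), it reports whether any single enabled policy blocks the device code flow for all users and all cloud apps, separates report-only and partially scoped policies, and builds the body you would `POST` to the same endpoint to close the gap. The JSON shapes follow the Graph `conditionalAccessPolicy` resource, including the `authenticationFlows.transferMethods` value `deviceCodeFlow`; the three sample policies and the break-glass group id are constructed.

```python
"""Audit Entra Conditional Access policies for a tenant-wide device code flow block.
Added example; sample policies are constructed, field names follow Microsoft Graph."""

DEVICE_CODE_METHOD = "deviceCodeFlow"   # conditions.authenticationFlows.transferMethods


def blocks_device_code_for_everyone(policy):
    """True only if this policy, on its own, blocks device code sign-ins for all users
    and all cloud apps.  Every extra condition narrows a policy, so each is checked.
    Excluded users/groups (break-glass accounts) are allowed but should be reviewed."""
    c = policy.get("conditions") or {}
    flows = c.get("authenticationFlows") or {}
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",") if m.strip()}
    users = c.get("users") or {}
    apps = c.get("applications") or {}
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"                       # not disabled or report-only
        and DEVICE_CODE_METHOD in methods
        and users.get("includeUsers") == ["All"]
        and apps.get("includeApplications") == ["All"]
        and not apps.get("excludeApplications")
        and "all" in (c.get("clientAppTypes") or ["all"])
        and not c.get("locations")                             # a location filter leaves gaps
        and not c.get("platforms")
        and "block" in (grant.get("builtInControls") or [])
    )


def audit_device_code_block(policies):
    """Classify every policy that mentions the device code flow at all."""
    report = {"covered": False, "covering": [], "report_only": [], "partial": []}
    for p in policies:
        flows = (p.get("conditions") or {}).get("authenticationFlows") or {}
        if DEVICE_CODE_METHOD not in (flows.get("transferMethods") or ""):
            continue                                           # does not target the flow
        if blocks_device_code_for_everyone(p):
            report["covering"].append(p["displayName"])
        elif p.get("state") == "enabledForReportingButNotEnforced":
            report["report_only"].append(p["displayName"])
        else:
            report["partial"].append(p["displayName"])
    report["covered"] = bool(report["covering"])
    return report


def recommended_policy(break_glass_group_id):
    """Body for POST /identity/conditionalAccess/policies (Policy.ReadWrite.ConditionalAccess).
    The excluded group is the only place legitimate device code users should live."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": DEVICE_CODE_METHOD},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sample: a pilot left in report-only mode, a policy scoped to one group,
# and an unrelated MFA policy.  None of them actually blocks the flow tenant-wide.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block device code flow - finance",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["aaaaaaaa-0000-0000-0000-000000000001"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(audit_device_code_block(SAMPLE_POLICIES))
    print(audit_device_code_block(SAMPLE_POLICIES + [recommended_policy("11111111-2222-3333-4444-555555555555")]))
```

The per-policy check is deliberately strict: a report-only pilot or a policy scoped to one group is common in tenants that believe they have blocked the flow, and either leaves the rest of the directory open to the lure described above.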
User awareness training is critical. Employees should be taught that a device code only ever comes from a device or application they are actively setting up themselves, never from an email, and to verify any MFA or re-authorization request received by email through a separate channel. Incident response teams must be prepared to investigate suspicious device code sign-ins and OAuth consents; containment means revoking the affected user's sign-in sessions so that the attacker's refresh token dies, removing the malicious app's OAuth grant, deleting any MFA methods added after the compromise, and resetting the password. FIDO2 security keys and other phishing-resistant authenticators defeat adversary-in-the-middle kits such as Tycoon, which depend on proxying the login page; on their own they do not stop device code phishing, because the victim completes a genuine sign-in, so they complement rather than replace blocking the flow.
Where possible, block the device code flow tenant-wide. Microsoft Entra ID has no standalone switch for it, so the control is a Conditional Access policy whose authentication flows condition targets the device code flow, scoped to all users and all cloud apps and excepting only accounts with a documented need. Email and web security solutions should be configured to block and monitor malicious email threats and to isolate potentially malicious sessions initiated from email links. Continuous monitoring for anomalous OAuth activity can provide early warning of compromise: device code sign-ins (recorded with an AuthenticationProtocol of deviceCode in the Entra sign-in logs) from unfamiliar locations or through unexpected client applications, new app consents, and MFA method registrations shortly after such a sign-in are the signals to watch.
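Detection logic for those signals, as an added example (not Rescana's code) run over constructed sample records: every successful device code sign-in is scored against an allowlist of clients expected to use the flow, the user's own baseline of sign-in countries from non-device-code sign-ins, and any "User registered security info" audit event in the following 24 hours, which is the post-compromise MFA manipulation described earlier. Field names mirror the Entra SigninLogs and AuditLogs tables, except that the audit target is flattened into a TargetUserPrincipalName field for simplicity; the records, the allowlist (assumed to reflect admins using the Azure CLI), and the users are all constructed.

```python
"""Score device code sign-ins from Entra sign-in and audit records.
Added example; sample records are constructed, field names follow Entra SigninLogs/AuditLogs."""
from datetime import datetime, timedelta

# Assumption for this tenant: only the Azure CLI legitimately uses the device code flow.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
MFA_REGISTRATION_OP = "User registered security info"


def _ts(s):
    """Parse the ISO-8601 'Z' timestamps the logs use."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def user_baseline_countries(signins, upn):
    """Countries seen in the user's successful sign-ins that did NOT use device code."""
    return {r["Location"] for r in signins
            if r["UserPrincipalName"] == upn and r["ResultType"] == "0"
            and r["AuthenticationProtocol"] != "deviceCode"}


def detect_device_code_abuse(signins, audits, followup_window=timedelta(hours=24)):
    """Return one alert per suspicious successful device code sign-in."""
    alerts = []
    for r in signins:
        if r["AuthenticationProtocol"] != "deviceCode" or r["ResultType"] != "0":
            continue
        upn, when = r["UserPrincipalName"], _ts(r["TimeGenerated"])
        reasons = []
        if r["AppDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append(f"unexpected client '{r['AppDisplayName']}'")
        baseline = user_baseline_countries(signins, upn)
        if baseline and r["Location"] not in baseline:
            reasons.append(f"sign-in from {r['Location']}, baseline {sorted(baseline)}")
        # Attackers add their own MFA method after taking over; look for it right after.
        if any(a["OperationName"] == MFA_REGISTRATION_OP and a["Result"] == "success"
               and a["TargetUserPrincipalName"] == upn
               and when <= _ts(a["TimeGenerated"]) <= when + followup_window
               for a in audits):
            reasons.append("MFA method registered within 24h of device code sign-in")
        if reasons:
            alerts.append({"user": upn, "time": r["TimeGenerated"], "ip": r["IPAddress"],
                           "severity": "high" if len(reasons) >= 2 else "medium",
                           "reasons": reasons})
    return alerts


# Constructed sample: alice is phished (foreign IP, first-party client, new MFA method),
# bob is an admin using the CLI normally, carol used an unexpected client from her usual place.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2025-12-01T08:02:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Office 365 SharePoint Online", "AuthenticationProtocol": "none",
     "IPAddress": "203.0.113.10", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2025-12-01T09:15:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Microsoft Teams", "AuthenticationProtocol": "none",
     "IPAddress": "203.0.113.10", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2025-12-01T10:41:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Microsoft Office", "AuthenticationProtocol": "deviceCode",
     "IPAddress": "198.51.100.77", "Location": "NL", "ResultType": "0"},
    {"TimeGenerated": "2025-12-01T07:00:00Z", "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Azure Portal", "AuthenticationProtocol": "none",
     "IPAddress": "203.0.113.22", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2025-12-01T07:30:00Z", "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Microsoft Azure CLI", "AuthenticationProtocol": "deviceCode",
     "IPAddress": "203.0.113.22", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2025-12-01T11:00:00Z", "UserPrincipalName": "carol@contoso.example",
     "AppDisplayName": "Outlook", "AuthenticationProtocol": "none",
     "IPAddress": "203.0.113.40", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2025-12-01T12:05:00Z", "UserPrincipalName": "carol@contoso.example",
     "AppDisplayName": "Microsoft Office", "AuthenticationProtocol": "deviceCode",
     "IPAddress": "203.0.113.40", "Location": "US", "ResultType": "0"},
]
SAMPLE_AUDITS = [
    {"TimeGenerated": "2025-12-01T12:20:00Z", "OperationName": MFA_REGISTRATION_OP,
     "TargetUserPrincipalName": "alice@contoso.example", "Result": "success"},
    {"TimeGenerated": "2025-11-30T09:00:00Z", "OperationName": MFA_REGISTRATION_OP,
     "TargetUserPrincipalName": "carol@contoso.example", "Result": "success"},  # before, ignored
]

if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_SIGNINS, SAMPLE_AUDITS):
        print(alert["severity"].upper(), alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

In a SIEM the first filter is the cheap one (`SigninLogs | where AuthenticationProtocol == "deviceCode"`); the baseline and the audit correlation are what separate an administrator's CLI login from a phished mailbox, and a medium alert such as carol's is still worth a call, since an unexpected client from a familiar location is exactly what a victim who clicked the lure from their desk looks like.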
References
- BleepingComputer: Microsoft 365 accounts targeted in wave of OAuth phishing attacks
- Proofpoint Threat Insight: Microsoft OAuth App Impersonation Campaign
- Microsoft Security Blog: Storm-2372 conducts device code phishing campaign
- InfoSecurity Magazine: OAuth Device Code Phishing Campaigns Surge
- Reddit: 365 account compromise bypassing MFA
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring the resilience and integrity of your business operations.
We are happy to answer any questions at ops@rescana.com.