Threat actors have ramped up phishing campaigns harnessing Microsoft's OAuth device code authorization flow to compromise Microsoft 365 accounts since September, according to Infosecurity Magazine.
The malicious emails used document-sharing, security-verification and token-reauthorization lures, delivered through QR codes, hyperlinked text and embedded buttons, to start an intrusion in which an illicit device code is generated that could let attackers obtain a valid access token for the targeted M365 account, a Proofpoint report revealed.
Device code phishing was observed being used by the financially motivated threat operation TA2723 in an October attack that impersonated salary documents, and by the suspected Russian state-backed hacking group UNK_AcademicFlare in an intrusion aimed at U.S. and European government, transportation and education organizations. The rise in device code phishing has been attributed to the SquarePhish2 framework and the free Graphish phishing kit.
Wider deployment of FIDO-compliant MFA controls would only push attackers further toward exploiting OAuth authentication flows, said Proofpoint, which urged organizations not only to bolster OAuth controls but also to warn users against entering device codes from untrusted sources.
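Because a device code redeemed by a phishing kit still produces an ordinary, successful sign-in, hunting for it means looking at the authentication protocol rather than at failures. The following added example (not from Proofpoint or the article) runs that check over constructed sign-in records shaped like Microsoft Graph signIn objects; the field names, the allow-listed network range and the 15-minute clustering window are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sign-in records in the shape of Microsoft Graph signIn objects.
# Field names are assumed to match the real schema; all values are made up.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-10-03T09:12:04Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-10-03T09:14:31Z", "userPrincipalName": "b.kim@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-10-03T09:20:00Z", "userPrincipalName": "c.ng@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "10.20.30.40",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-10-03T09:21:10Z", "userPrincipalName": "d.ali@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.45",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
]

# Assumed allow-list: ranges where device-code tooling (CLI on build hosts) is expected.
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_signins(signins, expected_nets=EXPECTED_NETS, window=timedelta(minutes=15)):
    """Return successful device-code sign-ins from outside the allow-listed ranges.
    Each finding records how many distinct users completed a device-code sign-in
    from the same IP inside `window`; several users from one IP is the pattern a
    kit that relays victims' codes produces, so it is rated higher."""
    dc = [r for r in signins
          if r.get("authenticationProtocol") == "deviceCode"
          and r.get("status", {}).get("errorCode") == 0]
    findings = []
    for r in dc:
        ip = ipaddress.ip_address(r["ipAddress"])
        if any(ip in net for net in expected_nets):
            continue
        t = _parse_ts(r["createdDateTime"])
        peers = {o["userPrincipalName"] for o in dc
                 if o["ipAddress"] == r["ipAddress"]
                 and abs(_parse_ts(o["createdDateTime"]) - t) <= window}
        findings.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                         "app": r["appDisplayName"], "users_from_ip": len(peers),
                         "severity": "high" if len(peers) > 1 else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

In a real tenant the same filter can be expressed against the sign-in log export, and any hit for a user who does not use CLI or device-bound tooling deserves a token revocation and a conversation with the user.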
Microsoft 365 accounts increasingly hijacked via OAuth device code authorization abuse