This threat campaign involves phishing attacks that exploit the OAuth 2.0 device authorization grant flow to gain unauthorized access to Microsoft 365 accounts. Unlike traditional credential phishing, attackers send users a URL that initiates the OAuth device code authorization process, a legitimate Microsoft mechanism designed for devices with limited input capabilities. Users are tricked into approving malicious applications requesting access to their accounts. Once authorized, attackers gain OAuth tokens that allow them to access email, files, and other resources without needing passwords. The campaign is facilitated by phishing tools like SquarePhish2 and Graphish, which automate the attack sequence and help bypass traditional security controls. Multiple threat clusters, including financially motivated cybercriminals and state-aligned groups such as Russia-aligned TA2723, are actively using this technique. The attackers leverage a variety of malicious domains and URLs that impersonate legitimate Microsoft or file-sharing services to increase the likelihood of user interaction. The attack chain begins with a phishing message containing a URL, leading to the OAuth device code approval prompt. Because the process uses legitimate Microsoft OAuth flows, it is difficult for security solutions to detect based solely on network traffic or authentication logs. The compromised accounts can be used for data exfiltration, lateral movement, and further compromise within the victim organization. The campaign does not rely on exploiting software vulnerabilities but rather on social engineering and abusing OAuth protocols. No known CVEs or exploits in the wild are associated with this technique, but the impact on confidentiality and integrity is high. The attack requires user interaction to approve the OAuth permissions, which is a critical factor in the attack's success. The medium severity rating reflects the balance between the attack's impact and the required user involvement.

European organizations using Microsoft 365 and related cloud services face significant risks from this threat. Successful account takeovers can lead to unauthorized access to sensitive emails, documents, and collaboration platforms, resulting in data breaches and intellectual property theft. The use of OAuth tokens allows attackers to bypass traditional password-based defenses and multi-factor authentication if not properly configured. This can disrupt business operations, damage reputations, and cause regulatory compliance issues under GDPR due to data exposure. Financially motivated actors may use compromised accounts for fraud or ransomware deployment, while state-aligned actors could conduct espionage or sabotage. The difficulty in detecting these attacks due to their use of legitimate authorization flows increases the risk of prolonged undetected access. Organizations with remote workforces and heavy reliance on cloud collaboration tools are especially vulnerable. The threat also poses risks to supply chains and partners connected via Microsoft 365. Overall, the impact on confidentiality and integrity is high, with potential availability impacts if attackers deploy destructive payloads after initial access.

1. Implement conditional access policies in Microsoft 365 to restrict OAuth app consent to trusted applications only and require admin approval for new app consents. 2. Enable and enforce multi-factor authentication (MFA) with modern authentication methods that include device and location risk assessments to detect anomalous OAuth token requests. 3. Educate users about the risks of OAuth phishing and train them to recognize suspicious authorization prompts, especially those initiated via unsolicited links. 4. Monitor OAuth consent logs and Azure AD sign-in logs for unusual patterns, such as new app approvals or device code authorizations from unexpected locations or devices. 5. Use Microsoft Defender for Identity and Cloud App Security to detect and respond to suspicious OAuth token usage and lateral movement. 6. Block or monitor known malicious domains and URLs associated with this campaign using DNS filtering and web proxies. 7. Regularly review and revoke OAuth app permissions that are no longer needed or appear suspicious. 8. Implement least privilege access principles to limit the scope of OAuth app permissions where possible. 9. Employ advanced phishing protection tools that can analyze URLs and OAuth flows for malicious intent. 10. Coordinate with threat intelligence providers to stay updated on emerging indicators and tactics related to this threat.