Access granted: phishing with device code authorization for account takeover
Threat actors, including state-aligned and financially motivated groups, are exploiting the OAuth 2.0 device authorization grant flow to phish Microsoft 365 users into granting access to their accounts. Using phishing campaigns that start with malicious URLs, attackers trick users into approving OAuth device code authorizations, enabling account takeover without needing credentials directly. Tools such as SquarePhish2 and Graphish facilitate these attacks. The compromised accounts can lead to data exfiltration and further network compromises. Russia-aligned actors are notably active in these campaigns. The attack leverages legitimate Microsoft device authorization processes, making detection challenging. Indicators include numerous malicious domains and URLs mimicking legitimate services. This threat requires user interaction to approve OAuth permissions, but no direct credential theft is necessary. The severity is medium due to the complexity and user involvement required, but the impact on confidentiality and integrity is significant.
AI Analysis
Technical Summary
This threat campaign involves phishing attacks that exploit the OAuth 2.0 device authorization grant flow to gain unauthorized access to Microsoft 365 accounts. Unlike traditional credential phishing, attackers send users a URL that initiates the OAuth device code authorization process, a legitimate Microsoft mechanism designed for devices with limited input capabilities. Users are tricked into approving malicious applications requesting access to their accounts. Once authorized, attackers gain OAuth tokens that allow them to access email, files, and other resources without needing passwords. The campaign is facilitated by phishing tools like SquarePhish2 and Graphish, which automate the attack sequence and help bypass traditional security controls. Multiple threat clusters, including financially motivated cybercriminals and state-aligned groups such as Russia-aligned TA2723, are actively using this technique. The attackers leverage a variety of malicious domains and URLs that impersonate legitimate Microsoft or file-sharing services to increase the likelihood of user interaction. The attack chain begins with a phishing message containing a URL, leading to the OAuth device code approval prompt. Because the process uses legitimate Microsoft OAuth flows, it is difficult for security solutions to detect based solely on network traffic or authentication logs. The compromised accounts can be used for data exfiltration, lateral movement, and further compromise within the victim organization. The campaign does not rely on exploiting software vulnerabilities but rather on social engineering and abusing OAuth protocols. No known CVEs or exploits in the wild are associated with this technique, but the impact on confidentiality and integrity is high. The attack requires user interaction to approve the OAuth permissions, which is a critical factor in the attack's success. The medium severity rating reflects the balance between the attack's impact and the required user involvement.
Potential Impact
European organizations using Microsoft 365 and related cloud services face significant risks from this threat. Successful account takeovers can lead to unauthorized access to sensitive emails, documents, and collaboration platforms, resulting in data breaches and intellectual property theft. The use of OAuth tokens allows attackers to bypass traditional password-based defenses and multi-factor authentication if not properly configured. This can disrupt business operations, damage reputations, and cause regulatory compliance issues under GDPR due to data exposure. Financially motivated actors may use compromised accounts for fraud or ransomware deployment, while state-aligned actors could conduct espionage or sabotage. The difficulty in detecting these attacks due to their use of legitimate authorization flows increases the risk of prolonged undetected access. Organizations with remote workforces and heavy reliance on cloud collaboration tools are especially vulnerable. The threat also poses risks to supply chains and partners connected via Microsoft 365. Overall, the impact on confidentiality and integrity is high, with potential availability impacts if attackers deploy destructive payloads after initial access.
Mitigation Recommendations
1. Implement conditional access policies in Microsoft 365 to restrict OAuth app consent to trusted applications only and require admin approval for new app consents.
2. Enable and enforce multi-factor authentication (MFA) with modern authentication methods that include device and location risk assessments to detect anomalous OAuth token requests.
3. Educate users about the risks of OAuth phishing and train them to recognize suspicious authorization prompts, especially those initiated via unsolicited links.
4. Monitor OAuth consent logs and Azure AD sign-in logs for unusual patterns, such as new app approvals or device code authorizations from unexpected locations or devices.
5. Use Microsoft Defender for Identity and Cloud App Security to detect and respond to suspicious OAuth token usage and lateral movement.
6. Block or monitor known malicious domains and URLs associated with this campaign using DNS filtering and web proxies.
7. Regularly review and revoke OAuth app permissions that are no longer needed or appear suspicious.
8. Implement least privilege access principles to limit the scope of OAuth app permissions where possible.
9. Employ advanced phishing protection tools that can analyze URLs and OAuth flows for malicious intent.
10. Coordinate with threat intelligence providers to stay updated on emerging indicators and tactics related to this threat.
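As an added illustration of recommendation 4 (not part of the original advisory), the following triage check flags device code sign-ins that come from outside an expected set of countries or from an app not on an approved list. Field names follow the Microsoft Graph signIn resource; the allowlists and the sign-in records are constructed assumptions, not real tenant data.

```python
# Added example, not from the advisory: triage Entra ID sign-in records for
# device code authorizations that deserve analyst attention. The app allowlist
# is the more reliable signal; the country check only adds context.
from collections import defaultdict

EXPECTED_COUNTRIES = {"GB", "DE", "FR", "NL"}  # assumed per-tenant allowlist
APPROVED_DEVICE_CODE_APPS = {"11111111-1111-1111-1111-111111111111"}  # assumed app id

SAMPLE_SIGNINS = [  # constructed records in Graph signIn field layout
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-12-18T14:02:11Z",
     "authenticationProtocol": "deviceCode", "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-12-18T14:05:40Z",
     "authenticationProtocol": "deviceCode", "appId": "22222222-2222-2222-2222-222222222222",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NG"}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-12-18T14:09:02Z",
     "authenticationProtocol": "oAuth2", "appId": "22222222-2222-2222-2222-222222222222",
     "ipAddress": "203.0.113.78", "location": {"countryOrRegion": "NG"}},
]


def device_code_findings(signins, expected=EXPECTED_COUNTRIES, approved=APPROVED_DEVICE_CODE_APPS):
    """Return one finding per suspicious device code sign-in, with the reasons it matched."""
    findings = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other grant flows are out of scope for this check
        reasons = []
        country = (rec.get("location") or {}).get("countryOrRegion")
        if country not in expected:
            reasons.append(f"country {country} outside expected set")
        if rec.get("appId") not in approved:
            reasons.append(f"app {rec.get('appId')} not approved for device code")
        if reasons:
            findings.append({"user": rec["userPrincipalName"], "time": rec["createdDateTime"],
                             "ip": rec.get("ipAddress"), "reasons": reasons})
    return findings


def findings_by_user(signins):
    """Group findings per account so repeated approvals by one user stand out."""
    grouped = defaultdict(list)
    for finding in device_code_findings(signins):
        grouped[finding["user"]].append(finding)
    return dict(grouped)


if __name__ == "__main__":
    for user, items in findings_by_user(SAMPLE_SIGNINS).items():
        for f in items:
            print(f"{f['time']} {user} from {f['ip']}: {'; '.join(f['reasons'])}")
```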
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Poland, Sweden
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover
- Adversary: TA2723
- Pulse Id: 6944016f98d9890c84fedb47
- Threat Score: null
Threat ID: 6944242b4eb3efac36964678
Added to database: 12/18/2025, 3:56:27 PM
Last enriched: 12/18/2025, 4:12:27 PM
Last updated: 12/19/2025, 3:22:33 AM