The Microsoft OAuth Device Code phishing campaign abuses the OAuth 2.0 Device Authorization Grant flow, a legitimate authentication mechanism designed for devices with limited input capabilities. Attackers craft phishing URLs that initiate the device authorization process, prompting victims to authenticate and approve access requests on genuine Microsoft login pages. Unlike traditional phishing that captures user credentials, this technique leverages OAuth tokens, which grant direct access to user accounts without needing passwords. The use of encrypted HTTPS traffic and legitimate Microsoft authentication flows makes detection by conventional phishing filters and SSL inspection tools difficult. Victims unknowingly authorize malicious applications, granting attackers OAuth access tokens and refresh tokens, enabling persistent and stealthy access to Microsoft 365 services such as email, files, and collaboration tools. This token-based compromise can lead to business email compromise (BEC), data exfiltration, and lateral movement within corporate environments. The campaign has rapidly expanded, with over 180 phishing URLs detected in a single week, indicating active exploitation. Indicators of compromise include domains like aiinnovationsfly.com and astrolinktech.com. The attack aligns with MITRE ATT&CK technique T1566 (Phishing) but innovates by exploiting OAuth flows rather than traditional credential theft. No CVEs are associated, and no known exploits in the wild have been reported beyond this campaign. The threat underscores the need for enhanced OAuth monitoring and user education about device code authorization prompts.

This threat enables attackers to bypass traditional credential-based defenses and gain direct access to Microsoft 365 accounts via OAuth tokens. The immediate impact includes unauthorized access to corporate emails, files, and collaboration platforms, facilitating business email compromise, data theft, and potential ransomware deployment. Persistent access through refresh tokens allows attackers to maintain long-term footholds without repeated user interaction. The stealthy nature of the attack, leveraging legitimate Microsoft authentication flows and encrypted traffic, complicates detection and response efforts. Organizations relying heavily on Microsoft 365 for communication and data storage face significant risks of operational disruption, reputational damage, and financial loss. The campaign's rapid growth suggests widespread targeting, increasing the likelihood of successful compromises globally. Additionally, compromised accounts can be used to launch further attacks internally or against partners, amplifying the threat's reach.

1. Implement Conditional Access policies in Microsoft 365 to restrict OAuth app consent and device code authorizations, especially for high-risk users and sensitive accounts. 2. Enforce multi-factor authentication (MFA) with app-based or hardware tokens that require explicit user interaction beyond OAuth consent screens. 3. Monitor OAuth consent logs and device authorization events for unusual patterns, such as unexpected app approvals or device codes initiated from unknown IP addresses or geographies. 4. Educate users to recognize legitimate OAuth device code prompts and to verify the legitimacy of authorization requests before approval. 5. Employ advanced threat protection solutions that analyze OAuth token usage and detect anomalous access behaviors. 6. Block or monitor known malicious domains (e.g., aiinnovationsfly.com, astrolinktech.com) at the network perimeter and in email filtering systems. 7. Regularly review and revoke OAuth app permissions that are unnecessary or suspicious. 8. Integrate OAuth token revocation procedures into incident response plans to quickly invalidate compromised tokens. 9. Use endpoint detection and response (EDR) tools to identify lateral movement or data exfiltration following token misuse. 10. Collaborate with Microsoft security teams and leverage their security tools and alerts related to OAuth abuse.