Threats Tagged 'oauth abuse'

Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.

In early April 2026, a large-scale device code phishing campaign targeted organizations across multiple sectors and regions, exploiting OAuth 2.0 Device Authorization Grant. Threat actors leveraged the Kali365 phishing-as-a-service platform, originating primarily from IP address 216.203.20[.]95. The campaign used high-fidelity lures directing victims to Microsoft's legitimate device login flow, where users unknowingly authorized threat actor-controlled sessions. Captured OAuth tokens enabled immediate mailbox access and post-compromise activities. In some cases, attackers established malicious inbox rules to suppress security notifications, extending dwell time. The Kali365 platform operates as a multi-tenant PhaaS ecosystem supporting both device code abuse and adversary-in-the-middle session capture, featuring rapid lure generation across multiple languages and file types, Cloudflare Worker-hosted pages, and token sharing capabilities between affiliates.