Microsoft 365 accounts have become a prime target for cybercriminals due to the value of the information they contain and common security flaws such as weak passwords or the lack of multi-factor authentication.
In this regard, the cybersecurity company Proofpoint warned of a continued increase in attacks that take control of these accounts by abusing a legitimate Microsoft mechanism called OAuth, without the user noticing the intrusion.
According to the research, attackers no longer rely solely on direct password theft. Instead, they exploit trusted authentication flows that allow them to quietly and effectively access corporate and personal Microsoft 365 accounts.
The attack begins with a seemingly legitimate phishing message. It can arrive via email and contain a button with an embedded URL, a hyperlink in the text, or even a QR code. In all cases, the goal is to take the victim to a page controlled by the attacker.
There the user receives a device code, either on the page itself or via email. This code is presented as part of a verification or security process, although it actually works as a one-time password. The deception is complete when the user is tricked into entering this code into a legitimate Microsoft URL, believing it will protect their account.
By entering the code and their credentials, the user unknowingly grants access permissions to their Microsoft 365 account. From there, the attacker can read emails, access documents, steal sensitive information, and move laterally within an organization’s network without needing to know the original password.

Proofpoint’s researchers warn that this technique marks an important development in modern phishing. “Attacks move from direct password theft to abuse of trusted authentication flows,” they explained.
So-called device code phishing exploits the trust that users place in official login systems. When interacting with real Microsoft domains, many people have no idea that they are falling victim to a scam.
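Because the sign-in happens on a genuine Microsoft domain, the most reliable place to spot this abuse is the tenant’s own sign-in telemetry. The following script is an added example (not code from the article or from Proofpoint) that triages constructed Microsoft Entra sign-in records for device-code sign-ins that fall outside an allowlist of expected client apps, come from an unmanaged device, or originate from an unexpected country. The field names (authenticationProtocol, deviceDetail, location, status) follow the Microsoft Graph signIn resource; the records, the allowlisted app and the expected-country set are all assumptions made up for the example.

```python
"""Triage constructed Entra sign-in records for suspicious device-code sign-ins.

Added example; not the article's, Proofpoint's or Microsoft's code.
The sample records below are constructed, not real telemetry.
"""
import json

# Constructed sample sign-in records. Keys mirror the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""
[
  {"id": "s1", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
   "location": {"countryOrRegion": "US"},
   "deviceDetail": {"isCompliant": false, "isManaged": false, "operatingSystem": "Linux"},
   "status": {"errorCode": 0}},
  {"id": "s2", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
   "appDisplayName": "Outlook", "ipAddress": "198.51.100.4",
   "location": {"countryOrRegion": "US"},
   "deviceDetail": {"isCompliant": true, "isManaged": true, "operatingSystem": "Windows"},
   "status": {"errorCode": 0}},
  {"id": "s3", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Azure CLI", "ipAddress": "198.51.100.20",
   "location": {"countryOrRegion": "US"},
   "deviceDetail": {"isCompliant": true, "isManaged": true, "operatingSystem": "Linux"},
   "status": {"errorCode": 0}},
  {"id": "s4", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.77",
   "location": {"countryOrRegion": "XX"},
   "deviceDetail": {"isCompliant": false, "isManaged": false, "operatingSystem": ""},
   "status": {"errorCode": 0}},
  {"id": "s5", "userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.90",
   "location": {"countryOrRegion": "XX"},
   "deviceDetail": {"isCompliant": false, "isManaged": false, "operatingSystem": ""},
   "status": {"errorCode": 50199}}
]
""")

# Hypothetical allowlist, mirroring the article's recommendation that device code be
# permitted only for specific, justified clients. Values are assumptions for the example.
ALLOWED_DEVICE_CODE_APPS = {"Azure CLI"}
EXPECTED_COUNTRIES = {"US"}


def classify(signin):
    """Return the reasons a sign-in deserves review; an empty list means no finding."""
    reasons = []
    if signin.get("authenticationProtocol") != "deviceCode":
        return reasons  # only device-code sign-ins are in scope for this rule
    if signin.get("status", {}).get("errorCode", 0) != 0:
        return reasons  # a failed attempt did not grant a token; count it elsewhere
    if signin.get("appDisplayName") not in ALLOWED_DEVICE_CODE_APPS:
        reasons.append("device code used by non-allowlisted app")
    device = signin.get("deviceDetail", {})
    if not device.get("isCompliant") and not device.get("isManaged"):
        reasons.append("device neither compliant nor managed")
    if signin.get("location", {}).get("countryOrRegion") not in EXPECTED_COUNTRIES:
        reasons.append("sign-in from unexpected country")
    return reasons


def triage(signins):
    """Map sign-in id to its review reasons for every successful device-code sign-in."""
    findings = {}
    for signin in signins:
        reasons = classify(signin)
        if reasons:
            findings[signin["id"]] = reasons
    return findings


if __name__ == "__main__":
    for signin_id, reasons in triage(SAMPLE_SIGNINS).items():
        print(signin_id, "->", "; ".join(reasons))
```

Running it flags s1 and s4: both are successful device-code sign-ins by a client outside the allowlist from a device the tenant does not manage, and s4 additionally comes from an unexpected country. s3 is a device-code sign-in too, but from an allowlisted client on a compliant device, which is exactly the justified use the article says should remain permitted.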
The cybersecurity company points out that the growth of this threat is driven by tools that automate and simplify these types of attacks. These include kits like SquarePhish2 and Graphicish, as well as malicious applications sold on hacking forums.

These tools reduce technical hurdles for attackers and enable even actors with limited knowledge to launch large-scale phishing campaigns. The result is an increase in the number of compromised accounts and greater potential impact on businesses and users.
Once an attacker gains access to a Microsoft 365 account, the consequences can be serious. In addition to stealing personal or company information, cybercriminals can use the compromised account to send new phishing emails, access networked services, or commit financial fraud.
In enterprise environments, these types of attacks facilitate lateral movement within the network, which can lead to broader security breaches, loss of sensitive data, and reputational damage.

Given this scenario, Proofpoint’s first recommendation is to block the device code flow where possible. If disabling it is not possible, the company recommends an allowlist-based approach that limits the use of this method to specific and justified cases.
It is also important to limit logins to devices that have been previously enrolled or that meet defined security policies. This should be combined with ongoing user training so that people can recognize less conventional phishing attempts, such as those that use QR codes or apparent verification processes.
Finally, experts recommend strengthening controls over OAuth and promoting the adoption of phishing-resistant multi-factor authentication mechanisms, such as those based on the FIDO standard.
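The first two recommendations above map onto Microsoft Entra Conditional Access policies. The script below is an added example (not code from the article, Proofpoint or Microsoft) that builds the JSON bodies for two such policies: one that blocks the device code flow for everyone except an allowlisted group, and one that requires a compliant or domain-joined device. Property names follow the Microsoft Graph conditionalAccessPolicy resource as the author understands it and should be checked against the current Graph reference before use; the group id and break-glass user id are placeholders. The lint function catches two misconfigurations a practitioner would want to avoid: a “block” grant that is not scoped to the device code flow (which would block every sign-in in the tenant) and a tenant-wide policy with no emergency-access accounts excluded.

```python
"""Build and sanity-check Conditional Access policy bodies for the article's advice.

Added example; not the article's, Proofpoint's or Microsoft's code. Bodies are
shaped for the Microsoft Graph conditionalAccessPolicy resource
(POST /identity/conditionalAccess/policies); verify property names against the
current Graph reference before sending them. Ids below are placeholders.
"""
import json

PLACEHOLDER_ALLOWLIST_GROUP = "00000000-0000-0000-0000-000000000000"  # replace: allowlisted group
PLACEHOLDER_BREAK_GLASS_USER = "11111111-1111-1111-1111-111111111111"  # replace: emergency account


def device_code_block_policy(allowlist_group_id, break_glass_user_ids, report_only=True):
    """Block the device code flow for all users except an allowlisted group (recommendation 1)."""
    return {
        "displayName": "Block device code flow except allowlisted users",
        # Start in report-only mode so the sign-in logs show what would have been blocked.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(break_glass_user_ids),
                "excludeGroups": [allowlist_group_id],
            },
            "applications": {"includeApplications": ["All"]},
            # Scopes the block to the device code flow only; without this the block is tenant-wide.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_trusted_device_policy(break_glass_user_ids, report_only=True):
    """Require a compliant or domain-joined device for every sign-in (recommendation 2)."""
    return {
        "displayName": "Require compliant or domain-joined device",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["compliantDevice", "domainJoinedDevice"],
        },
    }


def lint_block_policy(policy):
    """Return the problems that would turn a device-code block into an outage or lockout."""
    problems = []
    conditions = policy.get("conditions", {})
    grants = policy.get("grantControls", {}).get("builtInControls", [])
    flows = conditions.get("authenticationFlows", {}).get("transferMethods")
    if "block" in grants and flows != "deviceCodeFlow":
        problems.append("block grant is not scoped to the device code flow; it would block all sign-ins")
    users = conditions.get("users", {})
    if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
        problems.append("policy targets all users but excludes no emergency-access accounts")
    return problems


if __name__ == "__main__":
    policy = device_code_block_policy(PLACEHOLDER_ALLOWLIST_GROUP, [PLACEHOLDER_BREAK_GLASS_USER])
    print(json.dumps(policy, indent=2))
    print("lint:", lint_block_policy(policy) or "ok")
```

The policies are generated in report-only state on purpose: after a week or two, the sign-in logs show which users and apps would have been blocked, which is the data needed to populate the allowlist group before the device-code block is switched to enforced.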