A recent wave of phishing attacks is bypassing traditional security protections on Microsoft 365, even when multi‑factor authentication (MFA) is enabled. Instead of stealing passwords directly, attackers are abusing legitimate Microsoft login flows to trick users into granting access to their own accounts, effectively sidestepping the security codes that many organizations rely on for protection. These campaigns have already compromised hundreds of organizations, highlighting how modern phishing has evolved beyond simple fake login pages into sophisticated, session‑based attacks.
The core technique leverages Microsoft’s OAuth 2.0 device authorization flow, a feature designed for devices like printers and TVs that cannot display a full browser. Users receive a phishing email or SMS that looks like a legitimate Microsoft prompt, often claiming that a “secure authorization code” must be entered on a Microsoft login page. When the victim goes to the real Microsoft domain and inputs the code, they quietly grant an attacker‑controlled application long‑lived OAuth tokens that provide full access to their Microsoft 365 mailbox, OneDrive, and Teams.
Because the login happens on an actual Microsoft site, common phishing filters and user instincts often fail to detect anything unusual. The attacker never needs to capture a password or intercept an SMS code; they simply harvest the access and refresh tokens issued by Microsoft after the user completes MFA. This means that even changing passwords or waiting for a code to expire does not immediately cut off the attacker, since the stolen tokens can persist for extended periods unless explicitly revoked.
From there, threat actors typically move laterally inside the environment, reading sensitive emails, staging more phishing messages to contacts and colleagues, and sometimes preparing for business email compromise or invoice fraud. In some cases, compromised accounts are used to send follow‑up phishing emails that appear to come from within the organization, making them harder to flag and more likely to succeed. This “inside‑out” style of attack undermines trust in internal communications and can significantly slow down detection and response.
To counter these threats, organizations must go beyond standard MFA and focus on identity‑centric protections, including conditional access policies, risky‑sign‑in monitoring, and regular review of granted OAuth applications. Users should be trained to treat any unexpected authorization or device‑code request as suspicious, especially if they did not initiate a login, and to report such messages immediately. Combining strong technical controls with continuous security awareness remains the most effective way to reduce the risk of these advanced phishing campaigns on Microsoft 365.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: