Published on June 16, 2026
Hackers Abuse Microsoft OAuth Device Code Flow to Take Over Microsoft 365 Accounts
Severity
Medium
Researchers have identified an active phishing campaign that abuses Microsoft’s legitimate OAuth 2.0 Device Authorization Grant (device code) flow to compromise Microsoft 365 accounts. Unlike traditional phishing attacks that attempt to steal usernames and passwords through fake login pages, this technique tricks users into completing a genuine Microsoft authentication process that authorizes an attacker-controlled device.
The attack begins with phishing emails disguised as vendor estimate approvals. These messages use a two-part attachment technique consisting of an HTML file and an embedded image designed to appear as a legitimate document. When recipients click the image, they are redirected to a ClickFix-style phishing page that generates a verification code and instructs the user to sign in using Microsoft.
Victims are then directed to Microsoft’s legitimate device login portal, where they are prompted to enter the provided device code and authenticate using their Microsoft account. Because the authentication interface is genuine, the process appears trustworthy and significantly increases the likelihood of user interaction.
The attack exploits Microsoft’s device code authentication mechanism, which is intended for devices that cannot easily perform standard web-based authentication, such as smart TVs, IoT devices, and command-line applications. In this campaign, the phishing infrastructure continuously communicates with the attacker’s backend while displaying a device code to the victim. Once the victim enters the code and completes authentication, an OAuth access token associated with the victim’s Microsoft 365 account is issued to the attacker-controlled device, enabling unauthorized access without requiring password theft.
Researchers observed several defense-evasion techniques within the phishing kit. These include the insertion of invisible Unicode characters into commonly flagged terms such as “Microsoft,” “account,” and “verify” to evade content-based detection mechanisms. Additional obfuscation techniques were also identified within the device code communication process to hinder analysis and detection.
The campaign generates a distinct network traffic pattern that includes visits to Microsoft’s authentication infrastructure followed by recurring communications between the phishing site and attacker-controlled servers. Security researchers noted that concurrent Microsoft authentication activity and periodic outbound communications from affected endpoints may indicate compromise.
Successful exploitation can result in unauthorized access to Microsoft 365 resources, including email, cloud storage, and other connected services. Because the attack abuses a legitimate authentication workflow and does not require credential theft, it can be more difficult for users and security controls to identify malicious activity.
Recommendation
Organizations and users are advised to take the following precautions to reduce exposure to this threat:
- Treat unsolicited device-code authentication requests and unexpected Microsoft sign-in prompts as suspicious, particularly when received through email attachments or links.
- Verify the legitimacy of requests before entering device codes into Microsoft’s device login portal.
- Monitor for unusual OAuth application approvals and unexpected account activity that may indicate unauthorized access.
- Review authentication logs for abnormal device code authentication events and investigate suspicious sign-in activity promptly.
- Implement appropriate access controls and authentication policies to restrict unnecessary device code authentication where operationally feasible.
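To make the log-review recommendation above concrete, here is an added example (not from the original advisory or from Microsoft) that triages exported sign-in records for device code authentications. It assumes records shaped like the Microsoft Graph `signIn` object, using the `authenticationProtocol`, `ipAddress`, `appDisplayName` and `status.errorCode` fields; the sample records and error values are constructed, so verify the field names against your own tenant's export before use.

```python
import json
from collections import defaultdict

# Constructed sample records loosely shaped like Microsoft Graph signIn objects.
# Field names are assumptions; check them against a real export.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-06-16T08:02:11Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-06-16T09:15:40Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-06-16T09:20:05Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 50126}},  # nonzero = failed (constructed)
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-06-16T07:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
])


def find_device_code_signins(raw_json):
    """Return device-code sign-ins, each tagged with a triage level.

    HIGH:   successful device-code sign-in from an IP the user never used in any
            other (non-device-code) sign-in in the data set: the token was issued
            to a client the user has no history with, the pattern in this campaign.
    MEDIUM: successful device-code sign-in from an IP already in the user's baseline.
    LOW:    device-code attempt that failed; worth noting, but not a takeover.
    """
    records = json.loads(raw_json)
    baseline_ips = defaultdict(set)  # per-user IPs seen on ordinary sign-ins
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline_ips[r["userPrincipalName"]].add(r["ipAddress"])
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        succeeded = r.get("status", {}).get("errorCode", 0) == 0
        level = "LOW" if not succeeded else ("HIGH" if ip not in baseline_ips[user] else "MEDIUM")
        findings.append({"user": user, "time": r["createdDateTime"], "ip": ip,
                         "app": r.get("appDisplayName", "?"), "level": level})
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['level']:6} {f['time']} {f['user']} {f['ip']} {f['app']}")
```

A HIGH finding should be correlated with the victim's mailbox for the estimate-approval lure and with proxy logs for the phishing page's recurring outbound traffic described above.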
Source
