Dec 19
Threat actors are increasingly targeting Microsoft 365 users with a phishing technique that abuses device code authorization to gain full account access, according to new research from Proofpoint. The method tricks users into entering attacker‑supplied device codes on Microsoft’s legitimate device login page, unintentionally approving OAuth access tokens for the attacker.
The campaigns—run by both state‑aligned and financially motivated groups—typically begin with emails sent from compromised or attacker‑controlled accounts. Lures range from salary‑related notifications to benign conversation starters, sometimes delivered through hijacked government or university email addresses. Victims are directed to click a link or scan a QR code, then enter a one‑time passcode on Microsoft’s device login site, believing it to be a routine authentication step.
Proofpoint notes that many users are unaware that entering these codes grants attackers control of their Microsoft 365 accounts. The firm reports a surge in the use of red‑team tools such as Squarephish, SquarephishV2, and the freely available Graphish phishing kit, which leverage Azure App Registrations and adversary‑in‑the‑middle infrastructure to create convincing, branded phishing pages.
Attackers need only register a domain, obtain an SSL certificate, and create a malicious Azure application to launch large‑scale OAuth‑based phishing campaigns. The tools include guidance for bypassing enterprise restrictions, lowering the technical barrier for less‑skilled actors.
To defend against these attacks, Proofpoint recommends organizations block device code flow through Conditional Access policies or restrict it to approved users, devices, or IP ranges. Additional protections can be enforced through device registration or Intune, ensuring sign‑ins originate only from compliant devices.
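The blocking and allow-listing that Proofpoint recommends can be mirrored on the detection side by hunting the sign-in logs for device code authentications that fall outside the approved users, IP ranges, or compliant devices. The following is an added example, not code from Proofpoint or from the article: it parses a handful of constructed sign-in records (field names modeled on the Microsoft Entra sign-in log export, with `authenticationProtocol` set to `deviceCode` for device code flow, `ipAddress`, and `deviceDetail.isCompliant`; all values are made up) and returns a finding for each successful device-code sign-in that came from an unapproved network or a non-compliant device.

```python
import ipaddress
import json

# Constructed sample sign-in records in JSON-lines form. The field names follow the
# Entra sign-in log schema as this example assumes it; every value is invented.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45", "appDisplayName": "Microsoft Office", "deviceDetail": {"isCompliant": false}, "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "10.20.30.40", "appDisplayName": "Azure CLI", "deviceDetail": {"isCompliant": true}, "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7", "appDisplayName": "Outlook", "deviceDetail": {"isCompliant": false}, "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "10.20.30.41", "appDisplayName": "Microsoft Office", "deviceDetail": {"isCompliant": false}, "status": {"errorCode": 0}}
{"userPrincipalName": "erin@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "appDisplayName": "Microsoft Office", "deviceDetail": {"isCompliant": false}, "status": {"errorCode": 50126}}
"""

# Networks from which device code sign-ins are tolerated (constructed example range).
APPROVED_RANGES = [ipaddress.ip_network("10.20.30.0/24")]


def parse_signins(jsonl_text):
    """Parse one JSON object per non-empty line; malformed lines are skipped."""
    records = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def in_approved_range(ip, ranges):
    """True if ip parses and lies inside any of the approved networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def device_code_findings(signins, approved_ranges, require_compliant=True):
    """Return a finding for every successful device-code sign-in that violates policy.

    A sign-in is flagged when it used the device code protocol and either came from
    an IP outside the approved ranges or (if require_compliant) from a device that is
    not marked compliant. Failed attempts (non-zero errorCode) are left out here.
    """
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue
        reasons = []
        ip = s.get("ipAddress", "")
        if not in_approved_range(ip, approved_ranges):
            reasons.append(f"ip {ip} outside approved ranges")
        if require_compliant and not s.get("deviceDetail", {}).get("isCompliant", False):
            reasons.append("device not compliant")
        if reasons:
            findings.append({
                "user": s.get("userPrincipalName"),
                "app": s.get("appDisplayName"),
                "ip": ip,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in device_code_findings(parse_signins(SAMPLE_SIGNIN_LOG), APPROVED_RANGES):
        print(f"{f['user']} via {f['app']} from {f['ip']}: {'; '.join(f['reasons'])}")
```

In the sample, only the sign-ins from outside the approved range or from non-compliant devices are reported; the compliant sign-in from inside the range is silent, and the failed attempt is ignored so the output stays focused on sign-ins that actually produced tokens. The same conditions are what a Conditional Access policy enforces preventively; this check is the retrospective view for log review.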
Proofpoint expects abuse of OAuth authentication flows to accelerate as more organizations adopt FIDO‑based MFA.
Executive IT Forums, Inc.
Copyright © 2025 Executive IT Forums, Inc. All Rights Reserved.