Instead of attacking login pages with fake forms, the operators trick victims into completing a real sign‑in process on Microsoft’s own device login portal, which makes the attack harder for both users and basic security tools to spot.
Once successful, the attackers can quietly read, send, and manage emails and files, posing a serious risk to internal communication and sensitive documents.
KnowBe4 Threat Labs researchers identified this campaign in late 2025, tracking how the attackers combined realistic phishing emails with the OAuth 2.0 Device Authorization Grant flow to bypass even strong passwords and Multi‑Factor Authentication.
Their analysis shows that the threat actors rely heavily on convincing social engineering, using themes such as payment confirmations, bonus-related documents, and voicemail alerts to lure busy professionals into taking quick action.
Because the victim completes the login on a legitimate Microsoft page, many people believe the process is safe, even though they are ultimately granting access to a rogue application controlled by the attackers.
Attack flow
Once the user enters the attacker‑supplied device code on the Microsoft device login page, the Microsoft identity platform issues valid OAuth access and refresh tokens tied to the victim’s account, which the attacker then captures in real time.
These tokens let the intruders maintain persistent access, often without raising obvious red flags in traditional credential‑focused monitoring.
Affected organizations may see unauthorized mailbox actions, file access, and potential data exfiltration, all performed under what appears to be a legitimate user context.
This attack flow illustrates the complete attack chain, from the initial phishing lure through device code abuse to token theft and long‑term account access.
The heart of this campaign is its misuse of the OAuth Device Authorization Grant flow, which is designed for devices with limited input options but is repurposed here to sidestep normal defenses.
First, the attacker registers an OAuth application in Microsoft 365 and generates a unique device code mapped to that app.
This code is then embedded in tailored phishing emails that direct victims to an attacker‑controlled landing page, where the user is prompted to enter their email and follow “secure authentication” steps.
After the victim is instructed to visit the legitimate microsoft.com/devicelogin portal and submit the provided code, the attackers continuously poll the token endpoint and immediately hijack the issued OAuth access and refresh tokens once Microsoft approves the session.
To reduce risk, security teams are advised to block known malicious domains and cloud storage URLs linked to this campaign, hunt email logs for identified sender addresses and subject patterns, and urgently audit recently consented OAuth applications for suspicious entries.
Where business needs allow, administrators should consider disabling the device code flow entirely or tightly restricting it through Conditional Access policies, while also reviewing Azure AD sign‑in logs for unusual device code activity and geographic anomalies.
These steps, combined with ongoing user awareness around urgent payment notices, unexpected document shares, and voicemail alerts, can help organizations detect and contain similar OAuth token theft attempts before they cause deeper damage.
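The sign-in log review recommended above can be scripted. The following is an added example, not code from the KnowBe4 report or from Microsoft; it flags successful device code sign-ins that either use an application not on a tenant's expected list or come from a country the user has not signed in from via any other flow. It assumes records exported from Entra ID sign-in logs in the Microsoft Graph signIn shape, with authenticationProtocol set to "deviceCode" for the device code flow; the log lines and the expected-app list are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph signIn objects
# (assumption: Entra ID reports the device code flow as
# authenticationProtocol == "deviceCode"; field names as in the Graph schema).
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2025-11-03T08:02:11Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-03T09:15:40Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-04T14:21:05Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Secure Document Viewer","location":{"countryOrRegion":"NG"},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-04T10:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-04T10:30:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-05T11:00:00Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Voicemail Portal","location":{"countryOrRegion":"DE"},"status":{"errorCode":50126}}
"""

# Applications for which the device code flow is legitimately expected in this
# tenant (constructed allowlist; tune to your own admin tooling).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI", "Microsoft Azure PowerShell"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious_device_code_signins(records):
    """Return (user, app, country, reasons) for successful device code sign-ins
    that use an unexpected app or originate from a country the user has never
    signed in from via any other flow within the same log window."""
    baseline = defaultdict(set)  # user -> countries seen in non-device-code sign-ins
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # only a successful device code grant yields usable tokens
        user, app = r["userPrincipalName"], r["appDisplayName"]
        country = r["location"]["countryOrRegion"]
        reasons = []
        if app not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("unexpected app")
        if country not in baseline[user]:
            reasons.append("new country")
        if reasons:
            findings.append((user, app, country, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG)):
        print("REVIEW:", finding)
```

On the sample data only alice's sign-in is reported (unknown app, first sign-in from NG); bob's Azure CLI use from his usual country and carol's failed attempt are not.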
The post Ongoing Campaign Targets Microsoft 365 to Steal OAuth Tokens and Gain Persistent Access appeared first on Cyber Security News.