MFA Bypass via Phishing and Authentication Abuse (OAuth Device Code, Vishing Kits, and OTP Bombing)
Threat researchers reported multiple MFA-bypass techniques being operationalized against enterprise users, with a notable focus on Microsoft 365 and common authentication workflows. KnowBe4 Threat Labs described an active phishing campaign targeting North American organizations that abuses the OAuth 2.0 Device Authorization Grant (microsoft.com/devicelogin) to trick users into entering an attacker-supplied device code on a legitimate Microsoft page; after the user completes MFA, the attacker obtains valid OAuth access/refresh tokens, enabling persistent access to M365 services (e.g., Outlook, Teams, OneDrive/SharePoint) without stealing passwords. Recommended mitigations included auditing newly consented OAuth apps, hunting for related email lure patterns, and considering disabling the device code flow via Conditional Access.
Separately, Okta warned of emerging voice-phishing (vishing) kits that provide real-time, client-side “session orchestration,” allowing attackers to dynamically change phishing pages while on a phone call to coax victims into approving push prompts or providing OTPs; captured credentials are commonly exfiltrated to attacker-controlled channels (e.g., Telegram) and then replayed against legitimate sign-in flows. Cyble also documented the continued evolution of SMS/OTP (and voice) bombing ecosystems, highlighting automated, API-driven abuse of authentication endpoints across multiple sectors and regions, with tooling maturing into cross-platform applications and adding evasion features—activity that can facilitate social engineering and account takeover by overwhelming users with authentication messages or calls.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
KnowBe4 publishes technical details and mitigations for M365 phishing campaign
KnowBe4 publicly detailed the ongoing Microsoft 365 device-code phishing campaign, including lures, indicators of compromise, and defensive guidance such as revoking suspicious OAuth consents, monitoring device-code sign-ins, blocking malicious domains, and considering disabling device code flow. The report emphasized that the campaign bypasses MFA because token theft occurs after successful authentication.
Okta warns of phishing kits enabling real-time vishing MFA bypass
Okta researchers described phishing kits that let attackers control a victim's browser session in real time during phone-based social engineering, helping them capture credentials and guide victims through MFA prompts. The kits dynamically adapt phishing pages to the victim's authentication flow and forward stolen credentials to attackers, including via Telegram.
Cyble discloses widespread abuse of poorly protected OTP APIs
Cyble said it catalogued about 843 authentication and OTP API endpoints from legitimate organizations that allegedly lacked sufficient rate limiting or CAPTCHA protections, enabling high-volume automated abuse. The observed targeting was concentrated in Iran and India and spanned sectors including telecom, finance, e-commerce, ride-hailing, and government services.
SMS/OTP bombing ecosystem remains under active development into early 2026
Cyble Research and Intelligence Labs reported that SMS, OTP, and voice bombing tooling continued evolving through late 2025 and into early 2026 from simple scripts into more professionalized tools. The researchers observed actively maintained repositories, desktop apps, Telegram bot interfaces, and high-performance implementations with evasion features such as proxy rotation and SSL/TLS verification bypass.
M365 device-code phishing campaign first observed
KnowBe4 Threat Labs said a phishing campaign abusing Microsoft 365's OAuth 2.0 Device Authorization Grant flow was first observed in December 2025. The activity targeted North American businesses, especially in the United States, to steal OAuth access and refresh tokens after victims completed legitimate login and MFA steps.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA
blog.knowbe4.com
Open sourceVoice Phishing Kits Give Threat Actors Real-Time Control Over Attacks
blog.knowbe4.com
Open sourceSMS & OTP Bombing
cyble.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Attacks Exploiting OAuth Device Code Authorization for Microsoft 365 Account Takeover
Threat actors are increasingly leveraging OAuth 2.0 device code authorization flows to compromise Microsoft 365 accounts through sophisticated phishing campaigns. Proofpoint researchers have observed both state-aligned and financially motivated groups using social engineering tactics to trick users into granting access to malicious applications, resulting in account takeovers, data exfiltration, and broader SaaS supply chain abuse. Attackers initiate these campaigns with phishing messages containing URLs or QR codes that, when followed, prompt users to authorize access for rogue applications, ultimately handing over OAuth tokens to the adversaries. Industry analysis highlights that identity-first intrusions, including device code flow phishing and illicit OAuth consent, have driven significant data breaches and business email compromise incidents in 2025. Notable cases include the exploitation of connected apps to exfiltrate data from Salesforce tenants and major financial impacts on organizations such as Marks & Spencer. Security experts recommend enforcing phishing-resistant MFA, governing OAuth consent, and deprecating device code flows where feasible to mitigate these risks. Regulatory changes are also pushing organizations to strengthen identity and SaaS governance in response to these evolving threats.
May 15, 2026
OAuth Device Code and Malicious App Abuse to Gain Persistent Access in Microsoft Entra ID/Microsoft 365
Threat actors are increasingly abusing **OAuth** in *Microsoft Entra ID* and *Microsoft 365* to obtain **access/refresh tokens** that provide durable access even when passwords are reset and MFA is enabled. Reported activity includes both (1) **malicious OAuth app** registrations and deceptive consent prompts that masquerade as legitimate “business integrations,” and (2) abuse of the **OAuth 2.0 Device Authorization Grant** (device code flow) where victims authenticate on Microsoft’s legitimate device login portal, making the intrusion harder to detect with credential-focused controls. Multiple reports describe campaigns targeting business users and organizations (including technology, manufacturing, and financial sectors) to access resources such as **Outlook, Teams, and OneDrive** and to enable mailbox actions and data access under seemingly legitimate application activity. Research and incident reporting highlight that attackers can persist via **service principals** created in victim tenants after consent is granted, and that some integrations may remain effective even if the consenting user is later disabled; separate reporting also describes **device-code vishing/phishing** that leverages legitimate Microsoft OAuth client IDs and standard login workflows to capture tokens without attacker-hosted phishing pages, with one source attributing the vishing activity to **ShinyHunters** (unconfirmed by Microsoft at the time of reporting).
Mar 21, 2026
Okta Warns of Real-Time Vishing Phishing Kits Targeting SSO and MFA
Okta reported that threat actors are using and selling custom **voice-phishing (vishing) kits** that enable helpdesk-style social engineering to steal credentials and bypass MFA for **Okta SSO** and other identity providers, including **Google** and **Microsoft**. The kits are offered “as a service” on dark web forums and messaging platforms and are designed to closely mimic legitimate identity-provider authentication flows, making the victim experience appear authentic during a live phone call. Unlike static phishing pages, the kits function as **adversary-in-the-middle** platforms that let attackers monitor a victim’s session in real time and dynamically change what the victim sees (e.g., dialogs prompting for credentials or MFA approval) as the call progresses. Okta said operators typically conduct reconnaissance on targeted employees (names, applications used, and IT/helpdesk phone numbers), then call victims—often with spoofed corporate/helpdesk numbers—while guiding them through a tailored phishing page; captured credentials and MFA responses are relayed to the attacker to complete login and enable downstream **data theft and extortion** activity, echoing prior “IT support call” tradecraft associated with **Scattered Spider-like** intrusions.
May 15, 2026