Mallory

OAuth Device Code and Malicious App Abuse to Gain Persistent Access in Microsoft Entra ID/Microsoft 365

Tags: oauth device code, malicious oauth app, device authorization grant, microsoft entra id, device code flow, microsoft 365, token theft, refresh tokens, oauth, consent phishing, onedrive, phishing, tenant persistence
Updated February 21, 2026 at 02:01 AM (4 sources)

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

Threat actors are increasingly abusing OAuth in Microsoft Entra ID and Microsoft 365 to obtain access/refresh tokens that provide durable access even when passwords are reset and MFA is enabled. Reported activity includes both (1) malicious OAuth app registrations and deceptive consent prompts that masquerade as legitimate “business integrations,” and (2) abuse of the OAuth 2.0 Device Authorization Grant (device code flow) where victims authenticate on Microsoft’s legitimate device login portal, making the intrusion harder to detect with credential-focused controls.
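To make the device code mechanism concrete, here is an offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) as it is abused in the campaigns above. This is an added teaching example, not code from the original page or from Microsoft: the DeviceCodeServer class stands in for the documented Microsoft devicecode and token endpoints, the verification URI is the real one the victim is sent to, and every client ID, user and token value is invented. It shows why the victim never meets an attacker-hosted page: the only thing the lure carries is a short user code, and the tokens are released to whichever client is polling with the matching device code.

```python
"""Offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628)
as abused in device-code phishing. Added example: DeviceCodeServer is a stand-in
for the documented Microsoft endpoints (.../oauth2/v2.0/devicecode and
.../oauth2/v2.0/token), not Microsoft code; all IDs, users and tokens are invented."""
import secrets


class FakeClock:
    """Deterministic clock so code expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class DeviceCodeServer:
    """Minimal RFC 8628 state machine: issue a code pair, let a user approve the
    user_code, hand tokens to the client polling with the matching device_code."""

    def __init__(self, clock, expires_in=900, interval=5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self.pending = {}  # device_code -> authorization record

    def _fresh(self, rec):
        return self.clock.now - rec["issued"] <= self.expires_in

    def device_authorization(self, client_id, scope):
        # Step 1: the (attacker-operated) client asks for a code pair.
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()  # format is illustrative only
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "issued": self.clock.now,
                                     "approved_by": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.expires_in, "interval": self.interval}

    def user_approves(self, user_code, user, mfa_passed):
        # Step 2: the victim types the user_code on the legitimate portal and
        # completes MFA. Nothing here tells the victim who is polling.
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None and self._fresh(rec):
                if not mfa_passed:
                    return False
                rec["approved_by"] = user
                return True
        return False

    def token(self, client_id, device_code):
        # Step 3: the client polls the token endpoint with its device_code.
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not self._fresh(rec):
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),
                "subject": rec["approved_by"]}


def run_device_code_phish(server, victim, victim_enters_code, delay_seconds=60):
    """Attacker side of the lure: obtain a code pair, 'send' the user_code to the
    victim, then poll. Returns the token response or the last error response."""
    client_id = "00000000-0000-0000-0000-00000000c0de"  # assumed client ID
    dc = server.device_authorization(client_id, "openid offline_access Mail.Read")
    lure = f"Enter {dc['user_code']} at {dc['verification_uri']}"  # all the victim sees
    server.clock.advance(delay_seconds)
    if victim_enters_code:
        server.user_approves(dc["user_code"], victim, mfa_passed=True)
    resp = server.token(client_id, dc["device_code"])
    resp["lure"] = lure
    return resp


if __name__ == "__main__":
    srv = DeviceCodeServer(FakeClock())
    print(run_device_code_phish(srv, "victim@contoso.example", victim_enters_code=True))
```

The refresh token comes back tied to the approving user, with offline_access requested, which is the durable foothold the page describes; the victim's MFA challenge was completed on the genuine portal, so credential-focused controls see a normal sign-in.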

Multiple reports describe campaigns targeting business users and organizations (including the technology, manufacturing, and financial sectors) to reach resources such as Outlook, Teams, and OneDrive, and to perform mailbox actions and data access under what looks like legitimate application activity. Research and incident reporting highlight two persistence properties: once a user grants consent, a service principal for the attacker's app is created in the victim tenant, and some integrations keep working even if the consenting user is later disabled. Separate reporting describes device-code vishing and phishing that leverages legitimate Microsoft OAuth client IDs and the standard login workflow to capture tokens without any attacker-hosted phishing page; one source attributes that vishing activity to ShinyHunters, which Microsoft had not confirmed at the time of reporting.

Related Stories

Phishing Attacks Exploiting OAuth Device Code Authorization for Microsoft 365 Account Takeover

Threat actors are increasingly leveraging OAuth 2.0 device code authorization flows to compromise Microsoft 365 accounts through sophisticated phishing campaigns. Proofpoint researchers have observed both state-aligned and financially motivated groups using social engineering tactics to trick users into granting access to malicious applications, resulting in account takeovers, data exfiltration, and broader SaaS supply chain abuse. Attackers initiate these campaigns with phishing messages containing URLs or QR codes that, when followed, prompt users to authorize access for rogue applications, ultimately handing over OAuth tokens to the adversaries. Industry analysis highlights that identity-first intrusions, including device code flow phishing and illicit OAuth consent, have driven significant data breaches and business email compromise incidents in 2025. Notable cases include the exploitation of connected apps to exfiltrate data from Salesforce tenants and major financial impacts on organizations such as Marks & Spencer. Security experts recommend enforcing phishing-resistant MFA, governing OAuth consent, and deprecating device code flows where feasible to mitigate these risks. Regulatory changes are also pushing organizations to strengthen identity and SaaS governance in response to these evolving threats.

2 months ago
Microsoft Reports OAuth Redirect Abuse Used to Deliver Malware to Government Targets

Microsoft reported phishing campaigns targeting **government and public-sector organizations** that abuse legitimate **OAuth redirect** behavior in identity providers (including **Microsoft Entra ID** and **Google Workspace**) to send victims from seemingly benign authorization URLs to attacker-controlled infrastructure. The technique does not rely on exploiting a software vulnerability or stealing OAuth tokens; instead, attackers register a **malicious OAuth application** in a tenant they control, then send victims an OAuth link that triggers an error flow (e.g., via an intentionally invalid scope) to force a redirect to a rogue domain hosting malware. Microsoft said the delivered payloads have included **ZIP archives** that lead to execution chains involving **LNK-based execution**, **PowerShell**, and **DLL side-loading**, consistent with follow-on hands-on-keyboard or pre-ransomware activity. Microsoft stated it disabled the identified malicious OAuth applications in Entra ID, but warned that **related OAuth abuse activity persists** and requires continued monitoring. Reported lures used in the phishing emails included e-signature requests, access to *Teams* meeting recordings, Microsoft 365 password reset instructions, and political themes; Microsoft also observed indicators consistent with the use of free mass-mailing tools and custom tooling (including **Python** and **Node.js**) to distribute the campaigns and deliver malware capable of endpoint takeover.

1 week ago
MFA Bypass via Phishing and Authentication Abuse (OAuth Device Code, Vishing Kits, and OTP Bombing)

Threat researchers reported multiple **MFA-bypass** techniques being operationalized against enterprise users, with a notable focus on Microsoft 365 and common authentication workflows. KnowBe4 Threat Labs described an active phishing campaign targeting North American organizations that abuses the **OAuth 2.0 Device Authorization Grant** (`microsoft.com/devicelogin`) to trick users into entering an attacker-supplied device code on a legitimate Microsoft page; after the user completes MFA, the attacker obtains valid **OAuth access/refresh tokens**, enabling persistent access to M365 services (e.g., Outlook, Teams, OneDrive/SharePoint) without stealing passwords. Recommended mitigations included auditing newly consented OAuth apps, hunting for related email lure patterns, and considering disabling the device code flow via Conditional Access. Separately, Okta warned of emerging **voice-phishing (vishing) kits** that provide real-time, client-side “session orchestration,” allowing attackers to dynamically change phishing pages while on a phone call to coax victims into approving push prompts or providing OTPs; captured credentials are commonly exfiltrated to attacker-controlled channels (e.g., Telegram) and then replayed against legitimate sign-in flows. Cyble also documented the continued evolution of **SMS/OTP (and voice) bombing** ecosystems, highlighting automated, API-driven abuse of authentication endpoints across multiple sectors and regions, with tooling maturing into cross-platform applications and adding evasion features—activity that can facilitate social engineering and account takeover by overwhelming users with authentication messages or calls.
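The mitigations above call for hunting device-code sign-ins and auditing newly consented apps together. The following is an added example of that correlation, not code from the page or from any vendor: the record shapes follow the Microsoft Graph signIn and directoryAudit resources (authenticationProtocol == "deviceCode" marks an RFC 8628 sign-in), but all users, apps, IP addresses, the trusted network range and the set of audit operation names are constructed for this demo and should be tuned to what your tenant actually emits.

```python
"""Hunt for device-code sign-ins followed by app consent or service principal
creation. Added example (not from the page or from Microsoft): record shapes
follow the Graph signIn / directoryAudit resources; all values are invented."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (field names real, every value invented).
SIGNINS = [
    {"id": "s1", "createdDateTime": "2026-02-10T09:12:00Z",
     "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Example Desktop Client",
     "appId": "11111111-1111-1111-1111-111111111111",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"id": "s2", "createdDateTime": "2026-02-10T09:15:00Z",
     "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Example Web Portal",
     "appId": "22222222-2222-2222-2222-222222222222",
     "authenticationProtocol": "oAuth2", "ipAddress": "10.1.2.3"},
    {"id": "s3", "createdDateTime": "2026-02-10T11:40:00Z",
     "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Example CLI Tool",
     "appId": "33333333-3333-3333-3333-333333333333",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20"},
]
AUDITS = [
    {"id": "a1", "activityDateTime": "2026-02-10T09:20:00Z",
     "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Business Integration Sync", "type": "ServicePrincipal"}]},
    {"id": "a2", "activityDateTime": "2026-02-10T09:20:05Z",
     "activityDisplayName": "Add service principal",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Business Integration Sync", "type": "ServicePrincipal"}]},
    {"id": "a3", "activityDateTime": "2026-02-09T08:00:00Z",  # day before: out of window
     "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Old Approved App", "type": "ServicePrincipal"}]},
]

# Audit operations that mean an app gained a foothold (assumed set; tune it).
CONSENT_EVENTS = {"Consent to application", "Add service principal",
                  "Add delegated permission grant"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate egress


def parse_ts(s):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def device_code_signins(signins):
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def consent_after(signin, audits, window):
    """Consent/service-principal audit events by the same user within window."""
    start = parse_ts(signin["createdDateTime"])
    upn = signin["userPrincipalName"].lower()
    hits = []
    for a in audits:
        actor = a.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
        if actor.lower() != upn or a.get("activityDisplayName") not in CONSENT_EVENTS:
            continue
        delta = parse_ts(a["activityDateTime"]) - start
        if timedelta(0) <= delta <= window:
            hits.append(a)
    return hits


def hunt(signins, audits, window_minutes=60):
    """Rank device-code sign-ins: high if the user then consented to an app,
    medium if the sign-in came from an untrusted network, low otherwise."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for s in device_code_signins(signins):
        consents = consent_after(s, audits, window)
        if consents:
            severity = "high"
        elif not is_trusted(s["ipAddress"]):
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "signin_id": s["id"], "user": s["userPrincipalName"],
            "app": s["appDisplayName"], "ip": s["ipAddress"], "severity": severity,
            "apps_consented": sorted({r["displayName"] for a in consents
                                      for r in a["targetResources"]}),
        })
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in hunt(SIGNINS, AUDITS):
        print(f"[{f['severity']}] {f['user']} via {f['app']} from {f['ip']}"
              f" -> consented to: {f['apps_consented'] or 'nothing'}")
```

Feed real exports from the Graph sign-in and audit log endpoints in place of the constructed lists; the correlation window and the trusted ranges are the two knobs that decide how noisy the output is, and a tenant that has already blocked device code flow via Conditional Access should see the device-code list itself go to zero.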

1 month ago
