
Microsoft 365 accounts targeted in wave of OAuth phishing attacks

Published:

19 December 2025 at 17:19:04

Alert date:

19 December 2025 at 18:02:17

Source:

bleepingcomputer.com


Cloud & Virtualization, Identity & Access, Enterprise Applications, Email & Messaging

Multiple threat actors are compromising Microsoft 365 accounts with phishing that abuses the OAuth 2.0 device authorization grant (the "device code flow"). Victims are lured into entering an attacker-generated code on Microsoft's legitimate device-login page, which binds their genuine sign-in to an attacker-controlled client and lets that client obtain tokens for the account. The technique is effective because the attacker never handles the password and the victim satisfies MFA on a real Microsoft page, so credential-theft controls do not fire; the access and refresh tokens issued to the attacker's client give persistent access to corporate mail and data.

Technical details

Multiple threat actors are compromising Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant. The attacker's client requests a device code from Entra ID and sends the victim the accompanying short user code, dressed up as a one-time password or a "re-authorize your token" notification, sometimes as a QR code. The victim enters it on Microsoft's legitimate device login page (microsoft.com/devicelogin) and signs in there, MFA included; that sign-in is bound to the attacker's pending request, and the attacker's client receives an access token and, with the offline_access scope, a refresh token for the victim's account. No password is stolen and no MFA is bypassed: the victim authenticates normally, just on behalf of the wrong application. Two kits are in use: SquarePhish v1/v2, a publicly available red-teaming tool that delivers device-code lures via QR codes, and Graphish, a malicious phishing kit supporting OAuth abuse, Azure app registrations and adversary-in-the-middle attacks. Because an Entra device code expires 15 minutes after it is issued, the lure only works if the victim acts within that window while the attacker's client is polling the token endpoint.
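The exchange described above, as an added example that is not part of the original article or of either kit: a mock of the OAuth 2.0 device authorization grant (RFC 8628) in the shape Microsoft Entra ID exposes it, driven through one phishing chain. The endpoint names, response fields and error strings follow the real protocol; the server class, the placeholder client_id and the victim address are constructed stand-ins, not a real tenant.

```python
"""Mock of the OAuth 2.0 device authorization grant as used in device-code
phishing.  Endpoint and field names mirror Entra ID's /devicecode and /token
responses; the server, client_id and victim are constructed stand-ins."""
import secrets
import time

DEVICE_CODE_TTL = 900       # Entra device codes expire 15 minutes after issue
POLL_INTERVAL = 5           # "interval": seconds the client must wait between /token polls
VERIFICATION_URI = "https://microsoft.com/devicelogin"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class MockAuthorizationServer:
    """Stand-in for the tenant's /devicecode and /token endpoints."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised
        self._pending = {}         # device_code -> pending authorization

    def devicecode(self, client_id, scope):
        """POST /oauth2/v2.0/devicecode -- sent by the ATTACKER's client."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "issued": self._now(), "user": None,
        }
        return {
            "device_code": device_code,        # secret; stays with the attacker
            "user_code": user_code,            # goes into the lure (mail, QR code)
            "verification_uri": VERIFICATION_URI,
            "expires_in": DEVICE_CODE_TTL,
            "interval": POLL_INTERVAL,
            "message": (f"To sign in, use a web browser to open the page "
                        f"{VERIFICATION_URI} and enter the code {user_code} to authenticate."),
        }

    def devicelogin(self, user_code, authenticated_user):
        """The VICTIM types the user_code at the real verification URI and
        completes password + MFA there.  Only the resulting identity is bound
        to the pending code; the password never reaches the attacker."""
        for entry in self._pending.values():
            if entry["user_code"] == user_code and entry["user"] is None:
                if self._now() - entry["issued"] > DEVICE_CODE_TTL:
                    return {"error": "expired_token"}
                entry["user"] = authenticated_user
                return {"status": "approved", "client_id": entry["client_id"]}
        return {"error": "invalid_user_code"}

    def token(self, client_id, device_code):
        """POST /oauth2/v2.0/token with
        grant_type=urn:ietf:params:oauth:grant-type:device_code -- the ATTACKER polls."""
        entry = self._pending.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self._now() - entry["issued"] > DEVICE_CODE_TTL:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {
            "token_type": "Bearer",
            "scope": entry["scope"],
            "expires_in": 3600,
            "access_token": f"mock-access-token-for-{entry['user']}",
            "refresh_token": secrets.token_urlsafe(48),  # persistence after the phish
        }


def run_attack(server, lure_accepted=True):
    """Drive one phishing chain and return what the attacker holds at each step."""
    client_id = "00000000-0000-0000-0000-000000000000"   # placeholder, assumed
    start = server.devicecode(client_id, "openid profile offline_access Mail.Read")
    first_poll = server.token(client_id, start["device_code"])   # nobody has approved yet
    if lure_accepted:   # victim takes user_code for an "OTP" and enters it on the real page
        server.devicelogin(start["user_code"], "victim@example.com")
    final = server.token(client_id, start["device_code"])
    return {"user_code": start["user_code"], "first_poll": first_poll, "final": final}


if __name__ == "__main__":
    outcome = run_attack(MockAuthorizationServer())
    print("lure code:", outcome["user_code"])
    print("before victim acts:", outcome["first_poll"])
    print("after victim acts:", {k: outcome["final"][k] for k in ("token_type", "scope")})
```

The point to take from the mock is where each secret lives: the password and the MFA prompt stay between the victim and the real Microsoft page, while the device_code, and therefore the tokens, belong to the attacker's client from the start. The clock injection shows the other operational constraint: once the 15-minute window closes, both the victim's entry and the attacker's poll fail with expired_token.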

Mitigation steps:

Block the device code flow for users who do not need it with the Microsoft Entra Conditional Access "Authentication flows" condition, and scope any exception to the few accounts (for example build agents) that legitimately use it.
Add a Conditional Access policy on sign-in origin (named locations or trusted networks) so that a device-code sign-in from an unexpected location is blocked rather than merely logged.
Restrict user consent to applications so that an attacker-registered app, as Graphish supports, cannot be granted permissions by the victim alone.
Hunt for sign-ins whose authentication protocol is device code and review the application and location involved; for a confirmed compromise, revoke the user's sign-in sessions so that any refresh token the attacker holds stops working, and remove any attacker-registered app from the user's consented applications.
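The hunting step above, as an added example that is not part of the original advisory: a triage of Entra ID sign-in records for device-code abuse. The records are constructed NDJSON whose field names follow the Microsoft Graph signIn resource (authenticationProtocol, appId, ipAddress, location.countryOrRegion, status.errorCode); the app allowlist and the country-baseline heuristic are assumptions to tune per tenant, not Microsoft guidance.

```python
"""Triage of Entra ID sign-in records for device-code abuse.  Records are
constructed; field names follow the Microsoft Graph `signIn` resource.  The
allowlist and the baseline heuristic are assumptions, not Microsoft guidance."""
import json
from collections import defaultdict

# Apps that legitimately use device code flow in this tenant (assumed values).
# Key on appId, not appDisplayName: an attacker-registered app can pick any name.
EXPECTED_DEVICE_CODE_APPS = {"11111111-aaaa-4bbb-8ccc-000000000001"}

# Constructed sample, one sign-in per line, in the shape of a Graph signIns export.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2025-12-19T08:02:11Z","userPrincipalName":"alice@example.com","appId":"22222222-bbbb-4ccc-8ddd-000000000002","appDisplayName":"Mail client","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-12-19T12:41:57Z","userPrincipalName":"alice@example.com","appId":"33333333-cccc-4ddd-8eee-000000000003","appDisplayName":"Mail client","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-12-19T13:05:30Z","userPrincipalName":"build-bot@example.com","appId":"11111111-aaaa-4bbb-8ccc-000000000001","appDisplayName":"Build runner","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.40","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-12-19T13:20:02Z","userPrincipalName":"bob@example.com","appId":"44444444-dddd-4eee-8fff-000000000004","appDisplayName":"CLI tool","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.55","location":{"countryOrRegion":"NL"},"status":{"errorCode":50076}}
"""


def parse_signins(ndjson):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def user_baseline_countries(records):
    """Countries each user has successfully signed in from WITHOUT device code
    flow: a crude 'where does this person normally authenticate' baseline."""
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return baseline


def triage_device_code_signins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return one finding per device-code sign-in, in log order."""
    baseline = user_baseline_countries(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        reasons = []
        if r["appId"] not in expected_apps:
            reasons.append("app is not an expected device-code client")
        usual = baseline.get(r["userPrincipalName"])
        if usual and r["location"]["countryOrRegion"] not in usual:
            reasons.append("country differs from the user's interactive sign-ins")
        succeeded = r["status"]["errorCode"] == 0
        if reasons and succeeded:
            severity = "high"      # tokens were issued: revoke sessions, investigate
        elif reasons:
            severity = "medium"    # failed, but a lure may still be in flight
        else:
            severity = "info"      # known device-code consumer, nothing unusual
        findings.append({
            "time": r["createdDateTime"],
            "user": r["userPrincipalName"],
            "appId": r["appId"],
            "ip": r["ipAddress"],
            "succeeded": succeeded,
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"{f['severity']:6} {f['time']} {f['user']:24} {f['ip']:15} "
              f"{'; '.join(f['reasons']) or 'expected'}")
```

Run it as-is and the second record (a successful device-code sign-in for alice from a country she has never used interactively, through an app outside the allowlist) comes out as high; the build account through its allowlisted app is info only. Feed it a real export instead of SAMPLE_SIGNIN_LOG and the same three checks apply; the allowlist is the part that needs a few weeks of your own logs before it is trustworthy.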

Affected products:

Microsoft 365
Microsoft OneDrive
LinkedIn
DocuSign


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
