Warning issued as surge in OAuth device code phishing leads to M365 account takeovers
Successful attacks enable full M365 account access, opening the door to data theft, lateral movement, and persistent compromise
Cybersecurity researchers at Proofpoint have issued a warning over a surge in Microsoft 365 account takeovers through abuse of OAuth device code authorization.
This legitimate Microsoft login process is now being weaponized by both cyber criminal and state-aligned actors, who are tricking users into entering a device code on Microsoft’s real login page - instantly granting unauthorized access.
Proofpoint said the trend signals a major evolution in phishing, shifting attacks away from passwords and towards abusing trusted authentication flows.
Attacks start with an initial message containing a URL embedded behind a button, as hyperlinked text, or within a QR code. Once visited, it initiates an attack sequence leveraging the legitimate Microsoft device authorization process.
The user is shown a device code presented as a one-time password (OTP) and is directed to enter it at Microsoft’s verification URL. Once this is done, the original token is validated, giving the threat actor access to the targeted Microsoft 365 account.
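One defensive consequence of the flow described above: the victim types the code into Microsoft's genuine verification page, so the sign-in itself succeeds, but the resulting token is redeemed by whichever client requested the code, which in a phishing campaign is the attacker's host. The successful sign-in therefore carries the device code protocol together with an IP address and often an application the user has never used before. The following triage script is an added example written for this article, not code from Proofpoint, Microsoft or the reporting; the event records are constructed and use a simplified subset of Microsoft Entra sign-in log fields (the real logs label the device authorization grant as `authenticationProtocol == "deviceCode"`), and the exact field names and baselines should be treated as assumptions to map onto your own export.

```python
"""Flag suspicious OAuth device code sign-ins in Microsoft 365 sign-in telemetry.

Added illustration; not code from Proofpoint, Microsoft or the article. The
event records are CONSTRUCTED and approximate a subset of Microsoft Entra
sign-in log fields. Field names are assumptions; adapt them to your export.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "Contoso Meeting Room Display", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "appDisplayName": "OfficeHome", "authenticationProtocol": "none", "ipAddress": "203.0.113.22", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.78", "status": {"errorCode": 70016}}
"""

# Constructed baselines (assumptions for this example): IP addresses each user
# has previously signed in from, and the applications that legitimately use
# device code flow in this tenant (for example shared-display devices).
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.11"},
}
ALLOWED_DEVICE_CODE_APPS = {"Contoso Meeting Room Display"}


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    ip: str
    reasons: tuple[str, ...]


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_device_code(events: list[dict], known_ips: dict, allowed_apps: set) -> list[Finding]:
    """Return successful device code sign-ins that deserve analyst review.

    Only successful sign-ins matter: a failed or still-pending device code
    exchange grants no access. A successful one is flagged when the client
    application is not approved for device code flow in this tenant, or when
    the token was redeemed from an IP address the user has never used.
    """
    findings: list[Finding] = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed/pending attempts do not grant access
        user = ev.get("userPrincipalName", "")
        app = ev.get("appDisplayName", "")
        ip = ev.get("ipAddress", "")
        reasons = []
        if app not in allowed_apps:
            reasons.append(f"app {app!r} is not approved for device code flow")
        if ip not in known_ips.get(user, set()):
            reasons.append(f"token redeemed from IP {ip}, never seen for this user")
        if reasons:
            findings.append(Finding(user, app, ip, tuple(reasons)))
    return findings


def run_sample() -> list[Finding]:
    """Run the triage over the constructed sample events and baselines."""
    return triage_device_code(parse_events(SAMPLE_EVENTS), KNOWN_IPS, ALLOWED_DEVICE_CODE_APPS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"REVIEW {f.user} app={f.app!r} ip={f.ip}")
        for r in f.reasons:
            print(f"  - {r}")
```

On the sample data only Bob's sign-in is flagged: it used the device code grant through an application not approved for that flow and was redeemed from an address outside his baseline. Alice's sign-in matches an approved device code application from a known address, Carol's was an ordinary browser sign-in, and Dave's exchange never completed. In practice the per-user IP baseline would come from historical sign-in data rather than a hand-written dictionary, and the allow-list of device code applications is the control worth tightening: the fewer applications permitted to use the flow, the smaller the surface this phishing technique has.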
"While this is not necessarily a novel technique, it is notable to see it used increasingly by multiple threat clusters including a tracked cybercriminal threat actor, TA2723," the researchers said.
"Proofpoint threat researchers have identified a malicious application for sale on hacking forums, which could be used for this type of campaign."
Meanwhile, some red team tools, such as Squarephish and SquarephishV2, can be used for this type of attack, helping to mitigate the short-lived nature of device codes and enabling larger campaigns than were previously possible.
In one example, researchers identified a campaign that used a shared document reminder alert to trick users into clicking a Google Share URL hyperlinked as text, to access a fictitious document called “Salary Bonus + Employer Benefit Reports 25”.
The URL leads to an attacker-controlled website whose domain is localized to the visitor’s IP address and which displays the targeted company’s branding.
The website then prompts the user to enter their email address and go through an authentication process that includes a code which, when entered on the Microsoft-provided OAuth page, gives the threat actor access to the user’s Microsoft 365 account.
Proofpoint attributes this activity to TA2723, a financially motivated, high-volume credential phishing threat actor notable for campaigns spoofing Microsoft OneDrive, LinkedIn, and DocuSign. Proofpoint has observed the group conducting OAuth device code phishing since October.
But the technique is in use by other state-aligned actors, too, including UNK_AcademicFlare.
Since September, the Russia-linked group has been using compromised email addresses belonging to multiple government and military organizations to target bodies within government, think tanks, and the higher education and transportation sectors in the US and Europe.
Earlier this year, Volexity said it had identified several campaigns using the same techniques and carried out by Russian actors.
The company said it believed that at least one was CozyLarch - overlapping with DarkHalo, APT29, Midnight Blizzard, and CozyDuke. It said it was tracking the remaining activity under UTA0304 and UTA0307.
Proofpoint expects abuse of OAuth authentication flows to continue to grow as organizations adopt FIDO-compliant MFA controls. Organizations should strengthen their OAuth controls and educate users about these evolving threats.
"From the use of malicious OAuth applications for persistent access to the abuse of legitimate Microsoft authentication flows with device codes, threat actors’ tactics to achieve account takeover are evolving with quick adoption across the threat landscape," the researchers said.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
