microsoft.com. But the attacker has pre-registered their device to get the code for [the victim] to verify.”

David Shipley, head of Canadian security awareness training provider Beauceron Security, said OAuth device code attacks have been gaining steam since 2024. “It’s the natural evolutionary response to improvements in account security, particularly MFA,” he said. The easiest defense is to turn off the ability to add extra login devices to Office 365 unless it’s needed, he said.

In addition, employees should be continuously educated about the risks of unusual login requests, even if they come from a familiar system. “The value of teaching people about new social engineering techniques like this, and doing phishing simulations based on these kinds of attacks, is it gets people used to reporting them, which will help when real attacks are happening,” he added.

Cory Michal, CSO at AppOmni, said attacks often leverage OAuth tokens and service/integration identities because they are a blind spot for many organizations that have invested heavily in identity hardening and multifactor authentication.

“OAuth tokens often operate as bearer credentials,” he noted. “If an attacker obtains them, they can be used as a single-factor access method to act as the integration without triggering an interactive login or MFA challenge, and the activity can blend into normal API/integration patterns. In other words, strong MFA enforcement can coexist with a persistent exposure if non-human identities and OAuth token hygiene aren’t governed and monitored with the same rigor.”

He said that IT leaders need to go beyond classic third-party vendor reviews and actually inventory and audit the integrations running in their SaaS environments, determining which apps are connected, what OAuth scopes/permissions they have, and whether they’re still needed.

“Most teams have far more integrations than they realize, and many retain broad privileges long after the original business need,” he pointed out. “In parallel, we should raise the security bar for any SaaS vendor we rely on, [with] clear requirements around token security, logging, incident response, and secure integration patterns, and make sure our own tenant configurations and monitoring are hardened so integration activity is least-privilege, observable, and quickly containable when something upstream is compromised,” Michal added.

Grimes said that users can be educated to check how many devices are authorized to access their Microsoft, Google, and other login accounts. They should also be continually warned to be suspicious of email links that go to a login page.

In a blog about device code phishing, he noted that Microsoft Entra administrators can disable “device code flow” in their conditional access policies. This disables device code flow for all Entra users, not just malicious ones. It means users will have to log in and provide more information than just a device code, but it will better protect an IT environment from this type of phishing attack.
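As an added illustration of the monitoring Michal and Grimes describe (this is not code from the article or from any vendor quoted in it), the following Python script flags device code flow sign-ins in a constructed sample of Entra sign-in records and marks those coming from a region the user has not otherwise signed in from. The field names are assumed to follow the Microsoft Graph signIn resource, with `authenticationProtocol` equal to `"deviceCode"`; the users, addresses and times are made up.

```python
import json
from collections import defaultdict

# Constructed sample of Entra sign-in records (not real tenant data). Field names
# are assumed to match the Microsoft Graph signIn resource; a value of "deviceCode"
# in authenticationProtocol marks a sign-in completed through the device code flow.
SAMPLE_SIGNINS_JSON = """[
 {"createdDateTime": "2025-06-02T09:14:00Z", "userPrincipalName": "a.lee@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "CA"}},
 {"createdDateTime": "2025-06-02T13:09:00Z", "userPrincipalName": "a.lee@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
 {"createdDateTime": "2025-06-02T08:30:00Z", "userPrincipalName": "b.kim@example.com",
  "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "CA"}},
 {"createdDateTime": "2025-06-02T10:45:00Z", "userPrincipalName": "b.kim@example.com",
  "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "CA"}}
]"""


def sample_signins():
    """Parse the constructed sample into a list of sign-in dicts."""
    return json.loads(SAMPLE_SIGNINS_JSON)


def baseline_regions(records):
    """Regions each user normally signs in from, built from non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(r.get("location", {}).get("countryOrRegion"))
    return seen


def flag_device_code_signins(records):
    """Return every device code flow sign-in; new_region is True when the sign-in
    came from a region absent from that user's baseline, which is what a sign-in
    completed on someone else's pre-registered device tends to look like."""
    baseline = baseline_regions(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, region = r["userPrincipalName"], r.get("location", {}).get("countryOrRegion")
        findings.append({"user": user, "time": r["createdDateTime"], "ip": r.get("ipAddress"),
                         "region": region, "new_region": region not in baseline.get(user, set())})
    return findings
```

Every device code sign-in is reported, since a tenant that has not disabled the flow will want to review them all; the `new_region` marker simply orders the triage.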
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4134874/new-phishing-campaign-tricks-employees-into-bypassing-microsoft-365-mfa.html