Multiple threat actors are compromising Microsoft 365 accounts in phishing attacks that leverage the OAuth device code authorization mechanism.
# Incident Report: Wave of OAuth Device Code Phishing Attacks
## Executive Summary
Multiple threat actors, ranging from financially motivated groups (TA2723) to state-aligned actors (UNK_AcademicFlare), are conducting widespread phishing campaigns targeting Microsoft 365 accounts. These attacks abuse the OAuth device code authorization mechanism to bypass multi-factor authentication (MFA) and gain account access without direct credential theft. The campaigns have seen a significant increase in volume since September 2024, resulting in unauthorized account takeovers across government, academic, and private sectors.
## Incident Details
- **Discovery Date:** September 2024 (Significant volume increase reported)
- **Incident Date:** Ongoing since September 2024
- **Affected Organization:** Multiple (Global)
- **Sector:** Government, Academic, Think Tanks, Transportation, and Corporate
- **Geography:** Global (Specifically U.S. and Europe)
## Timeline of Events
### Initial Access
- **Date/Time:** September 2024 – Present
- **Vector:** Phishing via Email / QR Codes
- **Details:** Attackers send emails using lures such as "Salary Bonus" notifications, document-sharing links (OneDrive/DocuSign spoofs), or localized company branding. Victims are directed to enter a "device code" on a legitimate Microsoft login page.
### Lateral Movement
- **Details:** Once the OAuth token is granted, attackers utilize the authorized application to navigate the Microsoft 365 environment, accessing sensitive communications and internal documents.
### Data Exfiltration/Impact
- **Details:** Compromise of sensitive government and military communications; unauthorized access to corporate data; potential for follow-on "Business Email Compromise" (BEC) using legitimate but compromised accounts.
### Detection & Response
- **How it was discovered:** Observed by Proofpoint Threat Research through monitoring of phishing kit signatures (SquarePhish and Graphish) and unusual OAuth authorization patterns.
- **Response actions taken:** Threat intelligence sharing by security researchers; recommendation for organizations to implement Conditional Access policies.
## Attack Methodology
- **Initial Access:** Phishing emails with links to attacker-controlled sites; use of QR codes.
- **Persistence:** Abuse of OAuth tokens (which often remain valid for long periods) and attacker-controlled Azure App Registrations.
- **Privilege Escalation:** Not explicitly detailed; the attacker acquires the targeted user's own permissions through the scopes granted to the authorized application, rather than escalating beyond them.
- **Defense Evasion:** Use of legitimate Microsoft login portals (`microsoft[.]com/devicelogin`) to enter codes, bypassing traditional MFA and AiTM detections.
- **Credential Access:** OAuth Device Code Flow (no actual password needed).
- **Discovery:** UNK_AcademicFlare uses rapport-building "innocuous" interactions before delivering malicious links.
- **Lateral Movement:** Using compromised government/military accounts to phish additional targets.
- **Collection:** Accessing OneDrive files and email content via authorized API scopes.
- **Exfiltration:** Standard cloud-to-cloud or cloud-to-local data transfer.
- **Impact:** Account takeover and potential espionage or financial fraud.
## Impact Assessment
- **Financial:** High potential (associated with groups like TA2723 known for credential phishing).
- **Data Breach:** Exposure of sensitive government, military, and academic research data.
- **Operational:** Disruption of secure communications and potential for malicious internal emails.
- **Reputational:** High risk for organizations whose accounts are used to phish partners and allies.
## Indicators of Compromise
- **Network indicators:**
  - `microsoft[.]com/devicelogin` (legitimate site, but unexpected use is a behavioral indicator)
- **File indicators:**
  - SquarePhish v1/v2 kits
  - Graphish phishing kit
- **Behavioral indicators:**
  - Unexpected OAuth "Device Code" prompts for desktop users.
  - New Azure App Registrations from unknown or suspicious publishers.
  - Sign-ins from unusual locations immediately following device code entry.
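A detection over the behavioral indicators above, as an added example that is not part of the original report. It assumes sign-in records exported from Entra ID as newline-delimited JSON with the field names shown (`authenticationProtocol`, `appDisplayName`, `location.countryOrRegion`); the sample records are constructed.

```python
"""Flag device code sign-ins and the 'unusual location right after device code
entry' pattern. Added example; field names assume the Entra sign-in log export
schema, and every record below is constructed, not real telemetry."""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records (newline-delimited JSON).
SAMPLE_LOG = """
{"createdDateTime":"2024-09-12T08:00:00Z","userPrincipalName":"alice@example.gov","authenticationProtocol":"none","appDisplayName":"Office 365 Exchange Online","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2024-09-12T09:15:00Z","userPrincipalName":"alice@example.gov","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Authentication Broker","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2024-09-12T09:27:00Z","userPrincipalName":"alice@example.gov","authenticationProtocol":"none","appDisplayName":"Microsoft Graph","location":{"countryOrRegion":"NG"}}
{"createdDateTime":"2024-09-12T10:00:00Z","userPrincipalName":"bob@example.gov","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","location":{"countryOrRegion":"US"}}
"""

def parse_signins(text):
    """Parse NDJSON records into dicts, adding a timezone-aware 'ts' field, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def device_code_signins(events):
    """Every device code sign-in deserves review on its own, since most users
    never trigger that flow; return the users who did."""
    return [e["userPrincipalName"] for e in events
            if e.get("authenticationProtocol") == "deviceCode"]

def find_device_code_followups(events, window=timedelta(hours=1)):
    """Return (user, app, country) for each device code sign-in that is followed
    within `window` by a sign-in for the same user from a different country."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are sorted, so nothing further is in the window
            if (later["userPrincipalName"] == ev["userPrincipalName"]
                    and later["location"]["countryOrRegion"] != ev["location"]["countryOrRegion"]):
                hits.append((ev["userPrincipalName"], ev["appDisplayName"],
                             later["location"]["countryOrRegion"]))
                break
    return hits

if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG)
    print("device code sign-ins:", device_code_signins(evs))
    print("suspicious follow-ups:", find_device_code_followups(evs))
```

Bob's device code sign-in is listed for review but produces no follow-up hit, which is the expected outcome for a legitimate CLI login; Alice's is followed by a sign-in from another country within twelve minutes and is flagged.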
## Response Actions
- **Containment:** Revoke Refresh Tokens for suspected compromised accounts; delete unauthorized Enterprise Applications/Azure App Registrations.
- **Eradication:** Identify and block sender domains associated with TA2723 and UNK_AcademicFlare.
- **Recovery:** Mandatory password resets and session terminations for all affected users.
## Lessons Learned
- **Key takeaways:** Attackers are successfully pivoting away from stealing passwords toward stealing **tokens** via legitimate workflows.
- **Shortcomings:** MFA is not a "silver bullet" when users can be socially engineered into authorizing malicious applications via legitimate Microsoft infrastructure.
## Recommendations
- **Conditional Access:** Implement Microsoft Entra Conditional Access policies to restrict sign-ins based on origin and device compliance.
- **User Training:** Specifically educate users on the "Device Code" flow—emphasizing that they should never enter a code they didn't personally trigger on their own hardware.
- **Application Governance:** Restrict the ability of non-administrative users to consent to new OAuth applications (Consent Phishing protection).
- **Monitoring:** Set up alerts for "User assigned to service principal" or "New Azure App Registration" events.