Norton: Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens

Hackers Exploit Microsoft OAuth Feature in Large-Scale Credential Theft Campaigns

Since late 2024, cybercriminals have increasingly abused Microsoft’s OAuth device authorization flow, a legitimate authentication feature, to steal Microsoft 365 account credentials at scale. This technique, known as device code phishing, has surged in popularity among threat actors, replacing traditional credential-harvesting methods because of its effectiveness and stealth.

How the Attack Works

The attack exploits the OAuth 2.0 device authorization flow, originally designed for devices with limited input capabilities (e.g., smart TVs or gaming consoles). Hackers generate device codes via Microsoft’s APIs and distribute them through phishing emails containing PDFs, URLs, or QR codes. When victims enter the code on Microsoft’s official device login page, they unknowingly grant attackers full access to their accounts without triggering suspicious login prompts.

Once authenticated, threat actors obtain persistent access tokens, allowing them to maintain control even if the victim changes their password. The entire process occurs on legitimate Microsoft domains, making detection difficult for traditional security tools.

Widespread Adoption by Threat Actors

Proofpoint researchers first identified the surge in early 2025, documenting hundreds of campaigns targeting organizations across industries. Multiple threat groups, including TA4903, EvilProxy operators, Storm-365, and those using the Kali 365 toolkit, have integrated device code phishing into their operations.

  • TA4903 targeted small businesses and government entities, impersonating services like Microsoft, DocuSign, and Norton.
  • The Tycoon 2FA phishing kit added device code capabilities, while Russian-linked cybercriminal infrastructure has also adopted the technique.
  • The proliferation accelerated after proof-of-concept tools like ClickFix lowered the barrier to entry, enabling even low-skilled attackers to deploy the method.

Global Impact and Detection Challenges

Device code phishing campaigns have been observed worldwide, with phishing pages localized in multiple languages, including Spanish and German. The attack’s seamless integration with Microsoft’s infrastructure means no red flags appear during authentication, making it particularly deceptive.

Security teams have struggled to counter the threat, as traditional phishing awareness training does not cover this vector. Proofpoint recommends blocking device code flows via conditional access policies and requiring managed devices for authentication to mitigate risks.
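A triage rule for the mitigation described above, written here as an added Python example (not from the article or from Proofpoint): it scans constructed Microsoft Entra ID sign-in records and flags device-code sign-ins that come from an unmanaged device or from an IP outside a trusted egress set. The field names (authenticationProtocol, deviceDetail.isManaged) follow the Entra sign-in log schema and are an assumption; the sample records are constructed.

```python
import json

# Constructed sample of Entra ID sign-in log records (not real data). The field
# names mirror the Entra sign-in schema (authenticationProtocol, deviceDetail)
# as assumed here; adjust them to match your export.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-14T09:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.10", "deviceDetail": {"isManaged": True, "isCompliant": True}},
    {"createdDateTime": "2025-01-14T09:05:40Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.23", "deviceDetail": {"isManaged": False, "isCompliant": False}},
    {"createdDateTime": "2025-01-14T09:07:03Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "deviceDetail": {"isManaged": True, "isCompliant": True}},
]


def flag_device_code_signins(records, trusted_ips=frozenset()):
    """Return one finding per device-code sign-in that deserves analyst review.

    The device code flow is legitimate only for input-constrained devices, so a
    device-code sign-in from an unmanaged device, or from an IP outside the
    organisation's known egress range, is a candidate for device code phishing.
    Sign-ins that use any other protocol are ignored.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        device = rec.get("deviceDetail") or {}
        reasons = []
        if not device.get("isManaged"):
            reasons.append("unmanaged device")
        if rec.get("ipAddress") not in trusted_ips:
            reasons.append("untrusted source IP")
        if reasons:
            findings.append({"user": rec["userPrincipalName"], "app": rec.get("appDisplayName"),
                             "time": rec["createdDateTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Only Bob's sign-in is flagged: Carol's uses device code too, but from a
    # managed device and a trusted IP, which is the legitimate use case.
    for finding in flag_device_code_signins(SAMPLE_SIGNINS, trusted_ips={"203.0.113.10"}):
        print(json.dumps(finding))
```

Feed the function a real sign-in export (one dict per record) and tune `trusted_ips` to your egress ranges; pair it with a Conditional Access policy that blocks the flow outright where no input-constrained devices need it.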

Indicators of Compromise (IoCs)

Researchers have identified numerous malicious domains associated with these campaigns, including:

  • EvilTokens-linked domains (e.g., onedrive-9tudh[.]thebootieselmny-thi-om-s-oundh[.]workers[.]dev)
  • B-OX-linked domains (e.g., stelwsystems[.]com, marketkarr-lengnefl[.]com)

(Note: Domains are defanged to prevent accidental resolution.)

Source: https://cybersecuritynews.com/hackers-abuse-oauth-device-authorization-flow/

Norton cybersecurity rating report: https://www.rankiteo.com/company/norton
