{"id":10810,"date":"2026-02-20T10:03:42","date_gmt":"2026-02-20T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/20\/ongoing-campaign-targets-microsoft-365-to-steal-oauth-tokens-and-gain-persistent-access\/"},"modified":"2026-02-20T10:03:42","modified_gmt":"2026-02-20T10:03:42","slug":"ongoing-campaign-targets-microsoft-365-to-steal-oauth-tokens-and-gain-persistent-access","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/20\/ongoing-campaign-targets-microsoft-365-to-steal-oauth-tokens-and-gain-persistent-access\/","title":{"rendered":"Ongoing Campaign Targets Microsoft 365 to Steal OAuth Tokens and Gain Persistent Access"},"content":{"rendered":"<div>\n<p>An ongoing phishing campaign is targeting Microsoft 365 users and abusing OAuth tokens to gain long\u2011term access to corporate data. It focuses on business users in North America and aims to compromise Outlook, Teams, and OneDrive without directly stealing passwords. <\/p>\n<p>Instead of harvesting credentials with fake login forms, the operators trick victims into completing a real sign\u2011in on Microsoft\u2019s own device login portal, which makes the attack harder for both users and basic security tools to spot. 
<\/p>\n<p>Once successful, the attackers can quietly read, send, and manage emails and files, posing a serious risk to internal communication and sensitive documents.<\/p>\n<p><a href=\"https:\/\/blog.knowbe4.com\/uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa\" id=\"https:\/\/blog.knowbe4.com\/uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">KnowBe4 Threat Labs researchers identified this campaign<\/a> in late 2025, tracking how the attackers combined realistic phishing emails with the OAuth 2.0 Device Authorization Grant flow. The flow does not break strong passwords or Multi\u2011Factor Authentication; the victim satisfies both checks on Microsoft\u2019s page, and the resulting tokens are issued to the attacker\u2019s client instead of to the victim. <\/p>\n<p>Their analysis shows that the threat actors rely heavily on convincing <a href=\"https:\/\/cybersecuritynews.com\/social-engineering-tactics\/\" id=\"105131\" target=\"_blank\" rel=\"noreferrer noopener\">social engineering<\/a>, using themes such as payment confirmations, bonus-related documents, and voicemail alerts to lure busy professionals into taking quick action. <\/p>\n<p>Because the victim completes the login on a legitimate Microsoft page, many people believe the process is safe, even though they are ultimately granting access to a rogue application controlled by the attackers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-attack-flow\"><strong>Attack flow<\/strong><\/h2>\n<p>Once the user enters the attacker\u2011supplied user code on the Microsoft device login page and authenticates there, the Microsoft identity platform issues valid OAuth access and refresh tokens tied to the victim\u2019s account to whichever client requested the matching device code, which is the attacker\u2019s polling client. <\/p>\n<p>These tokens let the intruders maintain persistent access, often without raising obvious red flags in traditional credential\u2011focused monitoring; the refresh token in particular can be redeemed for new access tokens long after the phishing session has ended. <\/p>\n<p>Affected organizations may see unauthorized mailbox actions, file access, and potential data exfiltration, all performed under what appears to be a legitimate user context. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg6mdzVOo_oURifpO2GETcGamEFsqqEWdGBvRwFhRQHikZ-LEsWfAX0jai2ILaDH52c2ibC9Y4p8ZIuIgpkNStv452DerOUG1AWMQlH05KpsOTSBJsq5yPJUVXTZMSnaX_tr59gCe3Sc3GkAkc_4RJvWBq9fVH3O1QcOxMdxBiaqt0GDJseXHxFxwm0qZw\/s16000\/Attack%2520Flow%2520%28Source%2520-%2520Knowbe4%29.webp?ssl=1\" alt=\"Attack Flow (Source - Knowbe4)\"><figcaption class=\"wp-element-caption\">Attack Flow (Source \u2013 Knowbe4)<\/figcaption><\/figure>\n<\/div>\n<p>This attack flow illustrates the complete attack chain, from the initial phishing lure through device code abuse to token theft and long\u2011term account access.<\/p>\n<p>The heart of this campaign is its misuse of the OAuth 2.0 Device Authorization Grant (RFC 8628), a flow designed for input\u2011constrained devices that is repurposed here to sidestep normal defenses. <\/p>\n<p>First, the attacker registers an OAuth application and requests a device code for its client ID from the Microsoft identity platform\u2019s device authorization endpoint. The response pairs a long device code, which stays with the attacker, with a short user code for the victim to type; both are valid only for a limited window, roughly 15 minutes on the Microsoft identity platform, so the lure has to land while the code is live. <\/p>\n<p>The user code is then embedded in tailored phishing emails that direct victims to an attacker\u2011controlled landing page, where the user is prompted to enter their email and follow \u201csecure authentication\u201d steps. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgxwSLAVswDHAH_1XVJxe8NxRezEpfJkz7DBasLF4oZHO3zoazU98NN3Tz76BuGSalUQndAAfmIFna9-mXuuXS5CuCF0tWv1ANoeZm-tufHS2c-xGxkfa6mOdD72MIYFHtYkS4z4dVt_U1fT6ksujzVHehIqsqLJFFyPZ17F_sNE8swKi9swydJRxYhQ-g\/s16000\/Example%2520of%2520compromised%2520OAuth%2520token%2520captured%2520in%2520the%2520attacker%25E2%2580%2599s%2520c2c%2520%28Source%2520-%2520Knowbe4%29.webp?ssl=1\" alt=\"Example of compromised OAuth token captured in the attacker\u2019s c2c (Source - Knowbe4)\"><figcaption class=\"wp-element-caption\">Example of compromised OAuth token captured in the attacker\u2019s c2c (Source \u2013 Knowbe4)<\/figcaption><\/figure>\n<\/div>\n<p>After the victim is instructed to visit the legitimate microsoft.com\/devicelogin portal and submit the provided code, the attacker\u2019s client, which has been polling the token endpoint with the matching device code since the lure went out, receives the issued OAuth access and refresh tokens directly as soon as Microsoft records the approval. No password ever passes through the attacker\u2019s page; the token grant itself is the theft. 
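<\/p>\n<p>The exchange described above, as an added example that is not part of the original article or of KnowBe4\u2019s research: a Python model of the RFC 8628 device authorization grant with an in\u2011memory stand\u2011in for the identity platform\u2019s device code and token endpoints, the attacker\u2019s polling loop, and the victim\u2019s approval step. The endpoint roles and error codes (authorization_pending, slow_down, expired_token) follow RFC 8628 and the Microsoft identity platform documentation; the client ID, scopes, victim identity, token strings and 15\u2011minute expiry are assumed or constructed values, and no network calls are made.<\/p>\n
```python
"""Model of the OAuth 2.0 Device Authorization Grant (RFC 8628) as abused in
device-code phishing. Added example: MockAuthServer is a constructed stand-in
for the Microsoft identity platform endpoints, not Microsoft code."""
import secrets
import string

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://microsoft.com/devicelogin"   # real page the victim is sent to
CLIENT_ID = "11111111-2222-3333-4444-555555555555"       # assumed attacker app id
SCOPE = "openid offline_access Mail.ReadWrite Files.Read.All"  # offline_access => refresh token


class FakeClock:
    """Deterministic clock so the scenario runs instantly; seconds since start."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class MockAuthServer:
    """In-memory device-authorization and token endpoints (constructed)."""
    def __init__(self, clock, expires_in=900, interval=5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self.pending = {}        # device_code -> grant record
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (attacker): POST /devicecode. Returns the paired codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "issued": self.clock(),
            "last_poll": float("-inf"), "approved_by": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.expires_in, "interval": self.interval}

    def user_approves(self, user_code, upn):
        """Step 2 (victim): types user_code at verification_uri and passes
        password + MFA there. Binds the attacker's device_code to the victim."""
        device_code = self.by_user_code.get(user_code)
        rec = self.pending.get(device_code)
        if rec is None or self.clock() - rec["issued"] > self.expires_in:
            return False  # unknown or expired code: the lure came too late
        rec["approved_by"] = upn
        return True

    def token(self, grant_type, client_id, device_code):
        """Step 3 (attacker): POST /token, polled until the victim approves."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - rec["issued"] > self.expires_in:
            return {"error": "expired_token"}
        too_fast = now - rec["last_poll"] < self.interval
        rec["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # one-shot: the code cannot be redeemed twice
        # Tokens go to the *requesting client*, never to the victim's browser.
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": "mock-access-for-" + rec["approved_by"],
                "refresh_token": "mock-refresh-" + secrets.token_hex(8)}


def attacker_poll(server, auth, sleep, max_rounds=400):
    """Attacker's loop: poll every `interval` seconds, back off on slow_down
    (RFC 8628 s3.5: +5 s), stop on tokens or on a terminal error."""
    interval = auth["interval"]
    for _ in range(max_rounds):
        resp = server.token(DEVICE_CODE_GRANT, CLIENT_ID, auth["device_code"])
        if "access_token" in resp:
            return resp
        if resp.get("error") == "slow_down":
            interval += 5
        elif resp.get("error") != "authorization_pending":
            return resp  # expired_token, access_denied, invalid_grant: lure failed
        sleep(interval)
    return {"error": "gave_up"}


def run_scenario(victim_delay, expires_in=900):
    """Attacker sends the lure at t=0 and starts polling; the victim types the
    user code after `victim_delay` seconds. Returns (token_response, events)."""
    clock = FakeClock()
    server = MockAuthServer(clock.now, expires_in=expires_in)
    auth = server.device_authorization(CLIENT_ID, SCOPE)  # user_code goes into the email
    events = []

    def sleep(seconds):            # stands in for time.sleep and drives the victim
        clock.advance(seconds)
        if not events and clock.now() >= victim_delay:
            ok = server.user_approves(auth["user_code"], "victim@contoso.example")
            events.append("approved" if ok else "code_expired")

    return attacker_poll(server, auth, sleep), events


if __name__ == "__main__":
    print(run_scenario(victim_delay=60))    # victim acts inside the window: tokens issued
    print(run_scenario(victim_delay=1200))  # victim too slow: expired_token, never approved
```
\n<p>Two things the model makes visible: the tokens never touch the victim\u2019s browser, because the token endpoint answers whichever client holds the device code, and the attacker only has the lifetime of that code to get the victim to type the user code, which is why these lures press for immediate action. 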
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgKRc62DWzi3cDfbsHEli2sfoYqHGQ6QQqflfrKqCWoAMJq-pBYc3D7BAyYABil-x1cH11f74xqCZsQI0zWdizrypXkea7xNYlcgidYAQXJ77aU-zafHAJpCNe8CDZOEek6rtJ1LahOmBv-UkArP-dVVJszsOC-pujClKm_xm48arOq-09AhOAphfX_kD4\/s16000\/Example%2520of%2520attacker-controlled%2520landing%2520page%2520and%2520user%2520authentication%2520%28Source%2520-%2520Knowbe4%29.webp?ssl=1\" alt=\"Example of attacker-controlled landing page and user authentication (Source - Knowbe4)\"><figcaption class=\"wp-element-caption\">Example of attacker-controlled landing page and user authentication (Source \u2013 Knowbe4)<\/figcaption><\/figure>\n<\/div>\n<p>To reduce risk, security teams are advised to block known malicious domains and <a href=\"https:\/\/cybersecuritynews.com\/cloud-storage-vs-local-storage-which-one-should-you-choose-for-digitizing-documents\/\" id=\"135256\" target=\"_blank\" rel=\"noreferrer noopener\">cloud storage<\/a> URLs linked to this campaign, hunt email logs for identified sender addresses and subject patterns, and urgently audit recently consented OAuth applications for suspicious entries. <\/p>\n<p>Where business needs allow, administrators should disable the device code flow entirely or tightly restrict it through Conditional Access policies, and should review Microsoft Entra ID (formerly Azure AD) sign\u2011in logs for device code sign\u2011ins, unfamiliar applications, and geographic anomalies. 
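<\/p>\n<p>One way to run the sign\u2011in log review described above, as an added example that is not part of the original article: a Python hunt over Microsoft Entra sign\u2011in records that keys on the authentication protocol field, which records the grant type (deviceCode) used for each sign\u2011in. The records, user names, IP addresses, app IDs and the allowlist of apps permitted to use the flow are all constructed for the example; the field names follow the Microsoft Graph signIn resource, and in practice the input would be an export of the sign\u2011in logs rather than an inline sample.<\/p>\n
```python
"""Hunt for device-code sign-ins in Microsoft Entra ID sign-in records.
Added example; the records below are constructed and the field names follow
the Microsoft Graph `signIn` resource (GET /auditLogs/signIns)."""
import json
from collections import defaultdict

# Constructed sample. The attacker-registered app in the second record copies
# a legitimate display name; only its appId gives it away.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-02-18T14:02:11Z",
  "appDisplayName": "Microsoft Office", "appId": "aaaa0000-0000-0000-0000-000000000001",
  "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
  "location": {"countryOrRegion": "US", "city": "Chicago"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-02-19T09:41:57Z",
  "appDisplayName": "Microsoft Office", "appId": "bad00000-0000-0000-0000-00000000beef",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
  "location": {"countryOrRegion": "NG", "city": "Lagos"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-02-19T08:15:03Z",
  "appDisplayName": "Microsoft Office", "appId": "aaaa0000-0000-0000-0000-000000000001",
  "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
  "location": {"countryOrRegion": "US", "city": "Denver"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-02-19T10:30:44Z",
  "appDisplayName": "Microsoft Azure CLI", "appId": "aaaa0000-0000-0000-0000-000000000002",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
  "location": {"countryOrRegion": "US", "city": "Denver"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2026-02-19T11:05:12Z",
  "appDisplayName": "Microsoft Office", "appId": "bad00000-0000-0000-0000-00000000beef",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.78",
  "location": {"countryOrRegion": "NG", "city": "Lagos"}, "status": {"errorCode": 50126}}
]""")

# Assumed allowlist of app IDs that legitimately use the device code flow in
# this tenant (for example a CLI engineers sign in from). Keyed by appId, not
# display name, because an attacker chooses the display name of their own app.
DEVICE_CODE_ALLOWED_APP_IDS = {"aaaa0000-0000-0000-0000-000000000002"}


def country_baseline(signins):
    """Countries each user has signed in from via flows other than device code."""
    baseline = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return baseline


def hunt_device_code(signins, allowed_app_ids=DEVICE_CODE_ALLOWED_APP_IDS):
    """One finding per successful device-code sign-in: 'high' when the app is
    not allowlisted or the country is outside the user's baseline, 'low' when
    both look expected (still worth a glance; the flow is rarely needed)."""
    baseline = country_baseline(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue  # failed grants yield no tokens; triage successes first
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        reasons = []
        if s["appId"] not in allowed_app_ids:
            reasons.append(f"appId {s['appId']} ('{s['appDisplayName']}') not allowlisted for device code")
        if country not in baseline[user]:
            reasons.append(f"country {country} outside baseline {sorted(baseline[user]) or 'none'}")
        findings.append({"user": user, "time": s["createdDateTime"], "ip": s["ipAddress"],
                         "appId": s["appId"], "severity": "high" if reasons else "low",
                         "reasons": reasons})
    findings.sort(key=lambda f: (f["severity"] != "high", f["time"]))  # high first
    return findings


if __name__ == "__main__":
    for f in hunt_device_code(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["user"], f["time"], f["ip"],
              "; ".join(f["reasons"]) or "expected app and location")
```
\n<p>The allowlist is keyed on app ID rather than display name because an attacker picks the display name of the application they register, and the sample includes exactly that case. The flow itself is the signal: a tenant that has blocked device code flow in Conditional Access should expect this hunt to return nothing, and any hit is then either a policy gap or an exclusion that needs explaining. 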
<\/p>\n<p>These steps, combined with ongoing user awareness around urgent payment notices, unexpected document shares, and voicemail alerts, can help organizations detect and contain similar <a href=\"https:\/\/cybersecuritynews.com\/phishing-and-oauth-token-flaws\/\" id=\"141720\" target=\"_blank\" rel=\"noreferrer noopener\">OAuth token<\/a> theft attempts before they cause deeper damage.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/ongoing-campaign-targets-microsoft-365\/\">Ongoing Campaign Targets Microsoft 365 to Steal OAuth Tokens and Gain Persistent Access<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/ongoing-campaign-targets-microsoft-365\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ongoing Campaign Targets Microsoft 365 to Steal OAuth Tokens and 
Gain Persistent Access An ongoing phishing campaign that targets Microsoft 365 users by abusing OAuth tokens to gain long\u2011term access to corporate data, which focuses on business users in North America and aims to compromise Outlook, Teams, and OneDrive without directly stealing passwords. Instead of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,1],"tags":[130],"class_list":["post-10810","post","type-post","status-publish","format-standard","hentry","category-cyber-security-news","category-uncategorized","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10810"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10810"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10810\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}