Surge of OAuth Device Code Phishing Attacks Targets M365 Accounts
2025-12-19 22:36:11 Author: securityboulevard.com

A range of state-sponsored and financially motivated threat groups are abusing Microsoft’s OAuth 2.0 device authorization grant flow to trick users into giving them access to their M365 accounts.

The bad actors, which include Russia- and China-linked groups, have driven a surge since September in the use of device code phishing. Victims are convinced to log into an application with legitimate credentials through Microsoft’s OAuth 2.0 service, which generates a token that the attacker can steal; that token can lead to a takeover of the M365 account, data exfiltration, and other threats, according to researchers with Proofpoint’s threat research team.

The researchers had seen threat actors using device code phishing in the past, but the technique’s widespread use since September is “highly unusual,” they wrote in a report this week. “While this is not necessarily a novel technique, it is notable to see it used increasingly by multiple threat clusters.”

“From the use of malicious OAuth applications for persistent access to the abuse of legitimate Microsoft authentication flows with device codes, threat actors’ tactics to achieve account takeover are evolving with quick adoption across the threat landscape,” they wrote. “These campaigns rely heavily on social engineering, most often using lures with embedded URLs or QR codes to trick users into thinking they are securing their accounts.”

A Rise in Such Attacks

Other vendors also expect more bad actors to embrace device code phishing. In a blog post earlier this year, Alistair Greaves, director of red team operations for Bugcrowd, wrote that there are several reasons for this.

“First, as organizations become more aware of traditional phishing techniques (e.g., fake login pages and credential stuffing), adversaries must find new ways to bypass existing security controls,” Greaves wrote. “Although device code phishing is a relatively old technique … it still offers a stealthier alternative. This is because it does not require victims to input credentials into a fake login page, which can often be detected by trained users or security tools.”

Users instead are lured into entering what seems like a legitimate code in a well-known Microsoft authentication portal, which makes the request harder to recognize as a phishing attempt. The technique also relies heavily on the behavior of users who have grown used to authentication prompts for collaborative tools, making them less likely to question a request for device code authorization.

In addition, the scheme can be executed via email, SMS, a phone call, or within collaborative tools or external chat services, he wrote.

QR Codes, Hyperlinked Text, and Buttons

In the most recent case, Proofpoint researchers wrote that the campaigns start with a message with a URL embedded behind a button, as hyperlinked text, or in a QR code. The attack sequence is kicked off when a user hits the URL and initiates the legitimate Microsoft device authorization process.

“Once initiated, the user is presented with a device code,” they wrote. “It is either presented directly on the landing page or received in a secondary email from the threat actor. The lures typically claim that the device code is an OTP [opt-in computing] and direct the user to input the code at Microsoft’s verification URL. Once the user inputs the code, the original token is validated, giving the threat actor access to the targeted M365 account.”

The message can differ based on the campaign, with some saying they are token re-authorization notifications and others using different lures.

SquarePhish, Graphish Tools Used

The campaigns tend to use two different tools. SquarePhish was first published in 2022 by Secureworks, then a Dell company, and last year an independent researcher published SquarePhish2 on GitHub. SquarePhish uses a QR code that directs users to a website hosted on a SquarePhish2 server and kicks off an attack that initiates the OAuth device authorization grant flow.

Scammers also are using the Graphish phishing kit, which is shared on dark web hacking forums and can create convincing phishing pages using Azure App Registrations and reverse proxy setups. It can launch adversary-in-the-middle (AiTM) attacks and OAuth-based phishing attempts.

Proofpoint tracked several campaigns, including one on December 8 that used a shared document reminder alert to lure users into clicking a Google Share URL hyperlinked as text to access a fake document called “Salary Bonus + Employer Benefit Reports 25.” Clicking on the URL sends the victim to a website controlled by the bad actor and prompts the user to input their email address. Doing so leads to a prompt to complete authentication that includes a code that, once entered into the Microsoft-provided OAuth page, gives the attacker access to the user’s M365 account.
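The attack chain described above (a device code entered by the victim at Microsoft’s verification URL, and an attacker-registered app receiving the token, as with the Graphish kit’s use of Azure App Registrations) leaves traces a defender can look for. The following is an added example for this article, not code from Proofpoint, Microsoft or any of the tools named here: it triages constructed Entra ID sign-in and directory audit records, flagging sign-ins that used the device code flow and consent grants to apps outside an allowlist. The field names (`authenticationProtocol`, `appId`, `ipAddress`, `activityDisplayName`) follow the Microsoft Graph sign-in and audit log schemas; the records, app IDs, allowlist and per-user IP baseline are all constructed assumptions a defender would replace with their own tenant’s data.

```python
"""Triage constructed Entra ID sign-in and audit records for device code flow abuse.

Added example; not code from Proofpoint, Microsoft, SquarePhish or Graphish.
Field names follow the Microsoft Graph `signIn` resource and the directory
audit log; every record, GUID, allowlist entry and IP baseline below is
constructed and stands in for data a defender pulls from their own tenant.
"""
from dataclasses import dataclass, field

# Apps the (hypothetical) tenant has approved, e.g. an internal CLI tool that
# legitimately uses the device code flow. Constructed GUID, not a real app id.
APPROVED_APPS = {"11111111-aaaa-4bbb-8ccc-000000000001": "Approved CLI tool"}

# Per-user baseline of source IPs seen over the last 30 days (assumption).
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.11"},
}

# Constructed sign-in records shaped like Entra ID sign-in log entries.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "appId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-12-08T09:01:00Z"},
    {"id": "s2", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-12-08T09:03:00Z"},
    {"id": "s3", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appId": "22222222-bbbb-4ccc-8ddd-000000000002",
     "ipAddress": "198.51.100.77", "createdDateTime": "2025-12-08T09:05:00Z"},
]

# Constructed directory audit records for OAuth consent grants.
SAMPLE_AUDITS = [
    {"id": "a1", "activityDisplayName": "Consent to application",
     "initiatedBy": "bob@example.com", "appId": "22222222-bbbb-4ccc-8ddd-000000000002",
     "activityDateTime": "2025-12-08T09:05:30Z"},
    {"id": "a2", "activityDisplayName": "Consent to application",
     "initiatedBy": "carol@example.com", "appId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "activityDateTime": "2025-12-08T10:00:00Z"},
]


@dataclass
class Finding:
    record_id: str
    user: str
    severity: str                      # "low", "medium" or "high"
    reasons: list = field(default_factory=list)


def triage_signin(rec, approved=APPROVED_APPS, known_ips=KNOWN_IPS):
    """Return a Finding for a device-code sign-in, or None for other protocols.

    The device code flow exists for input-constrained devices and is uncommon
    for ordinary users, so every such sign-in is at least a low-severity
    finding; an unapproved app or a source IP outside the user's baseline
    raises the severity.
    """
    if rec.get("authenticationProtocol") != "deviceCode":
        return None
    user = rec["userPrincipalName"]
    reasons = ["sign-in used the OAuth device code flow"]
    severity = "low"
    if rec["appId"] not in approved:
        reasons.append(f"app {rec['appId']} is not approved for device code use")
        severity = "medium"
    if rec["ipAddress"] not in known_ips.get(user, set()):
        reasons.append(f"source IP {rec['ipAddress']} is not in the user's baseline")
        severity = "high" if severity == "medium" else "medium"
    return Finding(rec["id"], user, severity, reasons)


def triage_consent(rec, approved=APPROVED_APPS):
    """Flag consent grants to apps outside the allowlist: the attacker-registered
    app that ends up holding the token in the campaigns described above."""
    if rec.get("activityDisplayName") != "Consent to application":
        return None
    if rec["appId"] in approved:
        return None
    return Finding(rec["id"], rec["initiatedBy"], "high",
                   [f"user consented to unapproved app {rec['appId']}"])


def run_triage(signins=SAMPLE_SIGNINS, audits=SAMPLE_AUDITS):
    """Run both triage passes and return the findings in record order."""
    findings = [f for f in map(triage_signin, signins) if f]
    findings += [f for f in map(triage_consent, audits) if f]
    return findings


if __name__ == "__main__":
    for f in run_triage():
        print(f.severity.upper(), f.record_id, f.user, "; ".join(f.reasons))
```

On the constructed data this produces one low-severity finding (an approved tool used from a known IP) and two high-severity ones: a device code sign-in to an unapproved app from an unfamiliar IP, followed half a minute later by a consent grant to that same app, which is the pairing a responder would want to see surfaced together. In a real tenant the allowlist should be short, since few users have a legitimate reason to use the device code flow at all, and Microsoft Entra Conditional Access can block the flow outright for the users who do not need it.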

TA2723 on the Attack

A financially motivated threat group, TA2723, ran campaigns starting in October with a message that appeared to be a corporate notice regarding an amended salary. The message was “customized to show the recipient’s name and the name of the shared file, consistent with the subject line. The message contained a virtoshare.com URL embedded as a ‘button’ to Open the file,” the researchers wrote.

The victim is enticed to click on the button, which sets off a chain where they are redirected to Microsoft’s legitimate device authorization page where they end up authorizing access to the attacker-controlled application. The researchers suspect that both SquarePhish2 and Graphish were used by TA2723 in its attacks.

Russia, China Groups Using Tactic

Nation-state groups are increasingly using phishing techniques – like OAuth device code authorization – that don’t need passwords, a tactic used mostly by Russia-linked criminals, they said, noting a report earlier this year from Volexity.

“State-aligned threat actors often conduct patient rapport building via benign outreach prior to a device code phishing attempt, with some campaigns showing evidence of multi-channel targeting via both email and other communication channels,” Proofpoint researchers wrote.

They point to a Russian group dubbed UNK_AcademicFlare using compromised email addresses from government and military organizations to target governments, think tanks, higher education, and transportation entities in the United States and the UK. The campaign uses spoofed OneDrive accounts to kick off a device code phishing workflow.

Source: https://securityboulevard.com/2025/12/surge-of-oauth-device-code-phishing-attacks-targets-m365-accounts/