They say trust is the cornerstone of any relationship—especially if that relationship is between you, the internet, and a determined Russian adversary with a penchant for phishy invitations and suspicious requests for OAuth codes.
Phishing in the OAuth Era: New Tricks for Old Hackers
When we talk about phishing, most IT professionals, and honestly, most grandmothers, think of those infamous Nigerian prince emails or classic “update your password here” bait-and-switches. But as every dyed-in-the-wool cybercriminal knows, innovation is key. Enter the latest twist in the ever-evolving world of credential theft: phishing for OAuth codes using weaponized charm, modern messaging apps, and—just for that extra zing—Microsoft 365’s own infrastructure.
So, what’s new about this campaign? According to Volexity researchers, the attackers aren’t settling for your average mass email blasts. No, they’re getting up-close and personal—think less Nigerian prince, more cold war spy drama. The suspected Russian threat actors are rolling out one-on-one phishing ploys that wouldn’t be out of place in a clever heist movie.
The Attack Unfolds: A Social Engineering Ballet
Here’s how the operation unfolds: Threat actors, masquerading as officials from European nations or Ukraine, cozy up via trusted platforms like Signal or WhatsApp. The bait? A video call invitation purportedly about the war in Ukraine—an angle chillingly tailored to prey on humanitarian organizations and NGOs’ sense of urgency and purpose.
Once the victim responds, they’re handed a genuine-looking Microsoft login link. Everything smells above board. (Except, perhaps, the third cup of coffee you’re about to gulp while wondering if your M365 environment is secure enough.)
Victim logs in, prompted by a reputable Microsoft page—they’re not even leaving the well-lit, paved roads of official infrastructure. But here’s the kicker: Upon logging in, Microsoft spits out an OAuth code or a URL. The attackers, ever so charming, ask the victim to send this back.
Cue the classic facepalm for security professionals everywhere. Because if the victim obliges, the attackers get ticket-to-ride access to the victim’s Microsoft 365 account—emails, files, calamitous organizational embarrassment, and all. In some variations, the hackers go one better: persuading victims to approve a two-factor authentication prompt after the attacker registers their own device to the target’s Microsoft Entra ID (yeah, that’s the snazzy new name for Azure AD).
Why This Phishing Technique Works So Well
You might think, “Surely people don’t just hand over OAuth codes to strangers!” But the reality is more sobering. This campaign relies on real-time, interactive manipulations rather than boring old mass emails that get flagged by basic spam filters. The subtlety is that every step happens on Microsoft’s genuine login interfaces. No shoddy lookalike domains, no browser warnings, no awkward typos (although the attackers’ grammar in Signal DMs might still be a giveaway).
Volexity points out the real pain for IT defenders: The attack’s reliance on official Microsoft infrastructure. There’s no rogue app or domain to block, no sketchy OAuth app asking for excessive permissions. These attackers are using Microsoft first-party applications with pre-granted consent—just the sort of “business as usual” that your admin dashboard isn’t throwing alerts about.
It’s like a bank robbery where the thieves politely ask a teller to let them in using the proper paperwork, signatures, and a solid handshake.
Variations on a Theme: Device Registration and Two-Factor Misery
In at least one observed campaign, the attackers didn’t just stop at snatching access; they went the extra mile, registering their device to the victim’s Entra ID. This raised the bar from mere data theft to long-term persistence, even sidestepping password resets.
And just to add pepper to this cybersecurity stew, the attackers flipped the script on two-factor authentication. Instead of two-factor being a shield, it became the weapon, with the attackers coaching victims into approving their rogue device registration—effectively giving the keys to the kingdom, wrapped in best-practice packaging.
Somewhere, someone from a compliance department is softly weeping.
Attribution, or, “So Who’s Behind the Curtain?”
Volexity can’t quite pin these shenanigans on any one government-backed group. Still, the researchers can do some old-fashioned dot-connecting: The targets (humanitarian NGOs, European organizations) and the methods overlap with prior Device Code Authentication phishing exploits—pointing, rather unsubtly, towards Russian threat actors.
Now, it could be a cunning red herring laid by an entirely different group, but at this stage the tactics and target selection suggest motives far beyond simply seeing what’s inside your Outlook inbox.
Detection and Prevention: Easier Said Than Done
Here’s where things start to hurt. The classic tools in the IT professional’s toolkit—automatic detection of dodgy login locations, flagging unapproved OAuth apps, or blocking suspicious domains—are about as useful here as a screen door on a submarine.
Because everything happens inside Microsoft’s official, buttoned-up processes. Users aren’t staring down malware-ridden browser windows; they’re on home turf, disarmed by the familiar sight of the branded Microsoft login flow. There’s no “consent to a third-party app” red flag for your SIEM to ingest or your admin to mutter about over lunch.
Volexity’s suggestions for mitigation are practical but tough. In resource-strapped or smaller organizations—precisely those humanitarian NGOs who make all-too-frequent phishing targets—implementation poses an uphill battle. Stricter device registration oversight, real-time monitoring of sign-in logs, more focused staff training on OAuth flows… these are all effective, but far from trivial.
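One way to put the sign-in log monitoring Volexity recommends into practice, as an added example that is not code from the article or from Volexity: a small Python detector run over constructed Entra sign-in records. The field names are assumptions modeled on Microsoft Graph’s signIn resource, and the 30-minute window is an arbitrary tuning value.

```python
"""Added example, not code from Volexity or the article: correlate Entra
sign-in records to surface what this campaign leaves behind. The attack runs
on Microsoft's own endpoints, so there is no rogue app or domain to match;
what remains is the split between the victim's interactive login and the
later use of the resulting token from somewhere else. Field names are
assumptions modeled on Microsoft Graph's signIn resource; all records below
are constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample: the victim signs in interactively from Belgium, a
# benign token refresh follows from the same address, then the same
# first-party app is used non-interactively from another country.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "analyst@ngo.example", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.10", "isInteractive": True,
     "createdDateTime": "2025-04-22T09:00:00Z", "location": {"countryOrRegion": "BE"}},
    {"userPrincipalName": "analyst@ngo.example", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.10", "isInteractive": False,
     "createdDateTime": "2025-04-22T09:03:00Z", "location": {"countryOrRegion": "BE"}},
    {"userPrincipalName": "analyst@ngo.example", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "isInteractive": False,
     "createdDateTime": "2025-04-22T09:06:00Z", "location": {"countryOrRegion": "US"}},
]

WINDOW = timedelta(minutes=30)  # assumed tuning value, not from the article


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_token_misuse(signins, window=WINDOW):
    """Alert when an interactive sign-in is followed within `window` by a
    non-interactive sign-in for the same user and app from a different country:
    routine refresh-token use comes from the device the user authenticated on."""
    alerts = []
    by_user = {}
    for rec in sorted(signins, key=_ts):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    for user, events in by_user.items():
        interactive = [e for e in events if e["isInteractive"]]
        for ev in events:
            if ev["isInteractive"]:
                continue
            for base in interactive:
                delta = _ts(ev) - _ts(base)
                same_app = base["appDisplayName"] == ev["appDisplayName"]
                moved = base["location"]["countryOrRegion"] != ev["location"]["countryOrRegion"]
                if timedelta(0) <= delta <= window and same_app and moved:
                    alerts.append({"user": user, "app": ev["appDisplayName"],
                                   "login_ip": base["ipAddress"], "token_ip": ev["ipAddress"],
                                   "minutes_after_login": int(delta.total_seconds() // 60)})
    return alerts
```

On the constructed records the benign same-address refresh produces nothing and only the out-of-country token use is reported; a device registration audit event for the same user in the same window would be the second signal worth joining to this one.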
Let’s be honest, convincing your organization to schedule another cybersecurity training session is a bit like proposing a Monday morning fire drill. Important, but greeted with groans and strategic sick days.
Real-World Implications: What Keeps IT Pros Up at Night
For front-line IT professionals, this attack is the stuff of Kafkaesque nightmares. You’re no longer fighting crude fakes or easy-to-block rogue domains—you’re battling cunning operatives in your own backyard. The very interfaces your users trust are being weaponized against them.
The usual defense of “don’t click suspicious links!” falls flat when the link is to a real Microsoft login, and the advice to “never share your passwords!” doesn’t cover OAuth codes—many users wouldn’t know an OAuth code from a coupon code at this point.
Hidden risks abound, especially in environments that pride themselves on a zero-trust model, only to discover a new layer of trust being quietly exploited right under their nose. The campaign underscores, yet again, that user education must constantly evolve—not just to spot outdated forms of phishing, but to comprehend what legitimate-sounding requests might actually mean in practice.
The Strengths and Limitations of Microsoft’s Architecture
It’s tempting to cast stones at Microsoft for the apparent deficiencies here, but the reality is a bit more nuanced. OAuth’s goal is to simplify secure access, minimize password sharing, and enable robust authentication. Attackers are, in a sense, simply exploiting the “user-in-the-middle”—a perennial vulnerability that technology alone can’t patch away.
The real issue? The attack route takes advantage of the trust users place in Microsoft’s legitimacy. As organizations increasingly adopt cloud-based, single sign-on systems, the surface area for social engineering increases in lockstep. The phishing landscape shifts from technical exploits to subtle tricks on human perception.
Blame the users? Tempting, but let’s not pile on. Even the sharpest IT veteran might get caught off-guard amidst a pile of messages and urgent requests, especially when an attack is so slyly interactive.
Can Organizations Realistically Keep Pace?
Volexity’s advice might be sound, but for many NGOs or smaller offices, limited funds and staff all but guarantee gaps. Even well-resourced enterprises can’t watch every OAuth token in real time. And in the game of cyber cat-and-mouse, attackers only have to get lucky once—a sobering thought for security teams everywhere.
What organizations can do is redouble investment in user education, particularly focusing on emerging forms of social engineering, not just on the bog-standard “phishing 101” dogma. Real-world, targeted phishing drills—including clever OAuth requests and simulated device registration prompts—are fast becoming as essential as annual reviews of your business continuity plan.
And perhaps, it’s time we all lobby Microsoft for new detection mechanisms—ones that can flag anomalous OAuth token usage, even within first-party applications.
The Inevitable Arms Race (and Why We’re All Unwilling Contestants)
The big takeaway from this campaign isn’t just the technical details, as serious as they are. It’s the brutal, ongoing arms race between those trying to secure the digital mundanity of NGOs and IT pros, and those who treat this security infrastructure as little more than a set of locks to pick, doors to jimmy, or humans to sweet-talk.
The future? Expect phishing playbooks to continue evolving—leaning hard into whatever legitimate platform or process seems most trustworthy at a given moment. Cybersecurity defenses, especially those dependent on rigid policies or automated systems, will need constant iteration and, above all, creative human vigilance.
It’s a reminder all too easy to forget: In the end, security isn’t just code or policy—it’s a mindset, a culture, and sometimes, just having a staffer confident enough to say, “I’m not sending you that code, even if you do claim to be from the European Commission.”
Conclusion: The OAuth Code Conundrum
So, next time you get an urgent video call invite by Signal—especially about high-profile, geopolitically sensitive topics—pause before you log in. Not all official-looking Microsoft pages are as safe as you think, and not all requests for authentication codes are routine.
In this cat-and-mouse game, the rules are changing by the week. And that OAuth code you’re about to share? It could be the skeleton key to a world of pain. So, keep your eyes sharp, your users well-trained, and maybe—just maybe—pester your Microsoft rep about some new detection features. After all, it’s not paranoia if they really are out to phish you.
Source: Help Net Security, “Attackers phish OAuth codes, take over Microsoft 365 accounts”