In the ever-changing landscape of cybersecurity, enterprises face an adaptable and relentless adversary: the identity-focused attacker. As organizations increasingly move to the cloud, adopt modern authentication, and enforce multifactor authentication (MFA), the techniques used by cybercriminals to compromise corporate credentials have had to evolve. It’s no longer enough for organizations to rely solely on traditional security approaches—the modern enterprise must invest in robust identity protection, maintain an agile defense posture, and adopt solutions that are as dynamic as the threats they’re facing.

The Shifting Battleground: From Credentials to Identity

Historically, cybercriminals have targeted users’ passwords using basic phishing emails and malware designed to steal credentials through straightforward deception. However, the shift to MFA and the emergence of passwordless authentication have changed the equation. Attackers are responding by moving from simple credential harvesting to more sophisticated, multi-stage attacks targeting cloud identities and exploiting the social element of security.
The core of these new phishing strategies is social engineering—the art and science of persuading users, through deception, to surrender sensitive information, download malicious software, or approve permissions that shouldn’t be granted. While technology has advanced, human psychology remains a weak link, and sophisticated threat groups often blend technical exploits with convincing social impersonation.

Evolving Techniques in Identity Attacks

Adversary-in-the-Middle (AiTM) Phishing

One of the most significant shifts observed by the Microsoft Threat Intelligence team is the proliferation of adversary-in-the-middle (AiTM) phishing attacks, particularly as MFA use becomes more widespread. Unlike classic phishing techniques, AiTM attacks use sophisticated phishing kits (like Evilginx) to interpose a proxy server between the user and the legitimate authentication platform. This allows attackers to capture session cookies and tokens that can then be replayed, effectively bypassing MFA, one of the most crucial lines of defense.
The accessibility of Evilginx and similar phishing-as-a-service (PhaaS) platforms has lowered the technical barrier for conducting AiTM phishing. Groups such as Storm-0485 and Star Blizzard have successfully leveraged these tools, drawing users to well-disguised proxy pages often linked through benign-seeming, obfuscated URLs such as Google AMP links. These strategies not only make detection harder but also trick users into believing they’re interacting with a legitimate service.

Critical Response

To counter AiTM threats, relying on MFA alone is insufficient. Organizations should combine MFA with dynamic, risk-based Conditional Access policies—such as those in Microsoft Entra ID Protection. By evaluating sign-in requests using contextual signals (IP, device, historical behavior), enterprises can dynamically adjust authentication requirements and mitigate the risk of token replay and session hijack. Zero Trust Network Access (ZTNA) and solutions like Microsoft Global Secure Access add a further layer, unifying network, identity, and endpoint access controls under a single management pane.

Device Code Phishing

Another technique gaining traction is device code phishing. Attackers manipulate the device code authentication flow—originally designed for securely logging into devices with limited user interfaces—by tricking users into entering provided codes on legitimate Microsoft login pages. Once entered, the threat actors harvest authentication tokens, giving them the same level of access as the original user.
Research from Microsoft indicates that specific threat groups, including Storm-1249 and Storm-2372, actively exploit this method. While these attacks sometimes target high-profile officials with tailored lures (topics like taxes, civil service, or document pre-orders), what makes device code phishing especially dangerous is its ability to bypass many traditional security signals if the flow is not properly restricted by policy.

Critical Response

Microsoft strongly urges organizations to block device code authentication flows by default unless they’re strictly necessary. Where required, these flows should be tightly controlled using Conditional Access policies that assess device health, location, and risk levels before granting access.

OAuth Consent Phishing

OAuth consent phishing is an increasingly popular tactic where threat actors send emails containing links that ask users to grant permissions to malicious apps via the legitimate Microsoft consent framework. Unsuspecting users can unwittingly authorize access to their accounts, often providing far-reaching permissions that allow persistent access through refresh tokens.
A notable twist: In some campaigns, even if users decline the permission prompt, they’re redirected to follow-up phishing domains that attempt AiTM attacks. This illustrates how multi-stage campaign structures are empowering attackers to chain together techniques for higher success rates.

Critical Response

Organizations must restrict app consent privileges, implementing app consent policies that only permit low-risk applications from verified publishers, or applications registered within the corporate tenant. Regular audits of authorized applications and their permissions are critical to preventing backdoor access.

Device Join Phishing

Recent campaigns—some of which Microsoft has attributed to Russian state-aligned actors—have begun capitalizing on device registration exploits. Here, phishing messages are designed to trick users into authorizing attacker-controlled devices to join the corporate environment. This tactic assists adversaries in blending into the network, eventually escalating privileges via local or federated authorization loopholes.

Critical Response

Enterprises should enforce strong authentication requirements for device registration and monitor all join attempts for anomalies. Conditional Access policies that tie registration to trusted locations and known device states establish a critical line of defense.

Modern Lures and the Human Element

Despite advances in technical controls, social engineering remains at the heart of the most devastating phishing operations. Attackers adapt their lures to current events, organizational workflow, and even the evolving digital habits of employees.

Impersonation and Social Spoofing

The rise of targeted spear phishing—campaigns that leverage publicly available information, compromised accounts, or impersonation of trusted figures—is leading to highly personalized attacks. Microsoft has tracked groups like Star Blizzard, which shifted from weaponized attachments to direct spear phishing with highly believable communications. By masquerading as known political or diplomatic figures or mimicking internal business workflows, these lures sidestep many automated security defenses.

The Proliferation of QR Code Lures

QR codes have found their way into modern phishing for good reason: users are accustomed to scanning them for events, payments, or communication. Attackers now embed QR codes in emails, posters, or even SMS campaigns. One campaign used deliberately broken QR codes to start a conversation with the target and set up a follow-up attack, eventually steering victims to legitimate services (like WhatsApp) where the attackers could complete account takeovers.

The Influence of AI on Phishing

The accessibility of advanced generative AI and large language models (LLMs) is turbocharging the scale and credibility of phishing lures. Threat actors such as Emerald Sleet and Crimson Sandstorm have been observed using AI to generate fluent, nuanced spear phishing messages in multiple languages, erasing the tell-tale signs (poor grammar, awkward syntax) that once unmasked fraudsters.
LLMs enable threat groups to automate large-scale credential phishing, tailor campaigns to specific industries (such as a recent wave targeting hospitality), and even mimic the writing style of known business contacts.

Caution

While Microsoft and OpenAI are actively tracking the misuse of generative AI in social engineering, organizations must recognize that detection will become harder as adversaries continue to refine their AI-driven tactics.

Phishing Moves Beyond Email

As communication tools diversify—chat, collaboration platforms, and social media—attackers follow. Malicious parties now adopt whatever channel can reach victims, often at the intersection of business and personal life.

Microsoft Teams Phishing

Threat actors such as Storm-1674 use fraudulent Teams tenants to create meetings or send chat invitations that contain malicious payloads or credential phishes. More alarmingly, recent campaigns have directly called users via Teams, simulating internal business processes to build credibility and urgency.
Microsoft has responded by proactively blocking malicious tenants, but defending against these attacks also requires the full set of Teams security best practices: restricting external access, enforcing domain allow-listing, and training users to recognize suspicious messages from unfamiliar or unexpected sources.

Social Media and Third-Party App Abuse

Threat groups regularly utilize social networks like LinkedIn and Facebook to lure targets. Mint Sandstorm, for example, combines spear phishing with intelligence gathered from public profiles to tailor attacks—demonstrating how expanded digital footprints create additional angles for exploitation.
Solutions like Microsoft’s Global Secure Access (GSA) allow for tighter control of social media access on company-owned devices, minimizing the risks posed by lateral communication across platforms.

Post-Compromise: Identity as a Platform for Lateral Movement

The danger doesn’t end with an initial compromise. Modern attackers treat a breached identity as a launchpad for broader access, persistence, and lateral movement within (and sometimes across) organizations.

Internal Phishing and Lateral Movement

Threat actors now use compromised accounts to send further phishing messages internally, leveraging their legitimacy. Storm-0539, a group targeting retail organizations, uses acquired helpdesk emails and internal templates to craft highly convincing AiTM phishing pages that further expand attacker footholds.
Similarly, device code phishing payloads—already mentioned for initial compromise—are repurposed for rapid internal spread, with payload efficacy measured in minutes. Multiple campaign waves can ensue as attackers attempt to net additional privileged identities before detection.

Recommendations for Defense

  • Configure Safe Links and other advanced anti-phishing solutions to scan both external and internal communication.
  • Train staff to be skeptical even of internally sourced messages, especially those involving file sharing or unexpected requests.
  • Monitor for excessive or unusual device registrations linked to individual accounts.
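As an added example (not code from the original post or from Microsoft's tooling), the following Python triage of constructed sign-in and device-registration records flags the three signals discussed above: a session id replayed from a different country minutes later (the AiTM token-replay pattern), completed device code sign-ins where policy should have blocked the flow, and bursts of device registrations by one account. The field names are simplified assumptions, not the exact Entra log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field names are simplified (assumed), not the exact schema.
SIGNINS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@corp.example", "ip": "203.0.113.10",
     "country": "GB", "session": "s-111", "protocol": "none"},
    # Same session id reappearing from another country minutes later: the
    # cookie captured by an AiTM proxy being replayed against the real service.
    {"time": "2024-05-01T09:12:00", "user": "alice@corp.example", "ip": "198.51.100.7",
     "country": "NG", "session": "s-111", "protocol": "none"},
    # A completed device code sign-in, which policy is supposed to block.
    {"time": "2024-05-01T10:30:00", "user": "bob@corp.example", "ip": "192.0.2.44",
     "country": "GB", "session": "s-222", "protocol": "deviceCode"},
]
DEVICE_JOINS = [  # four device registrations by one account within minutes
    {"time": f"2024-05-01T11:{m:02d}:00", "user": "carol@corp.example", "device": f"WIN-{m}"}
    for m in (1, 2, 3, 4)
]

def _ts(s):
    return datetime.fromisoformat(s)

def session_replays(signins, window=timedelta(hours=1)):
    """Same session id seen from two countries within `window`: token-replay indicator."""
    by_session = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["time"]):
        by_session[rec["session"]].append(rec)
    hits = []
    for sid, recs in by_session.items():
        for a, b in zip(recs, recs[1:]):
            if a["country"] != b["country"] and _ts(b["time"]) - _ts(a["time"]) <= window:
                hits.append((sid, a["user"], a["country"], b["country"]))
    return hits

def device_code_signins(signins):
    """Every completed device code sign-in deserves review where the flow is blocked by policy."""
    return [(r["user"], r["ip"]) for r in signins if r["protocol"] == "deviceCode"]

def device_join_bursts(joins, limit=3, window=timedelta(hours=24)):
    """Users registering more than `limit` devices inside any `window`-long period."""
    by_user = defaultdict(list)
    for j in sorted(joins, key=lambda r: r["time"]):
        by_user[j["user"]].append(_ts(j["time"]))
    flagged = []
    for user, times in by_user.items():
        if any(sum(1 for t in times if start <= t <= start + window) > limit for start in times):
            flagged.append(user)
    return flagged
```

Tune the window and the registration limit to the tenant's own baseline; a single country change on a long-lived session can be legitimate travel, so treat the replay check as a prioritisation signal rather than a verdict.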

Toward a Defense-in-Depth Mindset

No single product or policy can guarantee protection—defense-in-depth remains essential.

Identity First: MFA, Passkeys, and Beyond

The gold standard for identity protection is phishing-resistant authentication. Passwordless methods (like passkeys) now offer both usability and robust defense. Where passwordless isn’t yet feasible, mandate MFA using secure channels (such as Microsoft Authenticator) and layer in Conditional Access policies for real-time risk assessment.
Additionally, consider the following best practices:
  • Restrict user consent to enterprise-managed cloud applications; audit regularly.
  • Only allow passkey and MFA registration from trusted, monitored devices or locations.
  • Harden privileged accounts with stricter authentication and monitoring.
  • Continuously review device code flow permissions and block when possible.

Human-Centered Security: Training and Simulation

Even with the most advanced controls, awareness training remains vital. Employees should undergo realistic attack simulations—including simulated Teams and internal phishing campaigns—to help build vigilance.
Microsoft Defender for Office 365 offers integrated simulation and reporting, helping organizations measure progress and adapt training to emerging threats.

Zero Trust and Secure Access Solutions

A Zero Trust model assumes no implicit trust for any access request, internal or external. Solutions like Microsoft Global Secure Access (GSA) facilitate endpoint, identity, and network access management, screening both cloud and on-premises resources.

Automating and Accelerating Incident Response

Given the speed and adaptability of modern threat actors, organizations must invest in automation for attack detection, response, and remediation. Microsoft’s “Secure by Default” initiative demonstrates the value of automated baseline protections, including preconfigured security defaults for new tenants.

Measuring the Risk

According to Microsoft Incident Response data, phishing or social engineering was the initial access vector in nearly one in four enterprise breaches. This aligns with broader industry findings: despite billions spent on security, most successful cyberattacks still start with convincing a user to click a single malicious link, scan a code, or install a rogue application.

The Path Forward: Practical Recommendations

To remain resilient against evolving identity-centric attacks, organizations should:
  • Implement phishing-resistant authentication (passkeys, FIDO2, security keys) wherever possible.
  • Layer risk-based Conditional Access and Zero Trust policies for all authentication events.
  • Restrict and monitor device code authentication flows.
  • Set rigorous OAuth consent policies and audit third-party apps regularly.
  • Practice incident simulations across all major communication channels, not just email.
  • Regularly update training content to cover current lures—such as QR codes, AI-generated phishing, and messaging platform deception.
  • Seamlessly integrate security across cloud, network, and endpoint with unified management (such as Microsoft Entra and GSA).

Conclusion

The identity attack surface will continue to evolve, driven by both technology shifts and the cunning of human adversaries. Organizations must see identity protection not as a product to purchase or a box to check, but as a continuous, layered commitment—one encompassing people, process, and technology.
Microsoft’s latest intelligence affirms two key realities: threat actors are more sophisticated and creative than ever, but the tools and frameworks to defend against them are available and accessible to all organizations. By implementing phishing-resistant, passwordless solutions, strengthening policies, and building a culture of vigilance and resilience, enterprises can stay a step ahead in the ongoing battle to protect digital identities.
Vigilance, layered security controls, and proactive adaptation will remain the enterprise's best defense against identity threats, now and into the future.

Source: Microsoft, "Defending against evolving identity attack techniques", Microsoft Security Blog