How a New Phishing Trick Bypasses Microsoft 365 MFA
141A new phishing method has emerged that can trick employees into bypassing Microsoft 365’s multi-factor authentication (MFA). This attack uses a clever tactic involving OAuth device registration to give hackers ongoing access to a victim’s account without needing their password. It’s a sophisticated way to break into Microsoft accounts, and it’s mostly targeting businesses and professionals in North America.
How the Attack Works
The attack starts with an email that looks convincing. It might claim to be about a payment, a bonus, a voicemail, or some other important message. The email contains a link that, when clicked, directs the victim to a real Microsoft Office 365 login page. Along with the link, the message asks the user to enter a ‘Secure Authorization’ code.
Here’s the trick: the code isn’t just a one-time password. Instead, it’s a device registration code controlled by the hacker. When the victim enters this code, it’s actually granting the attacker’s device access to their Microsoft account through OAuth. This process is similar to how a smart TV is added to a streaming service, using device registration rather than traditional login credentials.
Why Is This Dangerous?
The main issue is that the attacker gains OAuth tokens—access and refresh tokens—that allow persistent access to the victim’s account. This isn’t about stealing passwords; it’s about hijacking the account’s device authorization. Once set up, the hacker can access emails, files, and apps like Outlook, Teams, and OneDrive without the victim knowing.
This attack exploits how Microsoft 365 and other sites use the OAuth 2.0 Device Authorization Grant process. It’s a way for new devices to be added to an account without needing full credentials, which makes it harder for traditional MFA methods to stop these breaches. While this isn’t entirely new—experts have seen similar tactics before—the way it’s being used now is particularly effective.
Historically, threat actors have used OAuth for phishing since at least 2015. Microsoft warned about ‘consent phishing’ in 2020, where attackers try to get permission to install malicious apps on accounts. Some security researchers even admit they’ve fallen for similar scams. The key defense is to limit which applications can connect to user accounts, and Microsoft offers tools to allow administrators to whitelist trusted apps only.
How to Protect Against This Threat
Security experts recommend restricting app permissions for users. Administrators should carefully manage which applications are allowed to connect via OAuth, reducing the risk of malicious device registration. This can be done through enterprise security settings that allow only approved apps to access user data.
Another important step is user education. Employees should be trained to recognize suspicious emails and not enter codes or click links from untrusted sources. Organizations should also monitor account activity for unusual device registrations or access patterns that could indicate a breach.
While no security measure is foolproof, combining technical controls with awareness training gives the best defense. As attackers continue to develop new methods, staying informed and proactive is key to protecting sensitive information in cloud environments like Microsoft 365.
What do you think?
It is nice to know your opinion. Leave a comment.