Phishy Business: Microsoft 365 Accounts Hooked by Clever OAuth Attacks!

Phishing attacks are getting a tech twist! Cybercriminals are using the OAuth device code authorization mechanism to sweet-talk victims into granting access to their Microsoft 365 accounts. It’s like handing over your house keys because someone asked nicely at the door. Stay cautious and don’t let cybercriminals crash your email party!

3P
Published: December 19, 2025 5:23 pmAdded: December 19, 2025 at 9:57 amAssembled by: The Editor
Pro Dashboard

Hot Take:

Oh, Microsoft 365 users, it seems the scammers have found a loophole in your technological fortress by turning the very device login page meant to protect you into their own devious accomplice. It’s like inviting a vampire in, but instead of fangs, they come with a phishing kit and a charming smile!

Key Points:

  • Cybercriminals exploit OAuth device code authorization to access Microsoft 365 accounts without stealing credentials.
  • Phishing attacks have surged since September, involving both criminals and state-aligned actors.
  • Threat actors use phishing kits like SquarePhish and Graphish for device code attacks.
  • Campaigns include salary bonus scams, TA2723 attacks, and state-aligned activities.
  • Organizations are advised to implement Microsoft Entra Conditional Access to block these attacks.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?