Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA
Summary:
KnowBe4 Threat Labs has identified a highly sophisticated phishing campaign, active since December 2025, specifically targeting North American organizations within the technology, manufacturing, and financial services sectors. This campaign is notable for its abuse of the OAuth 2.0 Device Authorization Grant flow to circumvent traditional security measures, including strong passwords and Multi-Factor Authentication (MFA). Unlike traditional credential harvesting, this attack does not "steal" a password in the conventional sense. Instead, it utilizes a multi-phase approach where a victim is lured into entering a malicious device code into a legitimate Microsoft domain (microsoft.com/devicelogin). Once the victim authenticates, the attacker’s application polls the token endpoint to capture OAuth Access and Refresh tokens. These tokens provide the threat actor with persistent, real-time access to the victim’s Microsoft 365 environment, including Outlook, Teams, OneDrive, and SharePoint, without triggering further MFA prompts.
Security Officer Comments:
This campaign represents a significant evolution in the threat landscape because it weaponizes legitimate infrastructure to bypass our most trusted defense: MFA. By hosting the final authentication step on a genuine Microsoft portal, the attackers effectively neutralize the "visual inspection" training we give to employees. For our member organizations, the impact is severe; a successful compromise grants an attacker full read/write/send capabilities. This can lead to lateral movement via Teams, internal Business Email Compromise (BEC) that is nearly impossible to detect with standard filters, and the exfiltration of sensitive corporate data from cloud storage. Because the campaign utilizes persistent tokens, an attacker can maintain a "ghost" presence in the environment even if a user changes their password, making traditional remediation steps insufficient. Security teams should view this as a shift from "identity protection" to "token governance," as the vulnerability lies in the trusted relationship between the user and the OAuth application rather than a technical flaw in the MFA protocol itself.
Suggested Corrections:
Immediate Actions (For Security Teams)
Block IOCs: Add all known malicious domains and URLs to your email gateway and web proxy block lists.
Hunt for Compromise: Search email logs for the sender and subject patterns identified in the report.
Audit OAuth Applications: In the Microsoft 365 Admin Center, urgently review and revoke permissions for any suspicious or unrecognized OAuth apps.
Review Sign-in Logs: Audit Azure AD sign-in logs for device code authentication events and query for sign-ins from unusual geographic locations.
Strategic Controls (For IT/Admin)
Consider Disabling Device Code Flow: Eliminate this attack vector entirely if your organization does not require the use of the device code flow for shared or public devices.
- PowerShell Command: Update-MgPolicyAuthorizationPolicy -AllowedToUseDeviceCodeFlow $false
Monitor Consent: Deploy Microsoft Defender for Cloud Apps to monitor and govern OAuth app consent.
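As an added example (not code from the KnowBe4 report or from this bulletin), the following Python triage script applies the sign-in log hunt above to constructed records shaped like exported Entra ID (Azure AD) sign-in entries: it selects device code sign-ins via the `authenticationProtocol` field (assumed here to carry the value `deviceCode`) and ranks each one by whether the country or application falls outside what the organization expects.

```python
# Constructed sample records shaped like exported Entra ID (Azure AD) sign-in
# log entries; every value below is invented for this example.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-01-08T14:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "authorizationCodeFlow",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-01-08T14:09:47Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-01-08T15:30:02Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Kiosk Signage", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-01-08T16:12:55Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.78", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50074}},
]

def triage(records, expected_countries, approved_device_code_apps):
    """One finding per device code sign-in, ranked high > medium > low.

    high: successful device code sign-in from an unexpected country or via an app
    not approved for device code use; medium: successful and within policy;
    low: failed device code attempt, useful to correlate with delivered lures.
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # the hunt is scoped to the device authorization grant
        succeeded = r.get("status", {}).get("errorCode") == 0
        country = r.get("location", {}).get("countryOrRegion", "??")
        app = r.get("appDisplayName", "?")
        reasons = []
        if country not in expected_countries:
            reasons.append(f"country {country} outside expected set")
        if app not in approved_device_code_apps:
            reasons.append(f"app '{app}' not approved for device code flow")
        severity = "low" if not succeeded else ("high" if reasons else "medium")
        findings.append({"user": r["userPrincipalName"], "time": r["createdDateTime"],
                         "ip": r.get("ipAddress"), "severity": severity,
                         "reasons": reasons or ["device code sign-in, matches policy"]})
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f["severity"]))

def run_sample():
    # Expected countries and the approved device-code app list are assumptions.
    return triage(SAMPLE_SIGNINS, expected_countries={"US", "CA"},
                  approved_device_code_apps={"Kiosk Signage"})

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity'].upper():6} {f['user']:18} {f['time']} {f['ip']}  " + "; ".join(f["reasons"]))
```

High findings are the ones to pair with an OAuth app review and token revocation, since a password reset alone does not invalidate tokens already issued through this flow.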
Link(s):
https://blog.knowbe4.com/uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa