OAuth Device Code Phishing Targeting Microsoft 365

Published on: December 28, 2025

Overview

Organizations are facing a widespread and actively exploited phishing campaign targeting Microsoft 365 (M365) environments through abuse of the OAuth 2.0 device authorization flow. Commonly known as OAuth device code phishing, this technique exploits Microsoft’s legitimate device login mechanism to obtain unauthorized OAuth access tokens.

By convincing users to enter attacker-generated device codes on official Microsoft login pages, threat actors gain persistent access to Microsoft 365 resources without stealing passwords. Due to its reliance on legitimate authentication infrastructure, this attack is difficult to detect using traditional phishing or credential-based controls and should be treated as a high-priority identity threat.

Who It Impacts

  • Microsoft 365 users across enterprise and cloud environments
  • Organizations using Azure AD / Microsoft Entra ID
  • Users with access to email, collaboration tools, and sensitive data
  • Privileged users and executives, who are frequently targeted for persistence and lateral movement

How It Impacts

Successful exploitation may result in:

  • Unauthorized access to Microsoft 365 accounts via attacker-issued OAuth tokens
  • Persistent account access even after password resets
  • Theft of email, chat, document, and directory data
  • Business Email Compromise (BEC) and user impersonation
  • Abuse of trusted accounts for internal phishing and propagation
  • Reduced visibility and delayed detection due to legitimate OAuth activity

Targeted Products

  • Microsoft 365 (Exchange Online, OneDrive, SharePoint, Teams)
  • Azure Active Directory / Microsoft Entra ID
  • Microsoft OAuth 2.0 Device Authorization Flow

Recommendations

Identity Hardening

  • Restrict or block OAuth device-code authentication using Conditional Access policies
  • Deploy changes initially in report-only or policy impact mode
  • Limit device-code authentication to approved users, roles, and trusted IP ranges
  • Require compliant or registered devices, particularly for privileged users
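The Conditional Access items above map onto a single policy object. The following is an added example, not from the advisory: it builds the request body for a Microsoft Graph `conditionalAccessPolicy` that blocks the device code flow using the `authenticationFlows.transferMethods` condition, starts it in report-only mode, excludes an approved group and a trusted named location, and includes a simplified local evaluator so you can see which sign-ins the policy would affect before enforcing it. The group and named-location GUIDs, the trusted IP range, and the assumption that the named location equals `TRUSTED_RANGES` are placeholders.

```python
"""Build an Entra Conditional Access policy blocking the OAuth device code
flow and locally evaluate which sign-ins it would affect.

Added example (not from the advisory). Assumes the Graph API
conditionalAccessPolicy schema with the authenticationFlows.transferMethods
condition; GUIDs and IP ranges below are placeholders for your tenant.
"""
import ipaddress
from dataclasses import dataclass

# Placeholder object ids; replace with your tenant's group / named location ids.
APPROVED_DEVICE_CODE_GROUP = "00000000-0000-0000-0000-00000000aaaa"
TRUSTED_LOCATION_ID = "00000000-0000-0000-0000-00000000bbbb"
# Placeholder corporate egress range, assumed to be what TRUSTED_LOCATION_ID covers.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def build_device_code_block_policy(enforce: bool = False) -> dict:
    """Return the body for POST /identity/conditionalAccess/policies.

    Defaults to report-only (enabledForReportingButNotEnforced) so the
    impact can be reviewed in sign-in logs before flipping to 'enabled'.
    """
    return {
        "displayName": "Block OAuth device code flow",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [APPROVED_DEVICE_CODE_GROUP],
            },
            "applications": {"includeApplications": ["All"]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [TRUSTED_LOCATION_ID],
            },
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


@dataclass
class SignIn:
    user: str
    groups: set          # object ids of the user's groups
    ip: str
    protocol: str        # "deviceCode" or "none" as in Entra sign-in logs


def policy_applies(policy: dict, s: SignIn) -> str:
    """Return 'block', 'report-only' or 'allow' for one sign-in.

    A simplified model of Entra's evaluation: the policy only matters for
    device code sign-ins, excluded groups and trusted locations are exempt,
    and the outcome depends on whether the policy is enforced yet.
    """
    cond = policy["conditions"]
    if "deviceCodeFlow" not in cond["authenticationFlows"]["transferMethods"]:
        return "allow"
    if s.protocol != "deviceCode":
        return "allow"
    if s.groups & set(cond["users"]["excludeGroups"]):
        return "allow"
    addr = ipaddress.ip_address(s.ip)
    if TRUSTED_LOCATION_ID in cond["locations"]["excludeLocations"] and any(
        addr in net for net in TRUSTED_RANGES
    ):
        return "allow"
    return "block" if policy["state"] == "enabled" else "report-only"


if __name__ == "__main__":
    # 196.251.80.184 is the IP address the advisory lists as an IOC.
    s = SignIn("cfo@example.com", set(), "196.251.80.184", "deviceCode")
    print("report-only policy:", policy_applies(build_device_code_block_policy(), s))
    print("enforced policy:   ", policy_applies(build_device_code_block_policy(True), s))
```

Deploy the body with `build_device_code_block_policy()` first, review the report-only results in the sign-in logs, then re-issue with `enforce=True` once the approved-user group and trusted location cover the legitimate device code usage (headless hosts, CLI tooling) you found.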

Monitoring and Governance

  • Regularly audit OAuth app registrations and consent grants
  • Monitor OAuth token usage and anomalous sign-in behavior
  • Alert on new or suspicious OAuth application authorizations
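Monitoring device code usage is concrete once you know which sign-in log fields to read. The following is an added example, not from the advisory: it triages a JSON-lines export of Entra sign-in records, keeping only entries whose `authenticationProtocol` is `deviceCode`, and rates each by whether it succeeded, whether the user is approved for the flow, whether the source network is trusted, and whether the IP matches the advisory's published IOC. The sample records, the trusted range and the approved-user list are constructed; the field names follow the Graph `signIn` resource.

```python
"""Triage device code sign-ins from a Microsoft Entra sign-in log export.

Added example (not from the advisory). Assumes the Graph signIn resource's
field names (userPrincipalName, ipAddress, authenticationProtocol,
appDisplayName, createdDateTime, status.errorCode). The records below are
constructed; 196.251.80.184 is the IP the advisory lists as an IOC and the
other addresses come from documentation ranges.
"""
import ipaddress
import json
from collections import defaultdict

SAMPLE_LOG = """\
{"createdDateTime":"2025-12-20T09:01:11Z","userPrincipalName":"cfo@example.com","ipAddress":"196.251.80.184","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2025-12-20T09:03:40Z","userPrincipalName":"cfo@example.com","ipAddress":"203.0.113.7","authenticationProtocol":"none","appDisplayName":"Outlook","status":{"errorCode":0}}
{"createdDateTime":"2025-12-20T10:15:02Z","userPrincipalName":"it-admin@example.com","ipAddress":"203.0.113.9","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","status":{"errorCode":0}}
{"createdDateTime":"2025-12-20T11:45:22Z","userPrincipalName":"analyst@example.com","ipAddress":"198.51.100.23","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
"""

TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder corp egress
APPROVED_DEVICE_CODE_USERS = {"it-admin@example.com"}     # e.g. CLI use on headless hosts
KNOWN_BAD_IPS = {"196.251.80.184"}                         # from the advisory's IOC list


def parse_signins(text: str) -> list:
    """Parse a JSON-lines export into a list of sign-in dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_device_code_signins(records: list) -> list:
    """Return (severity, upn, ip, reason) tuples for device code sign-ins.

    'high'   : succeeded and at least one risk reason applies
    'medium' : a risk reason applies but the sign-in failed (errorCode != 0)
    'info'   : approved user or trusted network, kept for baselining
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        ip = r["ipAddress"]
        trusted = any(ipaddress.ip_address(ip) in net for net in TRUSTED_RANGES)
        succeeded = r.get("status", {}).get("errorCode", 0) == 0
        reasons = []
        if ip in KNOWN_BAD_IPS:
            reasons.append("source IP matches published IOC")
        if upn not in APPROVED_DEVICE_CODE_USERS and not trusted:
            reasons.append("device code flow by unapproved user from untrusted network")
        if reasons and succeeded:
            sev = "high"
        elif reasons:
            sev = "medium"
        else:
            sev = "info"
        findings.append((sev, upn, ip, "; ".join(reasons) or "approved/trusted device code sign-in"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 1, 'info': 1, 'medium': 1}."""
    by_sev = defaultdict(int)
    for sev, *_ in findings:
        by_sev[sev] += 1
    return dict(by_sev)


if __name__ == "__main__":
    results = triage_device_code_signins(parse_signins(SAMPLE_LOG))
    for row in results:
        print(" | ".join(row))
    print(summarize(results))
```

The 'info' rows matter as much as the 'high' ones during the report-only phase: they are the legitimate device code usage that your Conditional Access exclusions need to cover before the policy is enforced.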

User Awareness

  • Update security training to explicitly instruct users never to enter verification codes received via email, QR codes, or unexpected prompts, even when redirected to legitimate Microsoft login pages.

Indicators of Compromise (IOCs)

Domains

  • xgjtvyptrjlsosv.live
  • vaultally.com
  • docifytoday.com
  • filetix.com
  • nebulafiles.com
  • novodocument.com
  • spacesdocs.com
  • acxioswan.com
  • acxishare.com
  • collabodex.com
  • infoldium.com
  • renewauth.com
  • myfilepass.com
  • confidentfiles.com
  • magnavite.com
  • bluecubecapital.com
  • allspringglobalinvestmentsllc.onmicrosoft.com
  • aresmanagementllc.onmicrosoft.com
  • citadeladvisorsllc.onmicrosoft.com
  • cpuhp.onmicrosoft.com
  • millenniummanagementllc.onmicrosoft.com

URLs

  • hxxps://sharefile.progressivesharepoint.top/
  • hxxps://progressiveweba.z13.web.core.windows.net
  • hxxps://agimplfundmgt.z13.web.core.windows.net
  • hxxps://blackrockfundmgt.z13.web.core.windows.net
  • hxxps://login.microsoftonline.com/common/oauth2/deviceauth
  • hxxps://portal.msprogresssharefile.cloud/
  • hxxps://sharingfilesystems.z13.web.core.windows.net
  • hxxps://clientlogin.blitzcapital.net/
  • hxxps://myapplicationinterfaces.s3.eu-north-1.amazonaws.com/index.html
  • hxxps://corphostedfileservices.s3.eu-north-1.amazonaws.com/auth.html

IP Addresses

  • 196.251.80.184

References