Lead Analysts: Jeewan Singh Jalal, Prabhakaran Ravichandhiran and Anand Bodke
KnowBe4 Threat Labs has detected a sophisticated phishing campaign targeting North American businesses and professionals. This attack compromises Microsoft 365 accounts (Outlook, Teams, OneDrive) by abusing the OAuth 2.0 Device Authorization Grant flow, bypassing strong passwords and Multi-Factor Authentication (MFA).
The victim is directed to the legitimate Microsoft device login portal (microsoft.com/devicelogin) to enter an attacker-supplied device code. This action authenticates the victim and causes a valid OAuth access token to be issued to the attacker’s application. The real-time theft of these tokens grants the attacker persistent access to the victim’s Microsoft 365 accounts and corporate data.
Key Takeaways: Campaign at a Glance
- Novel Attack Mechanism: This campaign bypasses traditional security by not stealing credentials. Instead, it tricks the user into authenticating on the legitimate Microsoft domain, and then polls the token endpoint to capture the OAuth Access and Refresh tokens.
- Multi-Factor Authentication (MFA) Bypass: The attack is highly effective as the token theft occurs after the user successfully completes their legitimate MFA challenge.
- Targeting: The campaign is active and ongoing (first observed December 2025), is highly concentrated in North America (with 44%+ of victims in the US), and is notably targeting the tech, manufacturing, and financial services sectors.
- Major Impact: The stolen tokens grant attackers extensive, persistent access to the Microsoft 365 environment, including full read/write/send capabilities for Email, Calendar and Files (OneDrive/SharePoint), and administrative functions.
- Immediate Mitigation: Key defenses include urgently auditing recently consented OAuth applications, searching email logs for specific sender and subject patterns, and for IT/Admin teams, considering the disabling of the device code flow via Conditional Access policies.
The Five-Phase Attack Flow
The following image depicts the complete cycle of this attack, which is broken down into five distinct phases below, from the initial lure to the final token exfiltration.

Phase 1: M365 OAuth Device Code Generation & Lure: The attacker registers an M365 OAuth application and uses it to generate a unique device code, which is then delivered to the victim via a targeted phishing email.
Phase 2: Targeted Victims Fall for the Lure: The victim receives and clicks the malicious link embedded in the phishing email.
Phase 3: Attacker-Controlled Landing Page (Fake M365 site): The victim is directed to the attacker-controlled page, where they are prompted for their email and shown the attacker’s device code with instructions to complete “Secure Authentication.”
Phase 4: User Authentication on Legitimate Microsoft Portal: The victim navigates to the real Microsoft portal (https://microsoft.com/devicelogin), enters the attacker’s device code, and successfully authenticates with their legitimate credentials and MFA.
Phase 5: Token Theft and Persistent Access: The Microsoft Identity Platform issues a valid OAuth access token, which the attacker immediately hijacks. This grants the attacker persistent, long-term access to the victim’s M365 account.

Example of attacker-controlled landing page and user authentication

Example of a compromised OAuth token captured in the attacker’s C2 (command-and-control) infrastructure
Real-World Phishing Lures Observed
The success of this campaign relies heavily on sophisticated social engineering tactics that create a sense of urgency, impersonate trusted services or leverage financial incentives. KnowBe4 Threat Labs has captured several key lures used by the attackers:
| Lure Type | Subject Line Example | Tactic/Hook |
| --- | --- | --- |
| Fake Payment Confirmation | REF-UIVJRW EFT Confirmation: Distribution Notice Payment Processed | Creates urgency around a large ($125,000 USD) electronic funds transfer, suggesting a quick 1-2 business day processing window. |
| Fake Document Sharing | [Contact Name] Shared the document “Q4 Profit related Salary Bonus Distributions Form – Year 25” | Impersonates a Google Drive document sharing notification, leveraging the hook of a financial incentive (salary bonus). |
| Voicemail Notification | [External Email] Voice Mail (925 seconds) | Fake voicemail notification with an unusually long duration to pique the user’s curiosity and encourage them to click a “Listen to Voicemail” call-to-action. |

Examples of real-world phishing lures in the PhishER Plus console
Indicators of Compromise (IOCs) and Actionable Defense
The campaign leaves behind specific artifacts and patterns that security teams can use to hunt for and block the threat immediately.
| IOC Type | Examples |
| --- | --- |
| Sender Address | noreply-application-integration@google.com |
| Malicious Domains | logon[.]sharefileselfservices[.]cloud, sso-services[.]com, newcrowdcapital[.]com |
| Cloud Storage URLs (Infrastructure) | storage[.]cloud[.]google[.]com/…/check[.]html, storage[.]cloud[.]google[.]com/…/captcha[.]html |
| Subject Patterns | Voice Mail (### seconds), ####### Confirmation: Distribution Notice Payment Processed, #### Shared document: “Q4 Profit related Salary Bonus Distributions Form — Year 25” |
Immediate Actions (For Security Teams)
- Block IOCs: Add all known malicious domains and URLs to your email gateway and web proxy block lists.
- Hunt for Compromise: Search email logs for the sender pattern with the identified subject patterns.
- Audit OAuth Applications: In the Microsoft 365 Admin Center, urgently review and revoke permissions for any suspicious or unrecognized OAuth apps.
- Review Sign-in Logs: Audit Azure AD sign-in logs for device code authentication events and query for sign-ins from unusual geographic locations.
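The two hunting steps above (email logs for the sender and subject patterns, sign-in logs for device code authentications and unusual locations) can be scripted against exported log records. The block below is an added example written for this page, not KnowBe4 tooling; it embeds constructed email and sign-in records, takes its IOCs from the table above (with the `[.]` defanging reversed), and assumes the sign-in records follow the Entra ID sign-in log schema, where `authenticationProtocol` is reported as `deviceCode` for device code flow sign-ins. The `…` in the report's storage URLs hides the bucket path, so the storage check matches on host and file name only.

```python
"""Hunt exported email and sign-in log records for the campaign's IOCs."""
import re
from urllib.parse import urlparse


def refang(value: str) -> str:
    """Reverse the report's '[.]' defanging so IOCs can be compared to live log data."""
    return value.replace("[.]", ".")


# IOCs from the report's table.
SENDER_IOC = "noreply-application-integration@google.com"
MALICIOUS_DOMAINS = {refang(d) for d in (
    "logon[.]sharefileselfservices[.]cloud", "sso-services[.]com", "newcrowdcapital[.]com")}
STORAGE_HOST = refang("storage[.]cloud[.]google[.]com")
STORAGE_FILES = ("check.html", "captcha.html")  # bucket path is elided in the report
SUBJECT_PATTERNS = {
    "voicemail": re.compile(r"Voice Mail \(\d+ seconds\)"),
    "payment": re.compile(r"Confirmation: Distribution Notice Payment Processed"),
    "document": re.compile(r"Shared (the )?document.*Q4 Profit related Salary Bonus Distributions Form"),
}


def url_host_and_file(url: str):
    """Split a URL (with or without scheme) into its host and final path component."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return parsed.hostname or "", parsed.path.rsplit("/", 1)[-1]


def hunt_email(records):
    """Return {message_id: [reasons]} for every record matching an email IOC."""
    hits = {}
    for rec in records:
        reasons = []
        if rec.get("sender", "").lower() == SENDER_IOC:
            reasons.append("sender IOC")
        for name, pattern in SUBJECT_PATTERNS.items():
            if pattern.search(rec.get("subject", "")):
                reasons.append(f"subject pattern: {name}")
        for url in rec.get("urls", []):
            host, filename = url_host_and_file(url)
            if host in MALICIOUS_DOMAINS:
                reasons.append(f"malicious domain: {host}")
            elif host == STORAGE_HOST and filename in STORAGE_FILES:
                reasons.append(f"abused storage URL: {filename}")
        if reasons:
            hits[rec["id"]] = reasons
    return hits


def hunt_signins(records, expected_countries):
    """Flag device code flow sign-ins and sign-ins from outside the expected countries.

    Field names are assumed to follow the Entra ID sign-in log schema.
    """
    hits = {}
    for rec in records:
        reasons = []
        if rec.get("authenticationProtocol") == "deviceCode":
            reasons.append("device code flow sign-in")
        country = rec.get("location", {}).get("countryOrRegion")
        if country and country not in expected_countries:
            reasons.append(f"unexpected location: {country}")
        if reasons:
            hits[rec["id"]] = reasons
    return hits


# Constructed sample records (not real telemetry); example.com hosts are placeholders.
EMAIL_LOG = [
    {"id": "m1", "sender": "noreply-application-integration@google.com",
     "subject": "[External Email] Voice Mail (925 seconds)",
     "urls": ["https://storage.cloud.google.com/example-bucket/check.html"]},
    {"id": "m2", "sender": "payroll@example.com",
     "subject": "Q4 timesheet reminder", "urls": ["https://intranet.example.com/timesheets"]},
    {"id": "m3", "sender": "alerts@example.net",
     "subject": "REF-UIVJRW EFT Confirmation: Distribution Notice Payment Processed",
     "urls": ["https://logon.sharefileselfservices.cloud/login"]},
]
SIGNIN_LOG = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "US"}},
    {"id": "s2", "userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "appDisplayName": "Outlook", "location": {"countryOrRegion": "US"}},
    {"id": "s3", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Graph", "location": {"countryOrRegion": "ZZ"}},
]

if __name__ == "__main__":
    for msg_id, reasons in hunt_email(EMAIL_LOG).items():
        print(f"email {msg_id}: {', '.join(reasons)}")
    for event_id, reasons in hunt_signins(SIGNIN_LOG, {"US"}).items():
        print(f"sign-in {event_id}: {', '.join(reasons)}")
```

A device code sign-in is not malicious on its own; the point of pairing it with the location check and the email hits is to give a triage queue ordered by how many indicators a user or message accumulates, and to correlate a flagged sign-in with a lure that reached the same user shortly before it.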
Strategic Controls (For IT/Admin)
- Consider Disabling Device Code Flow: Eliminate this attack vector entirely if your organization does not require the use of the device code flow for shared or public devices.
- PowerShell Command: Update-MgPolicyAuthorizationPolicy -AllowedToUseDeviceCodeFlow $false
Implementing a Human Risk Management (HRM) Approach
With rapidly evolving tactics like this OAuth token theft campaign, security teams can no longer afford a “wait and see” approach. An attack that leverages a legitimate Microsoft domain and bypasses Multi-Factor Authentication shows that traditional perimeter defenses and simple credential checks are insufficient.
Organizations must move quickly to counter these sophisticated threats. Human Risk Management (HRM) provides the necessary framework to do this by dismantling the traditional silos between real-time threat intelligence and user awareness.
One of the most effective ways to build a defense is by transforming these real-world phishing attacks into de-fanged phishing simulations. This will provide highly accurate, contextual training that will equip users to identify and report social engineering threats in real-time.
For real-time updates and ongoing threat intelligence, follow the KnowBe4 Threat Lab on X: @Kb4Threatlabs
