Vulnerability | International | Le Monde Informatique

OAuth codes exploited to hijack Microsoft 365 accounts

Monday, December 29, 2025

What

Cybersecurity firm Proofpoint has warned of a surge in phishing campaigns that abuse Microsoft's legitimate OAuth 2.0 device authorization flow. Victims are shown a convincing but fraudulent Microsoft OAuth sign-in page and told to enter a "one-time password" on a genuine Microsoft verification URL; the code is in fact the user code of a device authorization request the attacker started. When the victim approves it, completing MFA themselves on the real Microsoft page, Microsoft issues the access and refresh tokens to the attacker's polling client. The attacker therefore never has to defeat MFA and gains persistent, unauthorized access to the corporate M365 account for as long as the refresh token stays valid. The technique has moved from targeted attacks to large-scale exploitation, enabling account takeover, data exfiltration, and lateral movement inside compromised environments.

Where

The attacks primarily target enterprise M365 accounts globally. Specific targets identified for state-aligned campaigns (e.g., UNK_AcademicFlare) include government entities, think tanks, higher education institutions, and transportation sectors in the United States and Europe. Earlier, similar OAuth abuse also affected Salesforce environments of hundreds of companies, including Google and Qantas.

When

Proofpoint has observed a sharp increase in these campaigns since September 2025, with state-aligned actors using the technique since January 2025. The earlier OAuth abuse against Salesforce environments began in June 2025. The underlying tool, SquarePhish, was first published on GitHub in 2022.

Key Factors

  • The attack leverages the OAuth 2.0 device authorization flow (RFC 8628), a legitimate feature designed for input-constrained devices such as smart TVs and IoT hardware. The victim approves the attacker's device code on a genuine Microsoft URL and satisfies MFA there, so the tokens issued to the attacker already satisfy the MFA requirement; MFA is not broken, it is performed by the victim on the attacker's behalf.
  • The spread of these attacks is driven by readily available phishing kits such as SquarePhish2 and Graphish, which automate the device authorization grant and simplify the creation of convincing phishing pages, lowering the barrier to entry for less skilled attackers.
  • The technique is an evolution in phishing, shifting from the voice phishing used in the earlier Salesforce attacks to email-based social engineering, which lets threat actors run campaigns at much larger scale. Automation that generates the device code only when the victim interacts with the lure works around the short lifetime of device codes (15 minutes in Microsoft's implementation).
  • Both financially motivated cybercriminals and state-aligned APT groups, including those linked to Russia (e.g., UNK_AcademicFlare) and China, are actively using this method for purposes ranging from data exfiltration and extortion to espionage against government, academic, and critical infrastructure sectors.
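To make the mechanism described in the What section and the first Key Factor concrete, here is an added example (not code from the article, from Proofpoint, or from any phishing kit): a toy authorization server implementing the device authorization grant of RFC 8628, plus one phishing round against it. The server, the client id, the verification URI and the 15-minute code lifetime are assumptions for the simulation. It shows that the token is issued to whichever client holds the device_code, so the victim's MFA on the legitimate page is what authorizes the attacker, and that a code generated too early before the victim acts simply expires, which is why the kits generate it on demand.

```python
import secrets

# Assumption for the simulation: codes live 15 minutes, as in Microsoft's implementation.
DEVICE_CODE_LIFETIME = 900
VERIFICATION_URI = "https://login.example.test/devicelogin"  # hypothetical stand-in for the real page


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Toy authorization server for the device authorization grant (RFC 8628).
    It has no way to know which client the approving user believes they are approving."""

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}        # device_code -> request record
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id):
        """POST /devicecode: anyone who knows a public client id can start a request."""
        device_code = secrets.token_urlsafe(32)
        alphabet = "BCDFGHJKLMNPQRSTVWXZ"
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code,
                                     "issued": self.clock(), "approved_by": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": DEVICE_CODE_LIFETIME, "interval": 5}

    def _expired(self, rec):
        return self.clock() - rec["issued"] > DEVICE_CODE_LIFETIME

    def user_approves(self, user_code, username, mfa_passed):
        """The verification page: the user types the code and completes MFA here.
        This is the genuine login page, so nothing about it looks like phishing."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or not mfa_passed:
            return False
        rec = self.pending[device_code]
        if self._expired(rec):
            return False
        rec["approved_by"] = username
        return True

    def token(self, device_code):
        """POST /token: tokens go to the holder of device_code, whoever that is."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self._expired(rec):
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(48),
                "subject": rec["approved_by"], "client_id": rec["client_id"]}


def phish(server, clock, victim, delay_before_click=60, mfa_passed=True):
    """One phishing round: the attacker starts the request, mails the user_code to the
    victim as a fake 'one-time password' pointing at verification_uri, waits for the
    click, then polls the token endpoint. Returns the token endpoint's response."""
    start = server.device_authorization(client_id="attacker-chosen-public-client")
    clock.advance(delay_before_click)                              # victim reads the mail later
    server.user_approves(start["user_code"], victim, mfa_passed)   # victim follows the lure
    clock.advance(start["interval"])                               # attacker's next poll
    return server.token(start["device_code"])


if __name__ == "__main__":
    clk = FakeClock()
    srv = AuthorizationServer(clk)
    print(phish(srv, clk, "alice@corp.example"))                          # tokens for alice
    print(phish(srv, clk, "bob@corp.example", delay_before_click=1200))  # expired_token
    print(phish(srv, clk, "carol@corp.example", mfa_passed=False))       # authorization_pending
```

The second call is the failure mode the kits automate around: a code minted 20 minutes before the victim acts is dead on arrival, so the kit waits for the click before calling the device authorization endpoint. The third call shows that the attacker learns nothing until the victim has fully authenticated; the server cannot tell the two cases apart.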

Takeaways

  • Organizations should run user training that covers phishing which abuses legitimate authentication flows, in particular lures that present a device code as an OTP to be entered on a real Microsoft page.
  • Monitor OAuth application registrations, consent grants and permissions in the M365 tenant, and review Entra ID sign-in logs for device code authentications and unusual sign-in patterns (new locations, new client applications, several users authenticating from one IP) that could indicate device code phishing.
  • Use Entra ID Conditional Access to block the device code flow (the "Authentication flows" condition) for all users, with narrow exceptions for the devices or networks that genuinely need it, and move to phishing-resistant MFA such as FIDO2 security keys. Note the limit of the second measure: in device code phishing the victim authenticates legitimately on the real Microsoft page, so a FIDO2 key does not by itself stop the attack; blocking the flow is what prevents it, and revoking the sessions and refresh tokens of affected users is what ends an access already obtained.
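As an added example for the monitoring takeaway above (not code from the article or from Proofpoint), the following detection runs over constructed Entra ID sign-in records whose field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode); the users, IPs, countries, apps, thresholds and severity labels are assumptions. It flags successful device-code sign-ins, rates them higher when the country is outside the baseline built from the user's non-device-code sign-ins, and raises a campaign finding when several users' device-code sign-ins share one IP address. That last signal works because, in the device code flow, the IP recorded on the sign-in is the client that polled the token endpoint, which in a phishing case is the attacker's infrastructure rather than the victim's machine.

```python
import json
from collections import defaultdict

# Constructed sample records, not real logs. Field names follow the Microsoft Graph
# signIn resource; values (users, IPs, countries, apps, error codes) are invented.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-12-01T08:02:11Z", "userPrincipalName": "alice@corp.example", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"}, "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "authorizationCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T08:05:40Z", "userPrincipalName": "bob@corp.example", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "FR"}, "appDisplayName": "Microsoft Teams", "authenticationProtocol": "authorizationCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T08:10:03Z", "userPrincipalName": "dave@corp.example", "ipAddress": "192.0.2.9", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T09:14:02Z", "userPrincipalName": "alice@corp.example", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T09:20:30Z", "userPrincipalName": "bob@corp.example", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T09:21:00Z", "userPrincipalName": "dave@corp.example", "ipAddress": "192.0.2.9", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T09:25:12Z", "userPrincipalName": "erin@corp.example", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""


def parse_signins(text):
    """One JSON object per line, as exported sign-in logs are commonly stored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_device_code_abuse(records, min_users_per_ip=2):
    """Return findings for device-code sign-ins. Baseline countries per user come
    from successful sign-ins that did not use the device code flow; a device-code
    sign-in outside that baseline is 'high', inside it 'medium'. Several users
    completing device-code sign-ins from one IP yields a 'shared_polling_ip' finding."""
    records = sorted(records, key=lambda r: r["createdDateTime"])
    baseline = defaultdict(set)   # user -> countries seen on non-device-code sign-ins
    users_by_ip = defaultdict(set)
    findings = []
    for r in records:
        succeeded = r.get("status", {}).get("errorCode", 0) == 0
        user = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion")
        if r.get("authenticationProtocol") != "deviceCode":
            if succeeded and country:
                baseline[user].add(country)
            continue
        if not succeeded:
            continue   # failed or interrupted attempt: no token was issued, not counted here
        ip = r["ipAddress"]
        users_by_ip[ip].add(user)
        findings.append({
            "type": "device_code_signin",
            "time": r["createdDateTime"],
            "user": user,
            "ip": ip,
            "country": country,
            "app": r.get("appDisplayName"),
            "severity": "medium" if country in baseline[user] else "high",
        })
    for ip, users in users_by_ip.items():
        if len(users) >= min_users_per_ip:
            findings.append({"type": "shared_polling_ip", "ip": ip,
                             "users": sorted(users), "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in detect_device_code_abuse(parse_signins(SAMPLE_SIGNINS)):
        print(json.dumps(f))
```

On the sample data alice and bob are rated high (device-code sign-ins from NL against an FR baseline) and share the polling IP 198.51.100.77, which produces the campaign finding; dave's device-code sign-in from his usual country is rated medium and still deserves a look, since legitimate Azure CLI use is exactly what the lure imitates. In a real tenant the baseline should be built from weeks of history rather than the same batch, and a device-code sign-in for a user who has never used a CLI or IoT client is worth treating as high regardless of location.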