
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   

[   << oldest   |   < older   |   list   |   newer >   |   newest >>   ]

   Message 2,100 of 2,445   
   Mike Powell to All   
   State actors are abusing   
   20 Dec 25 10:12:26   
   
   TZUTC: -0500   
   MSGID: 1857.consprcy@1:2320/105 2dabfa1b   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   State actors are abusing OAuth device codes to get full M365 account access -   
   here's what we know   
      
   Date:   
   Fri, 19 Dec 2025 14:15:00 +0000   
      
   Description:   
   Researchers spotted multiple groups using the same technique and believe it's   
   only going to get worse.   
      
   FULL STORY   
      
   Cybercriminals, including state-sponsored threat actors, are increasingly   
   abusing Microsoft's OAuth 2.0 device code authentication flow to take over   
   Microsoft 365 accounts.    
      
   This is according to a new report by cybersecurity researchers Proofpoint. In   
   a new paper published on December 18, researchers confirm that they have seen a   
   sharp escalation of social engineering attacks since September 2025, in which   
   victims are tricked into granting access to their accounts.    
      
   The attack usually starts with a phishing email containing either a link or    
   QR code. Victims are then told that in order to view the contents, they need   
   to reauthenticate their account by entering a device code into Microsoft's   
   login page.   
      
   Russians, Chinese, and others    
      
   Once they enter the code, the threat actors receive an access token tied to   
   their account, not only giving them access, but enabling email monitoring,   
   lateral movement, and more.    
      
   The login happens on a real Microsoft domain, Proofpoint further explains,   
   which means that traditional phishing defenses and user awareness checks are   
   mostly useless. The attackers aren't actually stealing passwords or MFA   
   codes, so no alarms are triggered there, either.    
      
   Proofpoint says there are multiple groups currently abusing this technique,   
   including TA2723 (a financially motivated threat actor), UNK_AcademicFlare (a   
   Russian state-sponsored threat actor targeting government and military email   
   accounts for cyber-espionage purposes), and multiple groups from China.    
      
   It was also said that the criminals are using different phishing frameworks,   
   such as SquarePhish 2 and Graphish, which automate device code abuse,   
   support QR codes, and integrate with Azure app registrations. This lowers   
   the barrier to entry and allows even low-skilled threat actors to engage in   
   attacks.    
      
   Proofpoint believes the abuse of OAuth and device code authentication is   
   likely to grow, especially as organizations adopt passwordless and FIDO-based   
   authentication and recommends blocking device code flows via Conditional   
   Access where possible.    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/state-actors-are-abusing-oauth-device-codes-to-get-full-m365-account-access-heres-what-we-know   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: Capitol City Online (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
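
The flow the message above describes, as an added Python model that is not code from the post, from Proofpoint, or from Microsoft. It follows the OAuth 2.0 device authorization grant (RFC 8628: /devicecode, then polling /token with grant_type=urn:ietf:params:oauth:grant-type:device_code) and shows the point that makes the phish work: the token is issued to whoever started the flow, while the person who types the user code on the genuine login page only decides whose account it is for. The login domain, client and account names are made up, and the policy function is a simplified stand-in for a "block device code flow" Conditional Access rule, not Entra's policy engine.

```python
"""In-memory model of the OAuth 2.0 device authorization grant and its abuse.

Added illustration only. Endpoint and field names follow RFC 8628; the login
domain, client IDs and accounts are invented; the policy hook is a simplified
model of a Conditional Access block, not Microsoft's implementation.
"""
import secrets
import string
import time

DEVICE_CODE_PROTOCOL = "deviceCode"


def allow_all(subject, protocol):
    """Default policy: every authentication flow is allowed."""
    return True


def block_device_code_except(exempt):
    """Policy that blocks the device code flow for everyone except the listed
    principals (e.g. a kiosk or break-glass account). Simplified model."""
    exempt = frozenset(exempt)

    def policy(subject, protocol):
        return protocol != DEVICE_CODE_PROTOCOL or subject in exempt
    return policy


class AuthServer:
    # Stands in for the genuine login domain: this is the URL the victim sees.
    VERIFICATION_URI = "https://login.example.test/device"

    def __init__(self, policy=allow_all, lifetime=900, interval=5, clock=time.monotonic):
        self.policy, self.lifetime, self.interval, self.clock = policy, lifetime, interval, clock
        self._pending = {}       # device_code -> flow state
        self._by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1, attacker side: POST /devicecode. The caller learns the code
        the victim must type and the (legitimate) URL to type it at."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self._pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                      "issued": self.clock(), "subject": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": self.interval}

    def _expired(self, state):
        return self.clock() - state["issued"] > self.lifetime

    def user_enters_code(self, user_code, subject):
        """Step 2, victim side: after a normal sign-in (password and MFA) on the
        real login page the victim types the code. The server cannot tell that
        someone else started the flow; policy on this interactive step is the
        only place it can refuse."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        state = self._pending[device_code]
        if self._expired(state):
            return "expired"
        if not self.policy(subject, DEVICE_CODE_PROTOCOL):
            return "blocked_by_policy"
        state["subject"] = subject
        return "approved"

    def token(self, client_id, device_code):
        """Step 3, attacker polls: POST /token with the device_code grant."""
        state = self._pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self._expired(state):
            del self._pending[device_code], self._by_user_code[state["user_code"]]
            return {"error": "expired_token"}
        if state["subject"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code], self._by_user_code[state["user_code"]]
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": state["scope"], "sub": state["subject"], "client_id": client_id}


def run_phish(server, attacker_client="attacker-app", victim="victim@contoso.example"):
    """Walks the three steps as the post describes them and returns what each side got."""
    start = server.device_authorization(attacker_client, "Mail.Read offline_access")
    lure = (f"Your session has expired. Go to {start['verification_uri']} "
            f"and enter code {start['user_code']} to view the document.")
    first_poll = server.token(attacker_client, start["device_code"])  # victim has not acted yet
    outcome = server.user_enters_code(start["user_code"], victim)
    second_poll = server.token(attacker_client, start["device_code"])
    return {"lure": lure, "first_poll": first_poll, "victim_outcome": outcome, "token": second_poll}


if __name__ == "__main__":
    result = run_phish(AuthServer())
    print(result["lure"])
    print("attacker's token:", result["token"])
    blocked = run_phish(AuthServer(policy=block_device_code_except({"kiosk@contoso.example"})))
    print("with device code blocked:", blocked["victim_outcome"], blocked["token"])
```

Two things the model makes visible: the lure points at the genuine verification URI, so URL reputation and "check the domain" training have nothing to catch, and with the blocking policy in place the victim's interactive step fails while the attacker's polling never gets past authorization_pending until the code expires. The expiry handling also shows why the frameworks named in the post automate the flow: a user code is short-lived, so the lure has to be delivered and acted on within the window or the attacker must start over.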
      



(c) 1994,  bbs@darkrealms.ca