Microsoft Defender Security Research has exposed an advanced AI-assisted phishing campaign that abuses the OAuth Device Code Authentication flow to bypass the standard 15-minute code expiration, achieving persistent enterprise account compromise through end-to-end automation.
Legitimate Flow Weaponized Against MFA
Device Code Authentication, designed for input-constrained devices, generates a unique code that the user enters in a browser on a second device. Attackers exploit this decoupling of the victim's authentication from the originating session: the user authorizes the attacker's background session, granting full account access without the password ever being exposed to the phishing page.
The campaign begins with tenant email validation that confirms the target account exists and is active. Multi-stage delivery evades email gateways using compromised legitimate domains and serverless hosting. Browser-in-the-browser iframes simulate trusted login environments.
Clipboard Injection Automates Code Transfer
Malicious pages preload hidden automation that interacts with the Microsoft identity platform. The generated device code is copied automatically to the clipboard; victims paste it into the official login portal and, on completing MFA, unknowingly authenticate the attacker's parallel session.
Background scripts poll in real time to detect MFA completion. Success triggers issuance of an access token to the attacker's session. Registering a Primary Refresh Token (PRT) within 10 minutes establishes long-term persistence.
Post-Compromise Objectives Vary
Some actors immediately register new devices; others wait hours to avoid detection while creating malicious inbox rules and exfiltrating email data. Reconnaissance through Microsoft Graph filters for high-value targets for lateral movement.
Reputation-based filtering is bypassed by combining subdomain hijacking with abuse of legitimate domains. Lures mimic document-signing requests, voicemail notifications and access requests. Pre-loaded email addresses trigger personalized device code generation, enhancing credibility.
Traditional email security fails against legitimate OAuth flows, and endpoint solutions miss browser automation. Behavioral baselines must flag anomalous clipboard activity, iframe overlays and OAuth polling patterns.
Defense Requires OAuth Monitoring
- Audit device code issuance frequency and volume
- Implement application consent policies that restrict scopes
- Enable continuous access evaluation to revoke anomalous sessions
- Deploy browser security controls that block clipboard manipulation
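As an added illustration of the first recommendation (not part of the Microsoft report or this article), the script below runs two detections over constructed sign-in and audit records: a burst of device code sign-ins for distinct users from one source IP, and a device code sign-in followed by a device registration inside the 10-minute persistence window described above. The field names are assumptions modelled loosely on the Entra ID sign-in and audit log schema; adapt them to your export.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names are assumptions.
SIGNINS = [
    {"time": "2024-05-01T09:00:05Z", "upn": "alice@contoso.example", "protocol": "deviceCode", "ip": "203.0.113.10"},
    {"time": "2024-05-01T09:02:40Z", "upn": "bob@contoso.example",   "protocol": "deviceCode", "ip": "203.0.113.10"},
    {"time": "2024-05-01T09:03:15Z", "upn": "carol@contoso.example", "protocol": "deviceCode", "ip": "203.0.113.10"},
    {"time": "2024-05-01T09:10:00Z", "upn": "dave@contoso.example",  "protocol": "none",       "ip": "198.51.100.7"},
]
DEVICE_AUDITS = [
    {"time": "2024-05-01T09:06:30Z", "upn": "alice@contoso.example", "activity": "Add device"},
    {"time": "2024-05-01T12:00:00Z", "upn": "bob@contoso.example",   "activity": "Add device"},
]

def parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def device_code_bursts(signins, window_minutes=5, threshold=3):
    """Return source IPs that complete device-code sign-ins for at least
    `threshold` distinct users inside a sliding window (bulk-phishing pattern)."""
    events = sorted((parse(s["time"]), s["ip"], s["upn"])
                    for s in signins if s["protocol"] == "deviceCode")
    flagged = set()
    for i, (t0, ip, _) in enumerate(events):
        users = {u for t, ip2, u in events[i:]
                 if ip2 == ip and t - t0 <= timedelta(minutes=window_minutes)}
        if len(users) >= threshold:
            flagged.add(ip)
    return sorted(flagged)

def device_code_then_registration(signins, audits, window_minutes=10):
    """Pair each device-code sign-in with a device registration by the same
    user within the window; returns (upn, ip, minutes_elapsed) tuples."""
    alerts = []
    for s in signins:
        if s["protocol"] != "deviceCode":
            continue
        t0 = parse(s["time"])
        for a in audits:
            if a["upn"] == s["upn"] and a["activity"] == "Add device":
                delta = parse(a["time"]) - t0
                if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                    alerts.append((s["upn"], s["ip"], int(delta.total_seconds() // 60)))
    return alerts

if __name__ == "__main__":
    print("burst IPs:", device_code_bursts(SIGNINS))
    print("fast device registrations:", device_code_then_registration(SIGNINS, DEVICE_AUDITS))
```

Bob's registration three hours after sign-in falls outside the window and is not flagged, which is why the burst detection is needed alongside the registration correlation.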
The campaign demonstrates threat actor evolution: automated reconnaissance, delivery obfuscation, real-time authentication hijacking and persistence establishment, all orchestrated to eliminate human latency across thousands of targets simultaneously.
Microsoft Identity Platform Implications
The OAuth protocol's integrity is preserved, but implementation gaps are exposed. A legitimate enterprise feature becomes an attacker force multiplier absent vigilant monitoring, behavioral analytics and session context validation.
The 15-minute expiry is rendered irrelevant by dynamic regeneration of codes. Enterprise SSO becomes a liability when legitimate flows lack verification of the originating context and behavioral anomaly scoring across the authentication ceremony.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.