Attackers phish OAuth codes, take over Microsoft 365 accounts
Suspected Russian threat actors are using OAuth-based phishing attacks to get targets to grant them access to their Microsoft 365 (M365) accounts.
“The primary tactics observed involve the attacker requesting victims supply Microsoft Authorization codes, which grant the attacker account access to then join attacker-controlled devices to Entra ID (previously Azure AD), and to download emails and other account-related data,” according to Volexity researchers.
How the attack unfolds
These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code.
In the spotted campaigns, the attackers impersonated officials from various European nations and Ukraine and reached out to victims using a messaging app like Signal or WhatsApp, inviting them to join a video call about the war in Ukraine.
Phishing messages via Signal and WhatsApp (Source: Volexity)
After the victim replies, the attacker sends a link that will ostensibly allow them to join the call. This link leads to a real Microsoft login page, and when the victim logs in (with their M365 account credentials), Microsoft provides them an OAuth code or a specific URL.
The attacker then asks the victim to send them that code or URL. If the victim shares it, the attacker can use it to log into the victim’s Microsoft 365 account and access their emails and files.
The researchers observed several variations of the attack.
Phishing via Visual Studio Code (Source: Volexity)
But in all of the campaigns, social engineering played a big part: targets had to be tricked into logging in, sending codes back to the attackers and, in one campaign, approving a two-factor authentication request after the attacker registered their device to the victim’s Microsoft Entra ID tenant.
Prevention and detection
The campaigns were spotted in March 2025 and were aimed at human rights non-governmental organizations and organizations providing humanitarian aid.
Volexity could not tie these campaigns to specific government-sponsored hacking groups, but thinks it likely that there are overlaps between these threat actors and those that conducted Device Code Authentication phishing campaigns earlier this year.
The targets in both sets of campaigns and the similar tactics used seem to point to Russian threat actors.
“Similar to the Device Code Authentication phishing campaigns … , these recent campaigns benefit from all user interactions taking place on Microsoft’s official infrastructure; there is no attacker-hosted infrastructure used in these attacks,” they noted.
“Similarly, these attacks do not involve malicious or attacker-controlled OAuth applications for which the user must explicitly grant access (and thus could easily be blocked by organizations). The use of Microsoft first-party applications that already have consent granted has proven to make prevention and detection of this technique rather difficult.”
Volexity has provided helpful advice for preventing and detecting these attacks, though staff- and cash-strapped organizations might have trouble implementing it.
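One detection heuristic that follows from the attack chain described above, as an added example (not Volexity’s guidance or Microsoft’s tooling): correlate a user’s sign-in through a first-party app from an IP never seen for that user with a device being registered for the same user shortly afterwards. The log records are constructed samples whose field names and the “Add registered device” activity are assumptions modelled on Entra ID sign-in and audit logs.

```python
"""Heuristic: sign-in via a first-party Microsoft app from a new IP, followed
within a short window by a device registration for the same user.
All records below are constructed samples, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sign-in records (fields assumed: user, app, ip, time).
SIGNINS = [
    {"user": "alice@example.org", "app": "Visual Studio Code", "ip": "198.51.100.7", "time": "2025-03-10T09:00:00Z"},
    {"user": "alice@example.org", "app": "Outlook", "ip": "198.51.100.7", "time": "2025-03-11T10:15:00Z"},
    {"user": "alice@example.org", "app": "Visual Studio Code", "ip": "192.0.2.44", "time": "2025-03-11T11:20:00Z"},
    {"user": "bob@example.org", "app": "Visual Studio Code", "ip": "198.51.100.9", "time": "2025-03-11T12:00:00Z"},
]
# Constructed device-registration audit records (activity name assumed).
DEVICE_EVENTS = [
    {"user": "alice@example.org", "activity": "Add registered device", "time": "2025-03-11T11:32:00Z"},
    {"user": "bob@example.org", "activity": "Add registered device", "time": "2025-03-12T12:00:00Z"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_suspicious(signins, device_events, window_minutes=60, baseline_days=7):
    """Return (user, app, ip, time) for each sign-in whose source IP was not
    seen for that user within `baseline_days` and that was followed within
    `window_minutes` by a device registration for the same user.
    Caveat: with no history every first sign-in counts as novel, so feed the
    function a trailing baseline of older sign-ins to reduce noise."""
    flagged = []
    seen = {}  # user -> {ip: last time that IP was used}
    for e in sorted(signins, key=lambda r: _ts(r["time"])):
        t = _ts(e["time"])
        known = seen.setdefault(e["user"], {})
        novel = e["ip"] not in known or t - known[e["ip"]] > timedelta(days=baseline_days)
        known[e["ip"]] = t
        if not novel:
            continue
        for d in device_events:
            if d["user"] != e["user"] or d["activity"] != "Add registered device":
                continue
            delta = (_ts(d["time"]) - t).total_seconds()
            if 0 <= delta <= window_minutes * 60:
                flagged.append((e["user"], e["app"], e["ip"], e["time"]))
                break
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(SIGNINS, DEVICE_EVENTS):
        print("review:", hit)
```

Each hit is a triage lead, not a verdict: the matching sign-in and registration still need to be checked against the user’s expected devices and locations.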