Practical OAuth Abuse for Offensive Operations – Part 1
ID: 9ef5b4d7-8431-5b29-b51a-195af7714518
STIX ID: report--9ef5b4d7-8431-5b29-b51a-195af7714518
Feed Name: TrustedSec blog
This blog post explains OAuth concepts and demonstrates how attackers can abuse Microsoft 365/Azure AD authentication flows (notably the device authorization flow and ROPC) to obtain access tokens and refresh tokens. Those tokens enable persistent access, bypass some defenses such as password changes, and leverage MFA-protected sessions. The post also describes attack techniques including social-engineered device login prompts, password spraying, and user enumeration against OAuth endpoints.
