Hunt Before They Hide - From Device Codes to Fake IT Support: Detecting Active Microsoft 365 Identity…
ID: d030b9bd-2c4f-549c-8820-125fbc3a004b
STIX ID: report--d030b9bd-2c4f-549c-8820-125fbc3a004b
Feed Name: Detect FYI
This report documents a set of active, high-impact Microsoft 365 account takeover techniques: device code flow phishing, adversary-in-the-middle (AiTM) reverse-proxy phishing, silent registration of attacker-controlled MFA methods, abuse of SMS-based passwordless sign-in, and Teams-based helpdesk impersonation. These are used by both state-aligned APTs and criminal phishing-as-a-service (PhaaS) operators. It identifies named groups and commoditized services (Storm-2372, VENOM, Kali365, EvilTokens, Tycoon2FA, SNOW variants), prescribes mitigations (deny the device code flow by default, require FIDO2 authenticators, require admin approval for new MFA registrations, restrict Teams external access), and provides 12 detailed KQL detection and hunting rules for identifying and responding to compromises.
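The following hunting query is an example added to this listing for the device code phishing technique named above; it is not one of the report's 12 rules. It assumes the Microsoft Sentinel SigninLogs table (Entra ID interactive sign-ins), where the AuthenticationProtocol column carries the value "deviceCode" for sign-ins completed through the OAuth 2.0 device authorization grant.

```kql
// Added example, not from the report. Assumes Microsoft Sentinel's SigninLogs
// table. A successful "deviceCode" sign-in means a user entered a code at the
// device-login page and the bearer of that code obtained tokens for the user;
// in device code phishing the bearer is the attacker.
let lookback = 14d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where AuthenticationProtocol == "deviceCode"
| where ResultType == "0"                          // "0" = successful sign-in
| extend DeviceOS = tostring(DeviceDetail.operatingSystem),
         Browser  = tostring(DeviceDetail.browser)
| summarize SignIns   = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            IPs       = make_set(IPAddress, 10),
            Countries = make_set(Location, 5),
            Apps      = make_set(AppDisplayName, 10),
            Resources = make_set(ResourceDisplayName, 10)
    by UserPrincipalName, DeviceOS, Browser
// Rare, recent successes from a single IP the user has no history with are
// the rows to triage first; legitimate device code use (headless CLIs, TVs,
// shared kiosks) tends to recur from the same addresses.
| order by SignIns asc, LastSeen desc
```

Once the device code flow is denied by default in Conditional Access (the "authentication flows" condition), every row this query returns is either a deliberate policy exception or a gap in that policy, which makes it a useful control check as well as a hunt.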
