Hackers Use Trusted Microsoft Domain and One-Time Codes to Hijack Corporate Accounts
ID: 1eab2577-4884-54eb-bec3-dc2dcb489060
STIX ID: report--1eab2577-4884-54eb-bec3-dc2dcb489060
Feed Name: GBHackers
A phishing campaign is abusing the OAuth 2.0 Device Authorization (Device Code) flow to get victims to paste attacker-supplied one-time codes into genuine Microsoft verification pages, leading to issuance of access and refresh tokens and prolonged stealthy access to corporate email, OneDrive, and Teams; defenders are advised to disable or restrict Device Code Flow where unnecessary, enforce strict Conditional Access, monitor DeviceCodeSignIn events, and train users to refuse unsolicited device authorizations.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
