Microsoft 365 Phishing Attack Bypasses MFA via OAuth Token Theft

by Anika Shah - Technology

Microsoft 365 OAuth Hijacking: How Attackers Bypass MFA

A sophisticated phishing campaign is targeting North American businesses and professionals, compromising Microsoft 365 accounts – including Outlook, Teams, and OneDrive – by abusing the OAuth 2.0 Device Authorization Grant flow. This technique allows attackers to bypass multi-factor authentication (MFA), gaining persistent access to sensitive corporate data.

Understanding the Attack

Traditionally, attackers focused on stealing usernames and passwords. This new campaign shifts the focus to OAuth access tokens. The attack doesn’t attempt to steal credentials; instead, it tricks users into granting access to attackers through legitimate Microsoft domains. Here’s how it works:

  1. OAuth Application Registration: Attackers register an OAuth application capable of requesting Microsoft 365 data.
  2. Device Code Generation: The attacker initiates a device authorization flow, generating a unique device code and a legitimate Microsoft verification URL (e.g., https://microsoft.com/devicelogin).
  3. Phishing Delivery: This code is delivered to victims via phishing emails, fake notifications, or even voice calls, often framed as a request to “verify a device,” “restore access,” or “complete security checks.”
  4. Legitimate Authentication: The victim visits the genuine Microsoft login page, enters the attacker’s code, and successfully authenticates, including completing MFA.
  5. Token Theft & Access: The Microsoft Identity Platform issues a valid OAuth access token, which the attacker intercepts. This grants them persistent access to the victim’s Microsoft 365 account as a trusted application.

Why MFA is Bypassed

The critical element of this attack is that the token theft occurs after the user successfully completes MFA. This means the attacker isn’t breaking MFA; they’re leveraging a legitimate authentication process to gain authorized access. The OAuth flow is being abused, not broken.

Who is Being Targeted?

This campaign, first observed in December 2025, is heavily concentrated in North America, with over 44% of victims located in the United States. The tech, manufacturing, and financial services sectors are being particularly targeted.

The Impact of a Successful Attack

Once attackers obtain the OAuth tokens, they gain extensive access to the victim’s Microsoft 365 environment, including:

  • Full read, write, and send capabilities for email, calendar, and files (OneDrive/SharePoint).
  • Administrative functions within the organization.
  • Persistent access, meaning the attacker can maintain access even if the victim changes their password.

Protecting Your Organization

Security teams can implement several measures to mitigate the risk of these attacks:

  • Block Indicators of Compromise (IOCs): Add known malicious domains and URLs to email gateway and web proxy blocklists.
  • Monitor Email Logs: Search email logs for sender patterns and subject lines associated with the campaign.
  • Review OAuth Applications: Use the Microsoft 365 admin center to review and revoke permissions for suspicious or unknown OAuth applications.
  • Analyze Azure AD Sign-in Logs: Check for device code authentication events and identify sign-ins from unusual geographic locations.
  • Disable Device Code Flow (Conditional): If your organization doesn’t require the device code flow for shared or public devices, disable it using PowerShell: Update-MgPolicyAuthorizationPolicy -AllowedToUseDeviceCodeFlow $false.
  • Conditional Access Policies: Implement conditional access policies to strictly control who can use the device code flow, when, and where.
  • Monitor App Consent: Utilize Microsoft Defender for Cloud Apps to monitor and control OAuth app consent.
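As an added example, not code from the article, here is a Python triage check for the sign-in log review described above. It assumes the records follow the Microsoft Graph signIn shape (authenticationProtocol, userPrincipalName, appDisplayName, ipAddress, location.countryOrRegion); the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records (not real log data) shaped like Microsoft Graph
# signIn objects; only the fields the check reads are included.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-12-03T14:02:11Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2025-12-03T14:09:45Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-12-03T15:12:00Z", "userPrincipalName": "b.kim@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2025-12-03T15:30:00Z", "userPrincipalName": "b.kim@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "US"}},
])


def build_baseline(signins):
    """Countries each user normally signs in from, taken from non-device-code sign-ins."""
    baseline = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            baseline[s["userPrincipalName"]].add(s.get("location", {}).get("countryOrRegion"))
    return baseline


def find_suspicious_device_code_signins(raw_json, device_code_allowed=False):
    """Return device-code sign-ins worth triage: every one of them if the tenant
    has disabled the flow, otherwise those from a country outside the user's baseline."""
    signins = json.loads(raw_json)
    baseline = build_baseline(signins)
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s["userPrincipalName"]
        country = s.get("location", {}).get("countryOrRegion")
        if not device_code_allowed:
            reason = "device code flow used although policy disables it"
        elif country not in baseline.get(user, set()):
            reason = f"device code sign-in from {country}, outside user's usual countries"
        else:
            continue
        hits.append({"time": s["createdDateTime"], "user": user, "app": s.get("appDisplayName"),
                     "ip": s.get("ipAddress"), "country": country, "reason": reason})
    return hits
```

Hits from the sample data should be cross-checked against the application shown in the record, since the campaign's token is issued to the attacker-registered application rather than to the client the user believed they were approving.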

The Evolving Threat Landscape

This OAuth token theft campaign demonstrates that traditional security approaches focused solely on credentials are no longer sufficient. Organizations must adopt a more proactive and comprehensive security posture, focusing on real-time threat intelligence, user awareness training, and robust token protection. Protecting identity now means protecting tokens and app consent, not just user credentials.
