Microsoft 365 Tokens Stolen Through OAuth Device Authorization Attacks - cyberpress.org
Microsoft 365 Tokens Stolen Through OAuth Device Authorization Attacks
By Varshini
May 15, 2026
Categories: Cyber Security News, Microsoft, Phishing
Cybercriminals are abandoning traditional credential theft for a stealthier, more devastating alternative: OAuth device code phishing.
By exploiting legitimate Microsoft 365 authorization flows, threat actors are bypassing multi-factor authentication to steal access tokens, hijack corporate emails, and launch severe ransomware attacks.
What was once an obscure red-team tactic has exploded into a massive threat, supercharged by AI tools and dynamic code generation.
OAuth Attacks Steal Tokens
In the past, device codes expired within 15 minutes, making it difficult to time phishing attacks. Today, modern attackers dynamically generate these codes the exact moment a victim clicks a malicious link.
The target is then directed to the legitimate Microsoft portal and tricked into entering the code.
Once authorized, the attacker instantly intercepts the authentication tokens required for complete account takeover without ever needing the victim’s password.
This alarming shift is fueled by Phishing-as-a-Service (PhaaS) platforms like EvilTokens, Tycoon, and ODx. Readily available for purchase on Telegram, these kits provide cybercriminals with everything they need to launch scalable campaigns.
EvilTokens Telegram channel announcement (Source: proofpoint)
They feature AI-generated landing pages that convincingly impersonate trusted brands like DocuSign, Adobe, and SharePoint.
Notorious threat actors, such as the financially motivated group TA4903, have abandoned traditional business email compromise tactics to rely almost exclusively on these kits.
Example of EvilTokens landing page, observed by Proofpoint in March 2026 (Source: proofpoint)
In recent campaigns, attackers masqueraded as human resources departments or federal courts, delivering malicious QR codes inside PDF attachments to bypass email filters and trick users.
Despite the sophisticated AI tools used to generate these campaigns, operators often expose their infrastructure due to poor operational security practices.
However, traditional security awareness training, such as teaching employees to spot fake URLs, falls short when victims encounter the official Microsoft device login page.
Example of multiple device code phishing landing pages (Source: proofpoint)
According to Proofpoint research, security teams must deploy strict Conditional Access policies.
The strongest mitigation is to use the Authentication Flows condition to block device code authorization entirely for all enterprise users.
If blocking the flow is not feasible for business operations, organizations should create allow-lists to restrict device code usage to approved networks or require that all sign-ins originate from locally registered, compliant devices.
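As an added example (not from the article or from Proofpoint), the two mitigations above expressed as a hunt and a policy: the first function flags completed device-code sign-ins from outside an approved network allow-list, run over constructed records shaped like Microsoft Graph signIns entries (the `authenticationProtocol` value `deviceCode` is the Graph field that identifies this flow); the second builds the Conditional Access policy body that uses the Authentication Flows condition to block device code authorization for all users. The network ranges and user names are constructed for the example.

```python
import ipaddress

# Approved corporate egress ranges (constructed for this example).
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records shaped like Microsoft Graph signIns entries
# (real records carry many more fields); IPs are documentation ranges.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.8",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]


def in_approved_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def find_suspicious_device_code_signins(records):
    """Return users whose device-code sign-in succeeded from outside the allow-list.

    A successful device-code sign-in is the moment the token is issued, so a hit
    here means a token may already be in an attacker's hands; failed attempts
    (non-zero errorCode) are context, not a completed grant.
    """
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 1) != 0:
            continue
        if not in_approved_network(r["ipAddress"]):
            hits.append(r["userPrincipalName"])
    return hits


def block_device_code_policy():
    """Graph conditionalAccess policy body that blocks the device code flow tenant-wide.

    Use state "enabledForReportingButNotEnforced" first to see what would be blocked.
    """
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```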
Below are recent Indicators of Compromise (IOCs) associated with EvilTokens and ODx infrastructure to help security teams hunt for these malicious activities.
Indicator | Description | First Seen
onedrive-7tu[.]techroboticslabmade-techie-com-s-account[.]workers[.]dev | EvilTokens Device Code Landing | 26 March 2026
f8uh-dwam-j4l5[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev | EvilTokens Device Code Landing | 1 May 2026
z6e43e5886fe-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.