ANY.RUN has identified a sharp rise in phishing campaigns exploiting Microsoft’s OAuth Device Code authentication flow, uncovering more than 180 malicious URLs within a single week. This emerging technique allows attackers to gain access to corporate environments without directly stealing user credentials, making it particularly dangerous for enterprise security teams.
The campaign manipulates users into completing a legitimate Microsoft authentication process. Victims are typically redirected to a fake document-sharing page, often impersonating services like DocuSign, where they are prompted to review a file. Instead of requesting login credentials, the page provides a verification code and instructs the user to continue to a real Microsoft login portal.
When the victim enters the code on the official Microsoft authentication page, the identity platform issues OAuth tokens to the attacker's client without the victim realizing it. These tokens provide access to sensitive resources within Microsoft 365 environments, including emails, files, and collaboration tools.
This phishing method is particularly challenging for Security Operations Center (SOC) teams because it leverages legitimate infrastructure and secure communication channels. Key challenges include:
- Authentication occurs on genuine Microsoft domains
- Users enter credentials and MFA on real login pages
- All activity is conducted over encrypted HTTPS traffic
- Access is granted via OAuth tokens instead of stolen passwords
Because no credentials are directly compromised, traditional detection tools often fail to flag the activity as malicious.
Once attackers obtain OAuth tokens, they can infiltrate corporate Microsoft 365 environments. In some cases, refresh tokens enable long-term persistence, allowing attackers to maintain access even after initial sessions expire. This can lead to serious consequences such as data exfiltration, business email compromise (BEC), and full account takeover.
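Because the credentials and MFA are entered on legitimate Microsoft pages, one of the few places the flow leaves a mark is the identity provider's sign-in log, where a sign-in completed through the device code grant is recorded as such. The following is an added example, not code from ANY.RUN or the article: it scores constructed sign-in records that mimic Microsoft Entra ID sign-in log exports (the field names `authenticationProtocol`, `userPrincipalName`, `ipAddress` and `appDisplayName`, and the value `deviceCode`, are assumed from that schema), flagging every device code sign-in and raising the score when the app or source IP is unusual for the user.

```python
import json

# Constructed sample of sign-in log records in JSON Lines form (not real data).
# Field names follow the Microsoft Entra ID sign-in log schema as assumed here.
SAMPLE_SIGNINS_JSONL = """\
{"id": "1", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "authenticationProtocol": "none"}
{"id": "2", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode"}
{"id": "3", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.11", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode"}
{"id": "4", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.12", "appDisplayName": "Teams", "authenticationProtocol": "ropc"}
"""

# Constructed baseline: IP addresses each user has previously signed in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.11"},
}

# Constructed allow-list: apps for which device code sign-ins are expected
# in this environment (for example, CLI tools on headless hosts).
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def parse_signins(jsonl_text):
    """Parse one JSON object per line into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def score_device_code_signins(records, known_ips, expected_apps):
    """Return (record id, reasons) for every sign-in that used the device code grant.

    Each finding lists why it was raised; more reasons means a more suspicious event.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # interactive, ROPC and other grants are out of scope here
        reasons = ["device code flow used"]
        if rec.get("appDisplayName") not in expected_apps:
            reasons.append("app not expected to use device code")
        user_ips = known_ips.get(rec.get("userPrincipalName"), set())
        if rec.get("ipAddress") not in user_ips:
            reasons.append("source ip not in user's baseline")
        findings.append((rec["id"], reasons))
    return findings


if __name__ == "__main__":
    for rec_id, reasons in score_device_code_signins(
        parse_signins(SAMPLE_SIGNINS_JSONL), KNOWN_IPS, EXPECTED_DEVICE_CODE_APPS
    ):
        print(rec_id, "; ".join(reasons))
```

In a real deployment the baseline and allow-list would come from historical sign-in data, and a finding with all three reasons is the one worth treating as a likely device code phishing event.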
ANY.RUN highlights that early detection requires deeper visibility into encrypted traffic. Its sandbox environment uses SSL decryption to extract TLS keys and analyze HTTPS traffic in real time. This enables the identification of hidden malicious indicators, such as suspicious API calls and custom headers used in phishing workflows.
Security teams can benefit from:
- Faster identification of phishing infrastructure
- Improved validation of suspicious authentication flows
- Stronger indicators of compromise (IOCs)
- Reduced response time to contain threats
Additionally, ANY.RUN integrates with SIEM and SOAR platforms, enabling organizations to operationalize threat intelligence quickly and detect related attacks across their environments. Organizations using interactive sandbox analysis report improved efficiency, including reduced investigation time, fewer escalations, and faster incident response. By providing clear visibility into attacker behavior, security teams can move from uncertainty to decisive action more quickly.
This surge in OAuth-based phishing underscores a broader shift toward identity-focused attacks, in which adversaries exploit trusted authentication mechanisms instead of traditional malware, making proactive monitoring and rapid response more critical than ever.
