AI‑Driven OAuth Device Code Phishing Campaign Compromises Enterprise Accounts at Scale
What Happened – Microsoft Defender Security Research identified a coordinated phishing operation that automates the OAuth 2.0 device authorization grant (the "device code" flow). Using AI‑generated code and serverless infrastructure, the attackers request a live device code, present it to the victim on a convincing lure page, and steer the victim to enter it on Microsoft's genuine sign‑in page. Because the victim authenticates there, MFA included, the tokens for that session are issued to the attacker's pending request; the attacker never handles the password or the MFA prompt.
Why It Matters for TPRM –
- The lure never asks for a password or one‑time code: the victim completes both on Microsoft's real sign‑in page, and the resulting session goes to the attacker. MFA is satisfied rather than broken, so the assumption that "MFA stops phishing" gives false assurance about vendors' accounts.
- The flow is a standard OAuth 2.0 grant that is enabled by default in Entra ID tenants and widely supported across SaaS and cloud services, so any vendor whose tenant permits it is exposed without any software flaw being present; that makes it a third‑party (supply‑chain) risk rather than a single‑product issue.
- Automated, AI‑assisted generation of codes and lures lets one operator phish many third‑party accounts in parallel at low cost.
Who Is Affected – Organizations that use Microsoft 365, Microsoft Entra ID (formerly Azure AD), or any SaaS platform that supports the OAuth Device Code flow; particularly vendors classified as IAM, cloud‑hosting, or SaaS providers, because a compromised account there can reach downstream customers' data.
Recommended Actions –
- Block the device code flow for users and groups that have no need for it. In Entra ID this is done with a Conditional Access policy that uses the Authentication flows condition (Device code flow); scope any remaining use to named automation or break‑glass accounts and review those grants for third‑party applications.
- Pair that with Conditional Access policies that require a compliant or hybrid‑joined device and trusted network locations before tokens are issued, and confirm those policies explicitly cover device‑code sign‑ins rather than only interactive browser sign‑ins.
- Run user‑education campaigns focused on this specific lure: any message or page that hands the user a short code and asks them to enter it at the Microsoft device‑login page should be treated as suspect, even though the final URL is genuine.
- Monitor sign‑in logs for device‑code authentications (authenticationProtocol = deviceCode in Microsoft Graph sign‑in records, the AuthenticationProtocol column of SigninLogs in Sentinel) and alert when the flow is used by a user or from a source IP not previously associated with it, or when one IP collects device‑code tokens for several users in a short window.
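The monitoring item above, as an added example that is not part of the original brief: a small triage routine run over constructed sign‑in records in the shape of Microsoft Graph signIn entries. It flags every device‑code sign‑in, escalates when the country is new for that user, and escalates again when one source IP has collected device‑code tokens for several distinct users (the campaign pattern). All records, user names and addresses are made up; the field names follow the Graph schema, the threshold of three users is an assumption.

```python
"""Added example: triage device-code sign-ins from Entra-style sign-in log records."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records. Field names follow the Microsoft Graph signIn
# resource (authenticationProtocol, ipAddress, location.countryOrRegion);
# every value here is made up for the example.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2024-05-01T08:15:40Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"},
    {"createdDateTime": "2024-05-01T09:00:05Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "SharePoint Online"},
    {"createdDateTime": "2024-05-01T09:30:00Z", "userPrincipalName": "dave@contoso.example",
     "ipAddress": "203.0.113.13", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams"},
    # Three users complete a device-code sign-in within minutes; the tokens are
    # collected by the same polling host in a country none of them has used.
    {"createdDateTime": "2024-05-02T10:01:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2024-05-02T10:04:30Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2024-05-02T10:09:12Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    # A legitimate device-code sign-in from a headless box in the user's usual country.
    {"createdDateTime": "2024-05-02T11:00:00Z", "userPrincipalName": "dave@contoso.example",
     "ipAddress": "203.0.113.50", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI"},
]


def _ts(record):
    """Parse the Graph-style UTC timestamp so records can be replayed in order."""
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_code_findings(signins, campaign_threshold=3):
    """Return one finding per device-code sign-in, escalated to 'high' when the
    country is new for that user or when the same source IP has collected
    device-code tokens for campaign_threshold or more distinct users."""
    events = sorted(signins, key=_ts)
    countries_seen = defaultdict(set)   # upn -> countries seen in non-device-code sign-ins
    users_per_ip = defaultdict(set)     # ip  -> users with a device-code sign-in from it
    findings = []
    for r in events:
        upn, ip = r["userPrincipalName"], r["ipAddress"]
        country = r["location"]["countryOrRegion"]
        if r["authenticationProtocol"] != "deviceCode":
            countries_seen[upn].add(country)   # build the per-user baseline
            continue
        reasons = ["device code flow used"]
        severity = "medium"                     # rare for most users, so always worth a look
        if country not in countries_seen[upn]:
            severity = "high"
            reasons.append(f"no prior sign-in from {country}")
        users_per_ip[ip].add(upn)
        if len(users_per_ip[ip]) >= campaign_threshold:
            severity = "high"
            reasons.append(f"{len(users_per_ip[ip])} users collected via device code from {ip}")
        findings.append({"time": r["createdDateTime"], "user": upn, "ip": ip,
                         "app": r["appDisplayName"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], "|", "; ".join(f["reasons"]))
```

The same logic maps onto a scheduled Sentinel rule over SigninLogs where AuthenticationProtocol == "deviceCode", with the baseline and the per‑IP user count expressed as joins; the Python form is here so the rule can be tested offline against known‑bad and known‑good records before it goes live.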
Technical Notes – Attackers conduct reconnaissance 10‑15 days before launch, then deliver phishing emails that bypass secure email gateways by sending from compromised legitimate domains and domain‑shadowed subdomains. A hidden automation script on the lure page requests a live device code from the identity provider, copies the user code to the clipboard, and directs the victim to paste it into Microsoft's genuine device‑login page; once the victim signs in there (password and MFA included), the attacker's script, which has been polling the token endpoint, receives the OAuth access token for the victim's account. The only URL the victim signs in at is a real Microsoft page, so URL reputation checks on it offer no protection. No CVE is involved; the abuse is protocol‑level. Source: Help Net Security
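To make the Technical Notes concrete, here is an added model of the device authorization flow (RFC 8628) with the three parties separated: the attacker's client, the victim, and a toy authorization server standing in for login.microsoftonline.com. It is not Microsoft's code or the campaign's code; the client_id, scope, token format and the allow_device_code flag (a stand‑in for a tenant policy that blocks the flow) are all constructed for the example. What it shows is that the credential and MFA checks happen on the server side of the verification page and the client only ever polls for the result, which is why the attacker's script never sees a password.

```python
"""Added example: a toy model of the RFC 8628 device authorization flow, showing
which party sees what when the user code is phished. Not Microsoft's code; the
server stands in for login.microsoftonline.com and every identifier is made up."""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class DeviceAuthServer:
    """Minimal authorization server for the device code grant."""

    def __init__(self, allow_device_code=True, lifetime_s=900):
        self.allow_device_code = allow_device_code  # stand-in for a tenant policy that blocks the flow
        self.lifetime_s = lifetime_s                # user_code lifetime; 15 minutes is a common default
        self._pending = {}                          # device_code -> request record

    def device_authorization(self, client_id, scope):
        """POST /devicecode: the client (here, the attacker's script) starts the flow."""
        device_code = secrets.token_urlsafe(32)     # secret, only the client knows it
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))  # shown to the user
        self._pending[device_code] = {"client_id": client_id, "scope": scope,
                                      "user_code": user_code, "approved_by": None,
                                      "expires_at": time.time() + self.lifetime_s}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.invalid/devicelogin",  # constructed
                "expires_in": self.lifetime_s, "interval": 5}

    def approve(self, user_code, user, password_ok, mfa_ok):
        """The verification page: the *user* signs in on the genuine site and types the code.
        Credentials and MFA are checked here, by the server; the client never sees them."""
        if not (password_ok and mfa_ok):
            return "denied"
        if not self.allow_device_code:
            return "blocked_by_policy"
        for rec in self._pending.values():
            if rec["user_code"] == user_code and time.time() < rec["expires_at"]:
                rec["approved_by"] = user
                return "approved"
        return "unknown_or_expired_code"

    def token(self, device_code):
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code (the client polls)."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if time.time() >= rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        # "sub" is included as a plain field for the example; a real token carries it inside the JWT.
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": f"tok.{secrets.token_hex(8)}", "sub": rec["approved_by"]}


def simulate_phish(server, victim="alice@contoso.example"):
    """Walk the exchange the page describes: attacker requests a code, victim enters it on the real page."""
    attacker_client = "00000000-0000-0000-0000-000000000000"  # constructed client_id
    da = server.device_authorization(attacker_client, "openid profile offline_access Mail.Read")
    first_poll = server.token(da["device_code"])            # nothing yet: authorization_pending
    # The lure page displays da["user_code"] and sends the victim to verification_uri.
    outcome = server.approve(da["user_code"], victim, password_ok=True, mfa_ok=True)
    tok = server.token(da["device_code"])                   # attacker's next poll
    return {"first_poll": first_poll.get("error"), "approval": outcome,
            "attacker_got_token": "access_token" in tok, "token_subject": tok.get("sub")}


if __name__ == "__main__":
    print("flow allowed:", simulate_phish(DeviceAuthServer()))
    print("flow blocked:", simulate_phish(DeviceAuthServer(allow_device_code=False)))
```

Running the second case shows where a policy block actually bites: the victim still signs in successfully, but the approval step refuses to bind that session to the pending device code, so the attacker's polling loop never leaves authorization_pending. That is the behaviour a Conditional Access policy against the device code flow is meant to produce, and it is why the control belongs at token issuance rather than on the user's screen.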