New phishing campaign tricks employees into bypassing Microsoft 365 MFA

Summary

A new phishing campaign is bypassing Microsoft 365 MFA by abusing the OAuth device registration (device code) flow. Attackers trick users into entering a code on a legitimate Microsoft login page; completing that step grants the attacker's device OAuth access to the user's account, including Outlook, Teams, and OneDrive.

IFF Assessment

FOE

This phishing campaign successfully bypasses MFA, a critical security control.

Defender Context

Defenders need to educate users about this specific phishing technique, emphasizing the importance of verifying the legitimacy of device authorization requests. Organizations should monitor OAuth app permissions and usage, consider conditional access policies to restrict device registration, and implement phishing-resistant MFA methods where possible. This OAuth abuse technique highlights the evolving sophistication of phishing attacks.
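The monitoring advice above can be made concrete. The following is an added example, not code from the article or from Microsoft: a small detection that reads Entra ID style sign-in events and flags successful sign-ins that completed via the device code flow, raising the score when the device is unmanaged. The sample log lines are constructed; the field names (`authenticationProtocol`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `deviceDetail`, `status.errorCode`) are assumed to follow the Microsoft Graph `signIn` resource and should be mapped to your own SIEM schema. The scoring weights and threshold are assumptions to tune per environment.

```python
"""Added example (not from the article): flag Microsoft 365 sign-ins that
completed through the OAuth device code flow, the protocol this phishing
technique relies on. Field names are assumed to follow the Microsoft Graph
`signIn` resource; the sample events are constructed."""
import json

# Constructed sample of Entra ID sign-in events, one JSON object per line.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2024-05-01T09:12:03Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","deviceDetail":{"isManaged":true,"trustType":"Hybrid Azure AD joined"},"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T09:15:41Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","deviceDetail":{"isManaged":false,"trustType":""},"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T09:16:02Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.11","deviceDetail":{"isManaged":true,"trustType":"Azure AD joined"},"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T09:20:15Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.12","deviceDetail":{"isManaged":true,"trustType":"Azure AD joined"},"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T09:21:00Z","userPrincipalName":"dave@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","deviceDetail":{"isManaged":false,"trustType":""},"status":{"errorCode":50058}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_signins(events):
    """Successful sign-ins (errorCode 0) that used the device code flow."""
    return [
        e for e in events
        if e.get("authenticationProtocol") == "deviceCode"
        and e.get("status", {}).get("errorCode", 0) == 0
    ]


def score(event):
    """Risk score for a device code sign-in. Use of the flow itself is the
    base signal; an unmanaged device adds weight because a phished token is
    redeemed from the attacker's machine. Weights are assumptions."""
    s = 1
    if not event.get("deviceDetail", {}).get("isManaged", False):
        s += 2
    return s


def alerts(events, threshold=2):
    """Return one alert record per device code sign-in at or above threshold.
    With the default threshold, device code use from a managed, joined device
    is logged but not alerted; from an unmanaged device it is."""
    out = []
    for e in device_code_signins(events):
        s = score(e)
        if s >= threshold:
            out.append({
                "user": e["userPrincipalName"],
                "app": e.get("appDisplayName"),
                "ip": e.get("ipAddress"),
                "score": s,
            })
    return out


if __name__ == "__main__":
    for a in alerts(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(a)
```

Running it against the sample flags only alice's sign-in: the device code flow succeeded from an unmanaged device. Carol also used the flow, but from a managed joined device, so she falls below the default threshold; dave's attempt failed and is ignored. Lowering `threshold` to 1 surfaces every successful device code sign-in, which is the right starting point in a tenant where the flow has no legitimate use and is blocked by Conditional Access.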
