A phishing technique reported by ReversingLabs takes over Microsoft 365 accounts without ever capturing a password. Instead of a fake login page, the attacker abuses a legitimate Microsoft sign-in process, the OAuth 2.0 Device Authorization Grant (RFC 8628): the attacker starts a device-code flow, and the victim completes a genuine authentication on Microsoft's own page, unknowingly authorizing the attacker's session. Because every credential and MFA check happens on the real service, the attack is hard to detect from the login page alone.
The campaign is delivered as ordinary business email that sends the victim to a real Microsoft device-login page, where they enter a verification code that is in fact the user code of a device-code flow the attacker started. Once the code is accepted, the attacker's polling client receives an access token, and typically a refresh token, for the victim's account. The phishing kit uses evasion tricks such as embedding invisible characters in the lure. Users should treat any unsolicited sign-in code as suspicious, and organizations should review sign-in logs for device-code authentications (Microsoft Entra ID sign-in logs record the authentication protocol used) and consider blocking the device code flow with Conditional Access where it is not needed.
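The exchange described above, as an added example that is not part of the original article and not ReversingLabs' or Microsoft's code. The `AuthorizationServer` class is a hypothetical stand-in for the identity provider's three RFC 8628 steps; the endpoint names, user-code alphabet, client ID, scopes and token values are all constructed for illustration. The point it makes concrete is that the victim's password is checked only inside `user_completes_sign_in`, on the provider's side, while the attacker obtains tokens from `token` holding nothing but the `device_code`.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628) as abused
in device-code phishing. Hypothetical identity provider; constructed values throughout."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# RFC 8628 suggests a short, vowel-free alphabet for user codes; this set is a constructed choice.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceGrant:
    device_code: str                  # secret held only by the client that started the flow (the attacker)
    user_code: str                    # short code the victim is lured into typing on the real sign-in page
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None  # UPN of the account that completed sign-in, if any


class AuthorizationServer:
    """Hypothetical identity provider exposing the three RFC 8628 steps (not Microsoft's implementation)."""

    def __init__(self, lifetime_s: int = 900, interval_s: int = 5, now=time.time):
        self.lifetime_s = lifetime_s
        self.interval_s = interval_s
        self.now = now  # injectable clock so expiry can be exercised offline
        self._by_device_code: dict[str, DeviceGrant] = {}
        self._by_user_code: dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (attacker): POST to the device authorization endpoint. No user credential is involved."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        grant = DeviceGrant(device_code, user_code, client_id, scope, self.now() + self.lifetime_s)
        self._by_device_code[device_code] = grant
        self._by_user_code[user_code] = grant
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://idp.example/devicelogin",  # constructed; the real flow uses the IdP's genuine page
            "expires_in": self.lifetime_s,
            "interval": self.interval_s,
        }

    def user_completes_sign_in(self, user_code: str, upn: str, password_ok: bool) -> bool:
        """Step 2 (victim): on the IdP's genuine verification page, authenticate and enter the code.

        The password (and MFA) is verified here, by the IdP. It never reaches the attacker,
        which is why the lure needs no fake login page.
        """
        grant = self._by_user_code.get(user_code.strip().upper())
        if grant is None or self.now() > grant.expires_at or not password_ok:
            return False
        grant.approved_by = upn
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3 (attacker): poll the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self._by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.now() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens are minted for the account that approved the code, not for the caller.
        return {
            "token_type": "Bearer",
            "scope": grant.scope,
            "access_token": "at." + secrets.token_urlsafe(16),
            "refresh_token": "rt." + secrets.token_urlsafe(16),
            "subject": grant.approved_by,
        }


def run_phish(server: AuthorizationServer, victim_upn: str, victim_enters_code: bool = True) -> dict:
    """Attacker-side sequence for one victim; returns the final token-endpoint response.

    The lure email carries start["user_code"] and a link to the genuine verification_uri.
    Until the victim acts, polling returns authorization_pending; afterwards the attacker
    holds tokens for the victim's account without ever having seen the password.
    """
    client_id = "attacker-controlled-client"  # constructed
    start = server.device_authorization(client_id, scope="openid offline_access Mail.Read")
    if victim_enters_code:
        server.user_completes_sign_in(start["user_code"], victim_upn, password_ok=True)
    return server.token(client_id, start["device_code"])


if __name__ == "__main__":
    print(run_phish(AuthorizationServer(), "alice@contoso.example"))
```

Note that the real lure does not need to forge the verification page at all: the attacker only has to get the victim to type the attacker's `user_code` into the provider's own page, which is why a sign-in log that records the authentication protocol is the more useful place to look than URL-based phishing filters.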