AI-Powered Phishing Attacks Exploit OAuth Vulnerability Bypassing Multi-Factor Authentication

Device Code Phishing Campaign Exploits OAuth Flow to Evade MFA Expiration

A sophisticated phishing campaign has been uncovered that leverages artificial intelligence to automate the device code phishing process, thereby bypassing the standard 15-minute window for Multifactor Authentication (MFA).

  • This campaign exploits the OAuth Device Code Authentication flow, designed for input-constrained devices, to achieve persistent enterprise account compromise.
  • The attackers employ a multi-stage delivery approach, utilizing compromised legitimate domains and serverless hosting to evade detection by traditional gateway defenses.
  • The campaign commences with tenant validation, confirming the existence and activity of the target organization.
  • Subsequently, the attackers utilize browser-in-the-browser iframes to simulate trusted login environments, preload malicious pages that auto-copy generated device codes to the clipboard, and trick victims into pasting these codes into official login portals, unwittingly authenticating the attacker’s parallel session during MFA completion.
  • Once the attacker’s background script detects MFA completion, it initiates real-time polling to obtain an access token for the attacker’s session. Within 10 minutes, the Primary Refresh Token (PRT) is registered, establishing long-term persistence.
  • This campaign showcases the evolution of threat actors, who have developed capabilities such as reconnaissance automation, delivery obfuscation, real-time authentication hijacking, and persistence establishment, all executed with minimal human latency across thousands of targets simultaneously.

Microsoft Defender Security Research has identified this campaign as a significant threat, highlighting the vulnerability of legitimate OAuth flows in the absence of vigilant monitoring, behavioral analytics, and session context validation.

As a result, enterprise Single Sign-On (SSO) has become a liability when legitimate flows lack originating context verification and behavioral anomaly scoring across the authentication ceremony.

Mitigation Strategies

  • Organizations should implement OAuth monitoring, audit device code issuance frequency and volume, enable continuous access evaluation, revoke anomalous sessions, and deploy browser security measures to block clipboard manipulation.
  • Application consent policies should be restricted to limit scopes, and behavioral baselines should flag anomalous clipboard activity, iframe overlays, and OAuth polling patterns.
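The monitoring items above (auditing device code issuance and flagging anomalous OAuth polling) can be reduced to two concrete signals: the browser that completes MFA and the client that polls for the token sitting on different IPs within one device-code window, and a single polling IP collecting tokens for several users in the same window. The detector below is an added example, not code from the article or from Microsoft; the record layout (ts, user, ip, protocol, stage) and the sample sign-ins are constructed for illustration and do not mirror any vendor's log schema.

```python
"""Detector for abused OAuth device code sign-ins over constructed sign-in records.

Each record is a dict with ts (epoch seconds), user, ip, protocol and stage:
'interactive' = the browser session that completed MFA,
'token'       = the client that polled the token endpoint and got tokens.
"""
from collections import defaultdict

# Constructed sample (hypothetical IPs): alice uses device code from one IP,
# a genuine input-constrained device; bob and carol complete MFA in a browser
# but the token is collected from a different IP within a minute.
SAMPLE_EVENTS = [
    {"ts": 1000, "user": "alice", "ip": "10.0.0.5",    "protocol": "deviceCode", "stage": "interactive"},
    {"ts": 1010, "user": "alice", "ip": "10.0.0.5",    "protocol": "deviceCode", "stage": "token"},
    {"ts": 5000, "user": "bob",   "ip": "10.0.1.7",    "protocol": "deviceCode", "stage": "interactive"},
    {"ts": 5030, "user": "bob",   "ip": "203.0.113.9", "protocol": "deviceCode", "stage": "token"},
    {"ts": 5040, "user": "carol", "ip": "10.0.1.8",    "protocol": "deviceCode", "stage": "interactive"},
    {"ts": 5065, "user": "carol", "ip": "203.0.113.9", "protocol": "deviceCode", "stage": "token"},
    {"ts": 5100, "user": "dave",  "ip": "10.0.2.3",    "protocol": "oAuth2",     "stage": "token"},
]


def detect_device_code_abuse(events, window_s=900, shared_threshold=2):
    """Return (subject, reason) findings for the two signals.

    window_s defaults to 900 s, the 15-minute device code lifetime the article cites.
    1. ip-mismatch: token polled from an IP other than the one that completed MFA
       for the same user inside one window.
    2. shared polling IP: one IP obtains device-code tokens for >= shared_threshold
       distinct users inside the same window bucket (bulk, automated collection).
    """
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["protocol"] == "deviceCode":
            by_user[e["user"]].append(e)

    shared = defaultdict(set)  # (window bucket, polling ip) -> users served
    for user, evs in by_user.items():
        last_interactive = None
        for e in evs:
            if e["stage"] == "interactive":
                last_interactive = e
            elif e["stage"] == "token":
                shared[(e["ts"] // window_s, e["ip"])].add(user)
                if (last_interactive and e["ts"] - last_interactive["ts"] <= window_s
                        and e["ip"] != last_interactive["ip"]):
                    findings.append((user, f"ip-mismatch {last_interactive['ip']}->{e['ip']}"))

    for (bucket, ip), users in shared.items():
        if len(users) >= shared_threshold:
            findings.append(("tenant", f"{ip} polled tokens for {len(users)} users in window {bucket}"))
    return findings
```

In a real deployment the findings would feed session revocation and the continuous access evaluation step the article recommends, rather than just being returned.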

By taking proactive steps, organizations can protect themselves against this sophisticated phishing campaign and other similar attacks that exploit the OAuth protocol.
