CyberheistNews Vol 16 #07 Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA
Publish Date: 2026-02-17 10:05:00
Source Domain: blog.knowbe4.com
CyberheistNews Vol 16 #07 | February 17th, 2026
Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA
KnowBe4 Threat Labs has detected a sophisticated phishing campaign targeting North American businesses and professionals. The attack compromises Microsoft 365 accounts (Outlook, Teams, OneDrive) by abusing the OAuth 2.0 Device Authorization Grant flow (RFC 8628). Strong passwords and Multi-Factor Authentication (MFA) do not stop it, because the victim completes both on Microsoft's own sign-in page and the resulting tokens are issued to the attacker.
The attacker starts a device code flow for a client of their choosing and receives two values: a long device code, which they keep, and a short user code, which they send to the victim. The lure directs the victim to Microsoft's legitimate device-login page to enter that attacker-supplied user code and sign in. The sign-in, MFA included, approves the pending request, and the attacker's client, which has been polling the token endpoint with the device code, receives a valid OAuth access token and refresh token. No credential is captured: the tokens are minted for the victim's identity and delivered to the attacker, granting persistent access to the victim's Microsoft 365 account and corporate data for as long as the refresh token remains valid.
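The exchange described above, as an added example that is not part of the newsletter or of any Microsoft code: a small in-memory stand-in for the three endpoints of an RFC 8628 flow (/devicecode, /devicelogin, /token), with the attacker and the victim played by one driver function. The client ID, scopes and verification URL are placeholders chosen for the illustration. The point it makes concrete, and which the takeaways below restate, is that the party that starts the flow holds the device code, so the token endpoint hands that party whatever the human approves; the human only ever sees the short user code.

```python
"""Offline simulation of device code phishing against an RFC 8628 flow.
MockAuthorizationServer stands in for the identity provider; no network
traffic is sent and nothing here is Microsoft's implementation."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

AUTHORIZATION_PENDING = "authorization_pending"


@dataclass
class DeviceAuthorization:
    device_code: str            # long secret, returned only to the client that started the flow
    user_code: str              # short code the human is asked to type in
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class MockAuthorizationServer:
    """Minimal stand-in for the three endpoints involved in the grant."""

    def __init__(self, code_lifetime_s: float = 900.0):
        self._by_device_code: dict = {}
        self._by_user_code: dict = {}
        self._lifetime = code_lifetime_s

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (client -> /devicecode). Any public client can start a flow;
        the caller, not the future user, receives BOTH codes."""
        auth = DeviceAuthorization(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id, scope=scope,
            expires_at=time.time() + self._lifetime,
        )
        self._by_device_code[auth.device_code] = auth
        self._by_user_code[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://login.example.test/devicelogin",  # placeholder
                "interval": 5}

    def device_login(self, user_code: str, upn: str, mfa_passed: bool) -> str:
        """Step 2 (human -> /devicelogin). The page is genuine, so password and
        MFA are entered in good faith; the server cannot tell who will redeem it."""
        auth = self._by_user_code.get(user_code)
        if auth is None or time.time() > auth.expires_at:
            return "invalid_or_expired_code"      # lures must be acted on within the code lifetime
        if not mfa_passed:
            return "mfa_required"
        auth.approved_by = upn
        return "ok"

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3 (client -> /token). The initiator polls until approval; tokens
        are bound to the device_code, which only the initiator holds."""
        auth = self._by_device_code.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > auth.expires_at:
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": AUTHORIZATION_PENDING}
        return {"token_type": "Bearer", "scope": auth.scope,
                "subject": auth.approved_by,                     # the victim's identity
                "access_token": "at." + secrets.token_hex(16),
                "refresh_token": "rt." + secrets.token_hex(16)}


def run_phish(server: MockAuthorizationServer, victim_upn: str = "victim@example.com") -> dict:
    """Play both roles. client_id and scopes are hypothetical placeholders."""
    attacker_client = "attacker-chosen-public-client-id"
    grant = server.device_authorization(attacker_client, "Mail.ReadWrite Files.ReadWrite.All offline_access")
    # The lure carries only what the victim needs: the real URL and the user_code.
    lure = {"verification_uri": grant["verification_uri"], "user_code": grant["user_code"]}
    first_poll = server.token(attacker_client, grant["device_code"])      # nothing approved yet
    login_result = server.device_login(lure["user_code"], victim_upn, mfa_passed=True)
    tokens = server.token(attacker_client, grant["device_code"])          # minted for the victim, sent to the attacker
    return {"lure": lure, "first_poll": first_poll, "login_result": login_result, "tokens": tokens}


if __name__ == "__main__":
    result = run_phish(MockAuthorizationServer())
    print("victim saw:", result["lure"])
    print("attacker received tokens for:", result["tokens"]["subject"])
```

Two details worth noticing when reading the output: the victim never handles the device code, so there is nothing for them to "leak"; and the flow expires on the server, which is why lures of this kind press for immediate action.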
Key Takeaways: Campaign at a Glance
- Novel Attack Mechanism: No credentials are stolen. The user authenticates on the legitimate Microsoft domain, and the attacker's client polls the token endpoint with the device code it holds and receives the OAuth access and refresh tokens directly from Microsoft.
- Multi-Factor Authentication (MFA) Bypass: The attack is effective because the tokens are issued only after the user has successfully completed their legitimate MFA challenge; MFA is satisfied by the victim rather than defeated.
- Targeting: The campaign is active and ongoing (first observed December 2025), is highly concentrated in North America (more than 44% of victims are in the U.S.), and notably targets the tech, manufacturing and financial services sectors.
- Major Impact: The tokens grant the attacker extensive, persistent access to the Microsoft 365 environment, including read/write/send access to Email and Calendar, read/write access to Files (OneDrive/SharePoint) and, to the extent the victim's role and the client's permissions allow, administrative functions.
- Immediate Mitigation: Key defenses include urgently auditing recently consented OAuth applications, searching email logs for the campaign's sender and subject patterns, and, for IT/Admin teams, considering disabling the device code flow via Conditional Access…
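A triage script for the mitigation bullet above, added here and not taken from the newsletter: it walks sign-in records shaped like the Microsoft Graph `signIn` resource (the fields used are `authenticationProtocol`, `appId`, `appDisplayName`, `ipAddress`, `location.countryOrRegion`, `status.errorCode` and `createdDateTime`), flags every sign-in that used the device code protocol for an application not on an explicit allow list, and raises the severity when the same user and app show a later sign-in from a different country inside a 24-hour window. The records embedded in the block are constructed sample data; the app IDs and countries are placeholders.

```python
"""Flag device code flow sign-ins in Entra ID sign-in records (added example).
Field names follow the Microsoft Graph `signIn` resource; the sample records
below are constructed, not real telemetry."""
from datetime import datetime
from typing import Iterable, List, Set

# Apps deliberately permitted to use device code (kiosks, CLI tooling). Empty by default,
# so every device-code sign-in is reported.
ALLOWED_DEVICE_CODE_APP_IDS: Set[str] = set()

# Constructed sample: alice completes a device-code sign-in, then the same app is used
# from another country; bob's device-code attempt fails (AADSTS 50126, bad credentials).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-10T14:02:11Z", "userPrincipalName": "alice@example.com",
     "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Line-of-business app",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T14:05:40Z", "userPrincipalName": "alice@example.com",
     "appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Generic public client",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T14:06:02Z", "userPrincipalName": "alice@example.com",
     "appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Generic public client",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T15:11:09Z", "userPrincipalName": "bob@example.com",
     "appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Generic public client",
     "ipAddress": "203.0.113.44", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
]


def _ts(record: dict) -> datetime:
    # Graph emits RFC 3339 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def _country(record: dict):
    return (record.get("location") or {}).get("countryOrRegion")


def find_device_code_signins(records: Iterable[dict],
                             allowed_app_ids: Set[str] = ALLOWED_DEVICE_CODE_APP_IDS,
                             window_s: int = 24 * 3600) -> List[dict]:
    """Return one finding per device-code sign-in by a non-allow-listed app.
    Severity: high = succeeded and followed by use from another country within
    window_s; medium = succeeded; low = attempted but failed."""
    records = list(records)
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode" or rec["appId"] in allowed_app_ids:
            continue
        success = (rec.get("status") or {}).get("errorCode", 0) == 0
        finding = {"user": rec["userPrincipalName"], "appId": rec["appId"],
                   "app": rec.get("appDisplayName"), "time": rec["createdDateTime"],
                   "ip": rec.get("ipAddress"), "country": _country(rec),
                   "success": success, "follow_on_countries": []}
        if success:
            t0 = _ts(rec)
            for other in records:
                if other is rec or other["userPrincipalName"] != finding["user"] \
                        or other["appId"] != finding["appId"]:
                    continue
                delta = (_ts(other) - t0).total_seconds()
                country = _country(other)
                if 0 < delta <= window_s and country and country != finding["country"]:
                    finding["follow_on_countries"].append(country)
        if success and finding["follow_on_countries"]:
            finding["severity"] = "high"
        else:
            finding["severity"] = "medium" if success else "low"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['user']} via {f['app']} from {f['ip']} ({f['country']}) "
              f"at {f['time']}; follow-on countries: {f['follow_on_countries'] or 'none'}")
```

Run against a real export (for example the JSON returned by `GET /auditLogs/signIns` or `Get-MgAuditLogSignIn`), any non-empty result for an app you did not intend to use device code is worth a token revocation and a look at that mailbox. The preventive counterpart is the Conditional Access "Authentication flows" condition, which can block the device code flow tenant-wide or for all but the allow-listed apps; the script's allow list is meant to be kept in step with that policy.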