Microsoft 365 OAuth Device Code Flow and Phishing

February 13, 2023

Microsoft has released a new guide on how to handle OAuth device code flow and phishing attacks using Microsoft 365. This guide provides information about the latest updates to the OAuth device code flow and how to prevent phishing attacks. Detecting phishing via Microsoft Teams also covered.

Updated to prevent phishing attacks

This article highlights several features in Microsoft 365 OAuth Device Code Flow that intended to mitigate phishing attacks. These features are available to Office 365 users as part of their Enterprise E5 subscription plan.

This feature allows users to reuse well-known client application ids. It also includes an additional prompt when signing into an app. This new prompt not designed to remove or bypassed, as it is meant to prevent phishing attacks.

The OAuth authorization protocol used by many cloud applications and is a standard. The protocol is a two-step process, with the first step being the authorization code. The second step is the refresh token. The refresh token is not bound to a particular resource, and obtained in exchange for the resource owner’s credentials.

OAuth phishing attacks involve compromising user information and credentials. These attacks are increasingly sophisticated and use widely-used identity systems. An attacker can mimic a victim’s access or steal credit card details.

The OAuth 2.0 authorization protocol is a standard and used by several third-party cloud applications. The protocol designed to grant limited access to resources. It not intended for use with sensitive information, such as credit card details.

In an OAuth phishing attack, the attacker generates an access token, which then passed to the victim. The access token can use to make API requests.

Man-in-the-middle attack framework used for phishing login credentials and session cookies

The man-in-the-middle attack is a cyberattack that occurs when a third party intercepts a digital conversation between two or more parties. This can result in fraudulent transactions, theft of sensitive personal information, or even identity theft.

The attacker can eavesdrop on the conversation, send phony messages, or alter the conversation in any way he wishes. This allows him to learn confidential information and access other systems. He can also send a user to a fake website, or capture their login credentials.

The man-in-the-middle, or MITM, attack can be tricky to detect. But you can prevent this type of attack with a few simple steps. First, you can change your password. Second, you can change your device’s security settings to require a two-factor authentication (2FA) process. Finally, you can update your devices to avoid common man-in-the-middle tactics.

To minimize the risk of a phishing attack, make sure you don’t use public Wi-Fi. If you do use the network, ensure that it’s encrypted. Likewise, make sure you never share your login credentials with anyone. Using a VPN can also be a good idea.

If you’re a business owner, be aware that a man-in-the-middle hacker can disrupt your business operations and steal your financial data. In 2015, 49 suspects arrested for stealing bank account credentials.

Detection of phishing via Microsoft Teams

If your company uses Microsoft Teams, you need to ensure your security team is aware of the latest phishing threats. The platform used for text, video, and audio conferencing and might also contain sensitive files shared between users.

One of the latest phishing attacks designed to impersonate Microsoft Teams. The message contains a link that takes the recipient to a fraudulent website. This website will ask for account information or login credentials. If the victim provides information, it might used to install malware on their computer.

This is a common tactic in phishing emails. The attackers use a combination of forged URLs, social engineering, and imagery copied from real Microsoft Teams emails. This makes the platform an attractive target for phishing attackers.

The attackers need valid e-mail credentials to access the phishing page. They can obtain these credentials by running a phishing campaign or buying them from initial access brokers.

After acquiring a valid e-mail address, the attacker can begin sending out phishing emails to their targeted users. These phishing campaigns can be highly convincing, but the goal can vary from stealing critical assets to demanding a ransom.

If the malicious executable installed on the user’s device, it can monitor Teams logs. This can help the attacker find out if the messages received and read by the users. Moreover, the malware could then gain access to saved messages.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us