Microsoft 365: Phishing Campaign Bypasses MFA by Exploiting the OAuth Protocol
This text was generated using artificial intelligence (AI).Update July 8, 2026: In addition, an advanced variant of the attack has been identified that uses AES-GCM-encrypted HTML landing pages and is decrypted exclusively within the victim’s browser („Ghost Code“ technique). This method makes detection by security solutions significantly more difficult. See below for details.
A phishing campaign that specifically targets Microsoft 365 accounts has been observed since at least April 2026. Cisco Talos published a comprehensive analysis of this campaign on June 30, 2026. Attackers are exploiting a legitimate feature—the OAuth 2.0 Device Authorization Grant Flow – to bypass multi-factor authentication (MFA) and gain access to corporate data. The campaign uses the Phishing-as-a-Service (PhaaS) kit ARToken, which, according to Cisco Talos, is an affiliate or customer of the EvilTokens-platform and shares its infrastructure and API contracts.
The Facts at a Glance:
Attack method: Microsoft 365 device code phishing via the OAuth 2.0 flow; new variant with AES-GCM-encrypted landing pages.
Tooling: ARToken PhaaS Panel shares infrastructure and operational patterns with EvilTokens; another related kit: Kali365.
Target: Takeover of Microsoft 365 accounts through the theft of OAuth access and refresh tokens.
Persistence: According to Cisco Talos, stolen OAuth refresh tokens remain valid even after the victim changes their password, unless they are explicitly revoked.
New Technology: „Ghost Code“ phishing, which uses browser-based decryption, makes detection by email gateways and sandboxes more difficult.
Protection: Standard MFA is ineffective. Only phishing-resistant MFA (FIDO2) and blocking the device code flow provide protection.
How the Attack on Microsoft 365 Accounts Unfolded
The attack exploits a sign-in feature designed for devices without a browser or with limited input capabilities, such as smart TVs or IoT devices. Instead of entering sign-in credentials directly, the device displays a code. The user enters this code on a second, already authenticated device on a legitimate Microsoft sign-in page, thereby authorizing the new device.
The attack chain begins with a phishing email that tricks the victim into clicking a link under the pretense of verifying an invoice. This link leads to a page that triggers a legitimate Microsoft login request in the background. The victim is shown an authentic-looking Microsoft page displaying a device code. If the user enters this code, they unwittingly authorize the attacker’s session. The attacker then receives an access token and a refresh token, granting them access to email, OneDrive, and SharePoint.
The particular danger lies in the persistence of the stolen OAuth Refresh Tokens: According to Cisco Talos, they remain valid even after the affected user changes their password. In addition, ARToken uses what is known as „broker mode“ to achieve PRT-like persistence via the Microsoft Authentication Broker. Only an explicit revocation of the tokens via Microsoft Entra ID terminates the attacker’s access.
Ghost Phishing: Concealment Through Browser-Side Decryption
The newly observed attack variant relies on an advanced obfuscation technique known as „Ghost Code“ phishing. In this technique, the phishing landing pages are delivered encrypted with AES-GCM. The decryption key is embedded as a fragment identifier (according to the #(character) in the URL and never reaches the server. Decryption takes place exclusively in the victim's browser using client-side JavaScript.
This method offers attackers several advantages: Email security gateways and sandboxes cannot analyze the encrypted content because they do not have access to the URL fragment. Even if security solutions inspect the landing page, the actual phishing content remains hidden. Only when a real user clicks the full link in the email does the deceptively authentic Microsoft sign-in page with the device code become visible.
This technology significantly increases the campaign's success rate, as traditional URL reputation systems and content filters are ineffective. For security teams, this means that preventive controls such as email filtering and link scanning alone are not enough.
ARToken and EvilTokens: The PhaaS Ecosystem
Behind the campaign is the ARToken panel, which is marketed as Phishing-as-a-Service (PhaaS). As Cisco Talos reported in late June 2026, ARToken shares infrastructure, API contracts, and operational patterns with the EvilTokens platform and is classified as its affiliate or customer. In addition to ARToken, Kali365 is another known PhaaS kit that exploits the same vulnerability in the Microsoft Device Authorization Flow. These kits significantly lower the barrier to entry for attackers by providing a professional infrastructure for carrying out phishing attacks and managing compromised accounts.
Recommended Precautions
Since this involves the misuse of a protocol design, there is no traditional software patch. Protection requires a combination of technical controls and awareness-raising.
Immediate measures: Instruct employees never to enter device codes they have received via unsolicited emails. If a compromise is suspected, administrators must immediately revoke all refresh tokens for the affected user using the revokeSignInSessions Revoke in Microsoft Entra ID.
Short-term measures: Provide targeted training for employees on the risks of device code phishing and the new "ghost code" variant. Monitor Azure logs for suspicious OAuth token activity, unauthorized device code authentications, and unexpected PRT registrations. Audit existing inbox rules and OAuth consents. Implement behavior-based anomaly detection, as signature-based systems cannot detect encrypted phishing pages.
Long-term curing: The most effective protection is to disable the device code authentication flow using Conditional Access Policies in Microsoft Entra ID. This feature should be blocked for standard users and allowed only for explicitly documented and monitored service accounts (e.g., for IoT use cases). Implement phishing-resistant MFA such as FIDO2 or passkeys, as traditional MFA methods are bypassed in this attack.
Relevance for Companies in Germany, Austria, and Switzerland
For companies in Germany, Austria, and Switzerland, the following applies: If personal data is accessed or compromised as a result of a successful account takeover, there is an obligation under Article 33 of the GDPR to report the incident to the competent data protection authority within 72 hours of becoming aware of it. As a central communication and collaboration platform, Microsoft 365 is also relevant in the context of NIS-2: Operators of essential and important facilities are required to demonstrate that they have implemented appropriate technical measures to secure authentication procedures and to report security incidents. Organizations should verify whether their authentication configuration complies with the requirements of these regulations.
Classification by LocateRisk
The attack described highlights the need for comprehensive visibility into one's own IT infrastructure and the associated risks.
External Attack Surface Management (EASM): Microsoft 365 is an externally accessible service that forms part of a company’s attack surface. An EASM platform such as LocateRisk continuously inventories all external assets, including the Microsoft services associated with your organization. This provides the necessary visibility to review configurations and ensure that authentication methods, such as the device code flow, are enabled only where they are operationally necessary.
Vendor Risk Management (VRM): If a supplier or partner is compromised in this way, it poses a direct risk to your own supply chain. Attackers could use the compromised account to launch BEC (Business Email Compromise) attacks against your company. Continuous VRM assesses the security posture of critical third-party providers and helps identify and address such risks early on.
LocateRisk offers a platform developed and hosted in Germany that helps companies meet their GDPR requirements and maintain digital sovereignty.
Continuous monitoring of your external IT systems is the foundation of proactive cyber defense. LocateRisk identifies exposed services and misconfigurations before attackers can exploit them.
Device code phishing is an attack technique that exploits a legitimate OAuth 2.0 authentication method. Attackers trick users into entering a code on their own secure device that authorizes the attacker’s device. This allows the attacker to obtain OAuth access tokens for the victim’s account without knowing the victim’s password.
No, traditional MFA methods such as SMS codes or app notifications do not provide effective protection. Since the user confirms the login themselves on a device that has already been authenticated, the MFA prompt is successfully completed. Only phishing-resistant methods, such as FIDO2 security keys or passkeys, offer reliable protection.
No, there is no software patch for the OAuth device code flow exploit, as it involves an exploit of the protocol design. The effective countermeasure is to administratively disable or restrict this sign-in feature using Conditional Access Policies in Microsoft Entra ID.
Ghost Code Phishing uses AES-GCM encryption for phishing landing pages, which are only decrypted in the victim's browser. The key is transmitted as a URL fragment and never reaches the server. As a result, email gateways and sandboxes cannot analyze the malicious content, which drastically reduces the detection rate of conventional security solutions.
Request your personal Live-Demo now
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.