{"id":9154,"date":"2026-07-08T14:45:06","date_gmt":"2026-07-08T14:45:06","guid":{"rendered":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/"},"modified":"2026-07-08T15:28:51","modified_gmt":"2026-07-08T15:28:51","slug":"microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch","status":"publish","type":"post","link":"https:\/\/locaterisk.com\/en\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/","title":{"rendered":"Microsoft 365: Phishing Campaign Bypasses MFA by Exploiting the OAuth Protocol"},"content":{"rendered":"<div class=\"wp-block-lr-blog-article-header-module\">\r\n    <div class=\"content\">\r\n\t\t<div class=\"headline\">\r\n\t\t\t<button class=\"to-blog-button\">Back to Blog                <a href=\"https:\/\/locaterisk.com\/en\/blog\/\"><\/a>\r\n\t\t\t<\/button>\r\n\t\t\t\t\t<\/div>\r\n        <div class=\"main-content\">\r\n\t\t\t\t\t\t<!--\r\n            <div class=\"header\">\r\n                <h6> <\/h6>\r\n            <\/div>\r\n\t\t\t\t\t\t-->\r\n            <h1 class=\"title\">Microsoft 365: Phishing Campaign Bypasses MFA by Exploiting the OAuth Protocol<\/h1>\r\n            <p class=\"paragraph\"><br><span class=\"lr-ai-disclosure\" style=\"display:block;margin:8px 0 28px;font-size:14px;line-height:1.4;color:#8b93a7;font-family:inherit;font-style:italic;\">This text was generated using artificial intelligence (AI).<\/span><strong>Update July 8, 2026:<\/strong> In addition, an advanced variant of the attack has been identified that uses AES-GCM-encrypted HTML landing pages and is decrypted exclusively within the victim\u2019s browser (\u201eGhost Code\u201c technique). This method makes detection by security solutions significantly more difficult. See below for details.<br><br>A phishing campaign that specifically targets Microsoft 365 accounts has been observed since at least April 2026. Cisco Talos published a comprehensive analysis of this campaign on June 30, 2026. Attackers are exploiting a legitimate feature\u2014the <strong>OAuth 2.0 Device Authorization Grant Flow<\/strong> \u2013 to bypass multi-factor authentication (MFA) and gain access to corporate data. The campaign uses the Phishing-as-a-Service (PhaaS) kit <strong>ARToken<\/strong>, which, according to Cisco Talos, is an affiliate or customer of the <strong>EvilTokens<\/strong>-platform and shares its infrastructure and API contracts.<\/p>\r\n        <\/div>\r\n    <\/div>\r\n<\/div>\r\n\r\n\r\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"400\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/initial-access-vector.png\" alt=\"Microsoft 365: Phishing-Kampagne umgeht MFA durch OAuth-Protokoll-Missbrauch\" class=\"wp-image-9141\" srcset=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/initial-access-vector.png 400w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/initial-access-vector-300x300.png 300w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/initial-access-vector-150x150.png 150w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/initial-access-vector-12x12.png 12w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure><\/div>\n\n\n<p><strong>The Facts at a Glance:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attack method:<\/strong> Microsoft 365 device code phishing via the OAuth 2.0 flow; new variant with AES-GCM-encrypted landing pages.<\/li>\n\n\n\n<li><strong>Tooling:<\/strong> ARToken PhaaS Panel shares infrastructure and operational patterns with EvilTokens; another related kit: Kali365.<\/li>\n\n\n\n<li><strong>Target:<\/strong> Takeover of Microsoft 365 accounts through the theft of OAuth access and refresh tokens.<\/li>\n\n\n\n<li><strong>Persistence:<\/strong> According to Cisco Talos, stolen OAuth refresh tokens remain valid even after the victim changes their password, unless they are explicitly revoked.<\/li>\n\n\n\n<li><strong>New Technology:<\/strong> \u201eGhost Code\u201c phishing, which uses browser-based decryption, makes detection by email gateways and sandboxes more difficult.<\/li>\n\n\n\n<li><strong>Protection:<\/strong> Standard MFA is ineffective. Only phishing-resistant MFA (FIDO2) and blocking the device code flow provide protection.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How the Attack on Microsoft 365 Accounts Unfolded<\/strong><\/h2>\n\n\n\n<p>The attack exploits a sign-in feature designed for devices without a browser or with limited input capabilities, such as smart TVs or IoT devices. Instead of entering sign-in credentials directly, the device displays a code. The user enters this code on a second, already authenticated device on a legitimate Microsoft sign-in page, thereby authorizing the new device.<\/p>\n\n\n\n<p>The attack chain begins with a phishing email that tricks the victim into clicking a link under the pretense of verifying an invoice. This link leads to a page that triggers a legitimate Microsoft login request in the background. The victim is shown an authentic-looking Microsoft page displaying a device code. If the user enters this code, they unwittingly authorize the attacker\u2019s session. The attacker then receives an access token and a refresh token, granting them access to email, OneDrive, and SharePoint.<\/p>\n\n\n\n<p>The particular danger lies in the persistence of the stolen <strong>OAuth Refresh Tokens<\/strong>: According to Cisco Talos, they remain valid even after the affected user changes their password. In addition, ARToken uses what is known as \u201ebroker mode\u201c to achieve PRT-like persistence via the Microsoft Authentication Broker. Only an explicit revocation of the tokens via Microsoft Entra ID terminates the attacker\u2019s access.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Ghost Phishing: Concealment Through Browser-Side Decryption<\/strong><\/h2>\n\n\n\n<p>The newly observed attack variant relies on an advanced obfuscation technique known as \u201eGhost Code\u201c phishing. In this technique, the phishing landing pages are delivered encrypted with AES-GCM. The decryption key is embedded as a fragment identifier (according to the <strong>#<\/strong>(character) in the URL and never reaches the server. Decryption takes place exclusively in the victim's browser using client-side JavaScript.<\/p>\n\n\n\n<p>This method offers attackers several advantages: Email security gateways and sandboxes cannot analyze the encrypted content because they do not have access to the URL fragment. Even if security solutions inspect the landing page, the actual phishing content remains hidden. Only when a real user clicks the full link in the email does the deceptively authentic Microsoft sign-in page with the device code become visible.<\/p>\n\n\n\n<p>This technology significantly increases the campaign's success rate, as traditional URL reputation systems and content filters are ineffective. For security teams, this means that preventive controls such as email filtering and link scanning alone are not enough.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>ARToken and EvilTokens: The PhaaS Ecosystem<\/strong><\/h2>\n\n\n\n<p>Behind the campaign is the ARToken panel, which is marketed as Phishing-as-a-Service (PhaaS). As Cisco Talos reported in late June 2026, ARToken shares infrastructure, API contracts, and operational patterns with the EvilTokens platform and is classified as its affiliate or customer. In addition to ARToken, Kali365 is another known PhaaS kit that exploits the same vulnerability in the Microsoft Device Authorization Flow. These kits significantly lower the barrier to entry for attackers by providing a professional infrastructure for carrying out phishing attacks and managing compromised accounts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Recommended Precautions<\/strong><\/h2>\n\n\n\n<p>Since this involves the misuse of a protocol design, there is no traditional software patch. Protection requires a combination of technical controls and awareness-raising.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Immediate measures:<\/strong> Instruct employees never to enter device codes they have received via unsolicited emails. If a compromise is suspected, administrators must immediately revoke all refresh tokens for the affected user using the <strong>revokeSignInSessions<\/strong> Revoke in Microsoft Entra ID.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Short-term measures:<\/strong> Provide targeted training for employees on the risks of device code phishing and the new \"ghost code\" variant. Monitor Azure logs for suspicious OAuth token activity, unauthorized device code authentications, and unexpected PRT registrations. Audit existing inbox rules and OAuth consents. Implement behavior-based anomaly detection, as signature-based systems cannot detect encrypted phishing pages.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Long-term curing:<\/strong> The most effective protection is to disable the device code authentication flow using Conditional Access Policies in Microsoft Entra ID. This feature should be blocked for standard users and allowed only for explicitly documented and monitored service accounts (e.g., for IoT use cases). Implement phishing-resistant MFA such as FIDO2 or passkeys, as traditional MFA methods are bypassed in this attack.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Relevance for Companies in Germany, Austria, and Switzerland<\/strong><\/h2>\n\n\n\n<p>For companies in Germany, Austria, and Switzerland, the following applies: If personal data is accessed or compromised as a result of a successful account takeover, there is an obligation under Article 33 of the GDPR to report the incident to the competent data protection authority within 72 hours of becoming aware of it. As a central communication and collaboration platform, Microsoft 365 is also relevant in the context of NIS-2: Operators of essential and important facilities are required to demonstrate that they have implemented appropriate technical measures to secure authentication procedures and to report security incidents. Organizations should verify whether their authentication configuration complies with the requirements of these regulations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Classification by LocateRisk<\/strong><\/h2>\n\n\n\n<p>The attack described highlights the need for comprehensive visibility into one's own IT infrastructure and the associated risks.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>External Attack Surface Management (EASM):<\/strong> Microsoft 365 is an externally accessible service that forms part of a company\u2019s attack surface. An EASM platform such as LocateRisk continuously inventories all external assets, including the Microsoft services associated with your organization. This provides the necessary visibility to review configurations and ensure that authentication methods, such as the device code flow, are enabled only where they are operationally necessary.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Vendor Risk Management (VRM):<\/strong> If a supplier or partner is compromised in this way, it poses a direct risk to your own supply chain. Attackers could use the compromised account to launch BEC (Business Email Compromise) attacks against your company. Continuous VRM assesses the security posture of critical third-party providers and helps identify and address such risks early on.<\/li>\n<\/ul>\n\n\n\n<p>LocateRisk offers a platform developed and hosted in Germany that helps companies meet their GDPR requirements and maintain digital sovereignty.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Sources and further information<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cisco Talos (Primary Analysis):<\/strong> <a href=\"https:\/\/blog.talosintelligence.com\/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365\/\" target=\"_blank\" rel=\"noreferrer noopener\">ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365<\/a><\/li>\n\n\n\n<li><strong>Cisco Talos (IOCs):<\/strong> <a href=\"https:\/\/github.com\/Cisco-Talos\/IOCs\/blob\/main\/2026\/07\/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365.json\" target=\"_blank\" rel=\"noreferrer noopener\">Indicators of Compromise on GitHub<\/a><\/li>\n\n\n\n<li><strong>Microsoft Security Blog (Context):<\/strong> <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/13\/storm-2372-conducts-device-code-phishing-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">Storm-2372 Carries Out a Device Code Phishing Campaign (Feb 2025)<\/a><\/li>\n\n\n\n<li><strong>Proofpoint (Context):<\/strong> <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/device-code-phishing-evolution-identity-takeover\" target=\"_blank\" rel=\"noreferrer noopener\">The Evolution of Device-Based Phishing and Identity Takeover<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Do you know your external attack surface?<\/strong><\/h2>\n\n\n\n<p>Continuous monitoring of your external IT systems is the foundation of proactive cyber defense. LocateRisk identifies exposed services and misconfigurations before attackers can exploit them.<\/p>\n\n\n\n<p><a href=\"https:\/\/locaterisk.com\/en\/demo\/\" target=\"_blank\" rel=\"noreferrer noopener\">Request a free safety check<\/a><\/p>\n\n\n\n<div class=\"wp-block-lr-faq-module\"><div class=\"content\"><h3><strong>Frequently asked questions<\/strong><\/h3><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>What is device code phishing?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">Device code phishing is an attack technique that exploits a legitimate OAuth 2.0 authentication method. Attackers trick users into entering a code on their own secure device that authorizes the attacker\u2019s device. This allows the attacker to obtain OAuth access tokens for the victim\u2019s account without knowing the victim\u2019s password.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Does standard multi-factor authentication (MFA) protect against this attack?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">No, traditional MFA methods such as SMS codes or app notifications do not provide effective protection. Since the user confirms the login themselves on a device that has already been authenticated, the MFA prompt is successfully completed. Only phishing-resistant methods, such as FIDO2 security keys or passkeys, offer reliable protection.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Is there a patch for this security issue?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">No, there is no software patch for the OAuth device code flow exploit, as it involves an exploit of the protocol design. The effective countermeasure is to administratively disable or restrict this sign-in feature using Conditional Access Policies in Microsoft Entra ID.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>What is ghost code phishing, and why is it harder to detect?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">Ghost Code Phishing uses AES-GCM encryption for phishing landing pages, which are only decrypted in the victim's browser. The key is transmitted as a URL fragment and never reaches the server. As a result, email gateways and sandboxes cannot analyze the malicious content, which drastically reduces the detection rate of conventional security solutions.<\/p><\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-lr-contact-post-module\">\n\t<div id=\"lr-contact-form\" class=\"wp-block-lr-contact-post-module\">\n\t\t<div id=\"formular\" class=\"content\">\n\t\t\t<div class=\"inner-content\">\n\t\t\t\t<div class=\"column-2 feature-mode\">\n\t\t\t\t\t<h2><br>Request your personal Live-Demo now<\/h2>\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t<div>\n\t\t\t\t\t\t\t\t<p class=\"margin-b-36\">Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.<\/p>\n\t\t\t\t\t\t\t<\/div>\t\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div> \n\t\t\t\t<div class=\"column-2\">\n\t\t\t\t\t<form action=\"\" class=\"form\" method=\"post\" role=\"form\" novalidate data-trp-original-action=\"\">\n\t\t\t\t\t\t<input type=\"text\" id=\"successmessage\" name=\"successmessage\" value=\"Ihre Registrierung war erfolgreich Ihre Anfrage wurde erfolgreich versendet. Wir haben Ihnen soeben eine Best\u00e4tigungsmail mit einem Aktivierungs-Link zugesendet, um einem Missbrauch Ihrer E-Mail Adresse durch Dritte vorzubeugen. Die Mail wird von sales@locaterisk.com versendet und sollte sich i n wenigen Minuten in Ihrem Posteingang finden.\" hidden>\n\t\t\t\t\t\t<input type=\"text\" id=\"errormessage\" name=\"errormessage\" value=\"Da ist wohl etwas schief gelaufen. Bitte probieren Sie es erneut oder nehmen Sie direkt mit uns Kontakt auf\" hidden>\n\t\t\t\t\t\t<input type=\"text\" id=\"slug\" name=\"slug\" value=\"microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\" hidden>\n\n\t\t\t\t\t\t\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\t\tid=\"name\"\n\t\t\t\t\t\t\t\tname=\"name\"\n\t\t\t\t\t\t\t\tplaceholder=\"first name\"\n\t\t\t\t\t\t\t\trequired\tmaxlength=\"50\"\/>\n\n\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\t\tid=\"surname\"\n\t\t\t\t\t\t\t\tname=\"surname\"\n\t\t\t\t\t\t\t\tplaceholder=\"last name\"\n\t\t\t\t\t\t\t\trequired\n\t\t\t\t\t\t\t\tmaxlength=\"50\"\/>\n\t\t\t\t\t\t\n\t\t\t\t\t\t<input\n\t\t\t\t\t\t\ttype=\"email\"\n\t\t\t\t\t\t\tid=\"email\"\n\t\t\t\t\t\t\tname=\"email\"\n\t\t\t\t\t\t\tplaceholder=\"Email\"\n\t\t\t\t\t\t\trequired\n\t\t\t\t\t\t\tmaxlength=\"50\"\/>\n\n\t\t\t\t\t\t<input\n\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\tid=\"phone\"\n\t\t\t\t\t\t\tname=\"phone\"\n\t\t\t\t\t\t\tplaceholder=\"phone\"\n\t\t\t\t\t\t\trequired\n\t\t\t\t\t\t\tmaxlength=\"50\"\/>\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t<h6 class=\"error-message\" hidden>...<\/h6>\n\t\t\t\t\t\t<div class=\"checkbox_container\">\n\t\t\t\t\t\t\t<div class=\"checkbox\">\n\t\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\t\ttype=\"checkbox\"\n\t\t\t\t\t\t\t\t\tid=\"checkbox\"\n\t\t\t\t\t\t\t\t\tname=\"checkbox\" \/>\n\n\t\t\t\t\t\t\t\t<label for=\"checkbox\"><\/label>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<p class=\"translation-block\">I agree with the <a href=\"https:\/\/locaterisk.com\/en\/datenschutz\/\" target=\"_self\">privacy policy<\/a>.<\/p> \n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\n\t\t\t\t\t<div class=\"g-recaptcha\" data-sitekey=\"6LdErNoZAAAAAD1Re2jNxtDFfcDaL9iED5MRBzjR\" data-callback=\"verifyRecaptchaCallback\" data-expired-callback=\"expiredRecaptchaCallback\"><\/div>\n\t\t\t\t\t<input type=\"hidden\" name=\"g-recaptcha-response\" data-recaptcha \/>\n\n\t\t\t\t\t\t<button class=\"lr-button-link\" type=\"submit\"> Request a Demo<\/button>\n\t\t\t\t\t<input type=\"hidden\" name=\"trp-form-language\" value=\"en\"\/><\/form>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\t\n\t<\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<div class=\"wp-block-lr-contact-module\"><div class=\"content\"><h2>Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!<\/h2><div class=\"contact-info-row\"><div class=\"contact-person-info\"><div class=\"avatar\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2025\/06\/Lukas_Baumann_LocateRisk-300.png\"><\/div><p><span class=\"text before\">Your personal consultant<\/span><span class=\"bold name\"><strong>Lukas<\/strong><\/span> <span class=\"lastname\"><strong>Baumann<strong><\/strong><\/strong><\/span><strong><strong><span class=\"separator\"><\/span><span class=\"role\">CEO<\/span><\/strong><\/strong><\/p><\/div><p class=\"bold phone\"><strong><strong>+49 6151 6290246<\/strong><\/strong><\/p><strong><strong><a class=\"pr-1\" href=\"mailto: sales@locaterisk.com\">Get in Touch Now<\/a><\/strong><\/strong><\/div><\/div><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-lr-footer-module lr-footer-block\"><div class=\"content\"><div class=\"column0\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/assets\/img\/lr-logo.svg\"\/><\/div><div class=\"categories\"><div class=\"categories-element\"><a class=\"pr-4\" href=\"https:\/\/locaterisk.com\/en\/\">Home<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/blog\/\">Blog<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/about\/\">About Us<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/kontakt\/\">Contact<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/impressum\/\">Legal Notice<\/a><\/div><div class=\"categories-break\"><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/datenschutz\/\">Privacy<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/files\/gtc.pdf\">General Terms and Conditions<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"\/en\/jobs\/\">Jobs<\/a><\/div><div class=\"categories-element\"><a class=\"pr-4\" href=\"https:\/\/app.secfix.com\/trust\/locaterisk\/d1e7d433b33643aea1880bfbfeab9f60\">Trust Center<\/a><\/div><\/div><div class=\"social\"><div class=\"social-element\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/locaterisk\/\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/10\/gruppe-230@3x.png\"\/><\/a><\/div><div class=\"social-element\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/locaterisk\/\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Instagram.png\"\/><\/a><\/div><div class=\"social-element\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/locaterisk\"><img decoding=\"async\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/twitter.png\"\/><\/a><\/div><\/div><div class=\"description\"><h6>\u00a9 LocateRisk 2026<\/h6><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>Phishing campaigns exploit the Microsoft 365 OAuth device code flow to take over accounts. The ARToken Kit and a Ghost phishing variant bypass standard MFA. Analysis and protective measures.<\/p>","protected":false},"author":13,"featured_media":9141,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9154","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft 365 Device-Code-Phishing umgeht MFA | LocateRisk Analyse<\/title>\n<meta name=\"description\" content=\"Phishing-Kampagnen missbrauchen den OAuth Device-Code-Flow von Microsoft 365 zur Konto\u00fcbernahme. ARToken-Kit und Ghost-Phishing-Variante umgehen Standard-MFA. Analyse und Schutzma\u00dfnahmen.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/locaterisk.com\/en\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft 365 Device-Code-Phishing umgeht MFA | LocateRisk Analyse\" \/>\n<meta property=\"og:description\" content=\"Phishing-Kampagnen missbrauchen den OAuth Device-Code-Flow von Microsoft 365 zur Konto\u00fcbernahme. ARToken-Kit und Ghost-Phishing-Variante umgehen Standard-MFA. Analyse und Schutzma\u00dfnahmen.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/locaterisk.com\/en\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/\" \/>\n<meta property=\"og:site_name\" content=\"LocateRisk\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-08T14:45:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-07-08T15:28:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-14345-featured.png\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kristina Hoinkis\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kristina Hoinkis\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/\"},\"author\":{\"name\":\"Kristina Hoinkis\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\"},\"headline\":\"Microsoft 365: Phishing-Kampagne umgeht MFA durch OAuth-Protokoll-Missbrauch\",\"datePublished\":\"2026-07-08T14:45:06+00:00\",\"dateModified\":\"2026-07-08T15:28:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/\"},\"wordCount\":1484,\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/initial-access-vector.png\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/\",\"name\":\"Microsoft 365 Device-Code-Phishing umgeht MFA | LocateRisk Analyse\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/initial-access-vector.png\",\"datePublished\":\"2026-07-08T14:45:06+00:00\",\"dateModified\":\"2026-07-08T15:28:51+00:00\",\"description\":\"Phishing-Kampagnen missbrauchen den OAuth Device-Code-Flow von Microsoft 365 zur Konto\u00fcbernahme. ARToken-Kit und Ghost-Phishing-Variante umgehen Standard-MFA. Analyse und Schutzma\u00dfnahmen.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/#primaryimage\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/initial-access-vector.png\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/initial-access-vector.png\",\"width\":400,\"height\":400,\"caption\":\"initial-access-vector\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/locaterisk.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft 365: Phishing-Kampagne umgeht MFA durch OAuth-Protokoll-Missbrauch\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"name\":\"LocateRisk\",\"description\":\"IT-Sicherheit messen und vergleichen\",\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\",\"name\":\"LocateRisk\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"LocateRisk\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/locaterisk\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\",\"name\":\"Kristina Hoinkis\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"caption\":\"Kristina Hoinkis\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft 365 Device-Code-Phishing umgeht MFA | LocateRisk Analyse","description":"Phishing campaigns exploit the Microsoft 365 OAuth device code flow to take over accounts. The ARToken Kit and a Ghost phishing variant bypass standard MFA. Analysis and protective measures.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/locaterisk.com\/en\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft 365 Device-Code-Phishing umgeht MFA | LocateRisk Analyse","og_description":"Phishing-Kampagnen missbrauchen den OAuth Device-Code-Flow von Microsoft 365 zur Konto\u00fcbernahme. ARToken-Kit und Ghost-Phishing-Variante umgehen Standard-MFA. Analyse und Schutzma\u00dfnahmen.","og_url":"https:\/\/locaterisk.com\/en\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/","og_site_name":"LocateRisk","article_published_time":"2026-07-08T14:45:06+00:00","article_modified_time":"2026-07-08T15:28:51+00:00","og_image":[{"width":400,"height":400,"url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-14345-featured.png","type":"image\/png"}],"author":"Kristina Hoinkis","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kristina Hoinkis","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/#article","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/"},"author":{"name":"Kristina Hoinkis","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32"},"headline":"Microsoft 365: Phishing-Kampagne umgeht MFA durch OAuth-Protokoll-Missbrauch","datePublished":"2026-07-08T14:45:06+00:00","dateModified":"2026-07-08T15:28:51+00:00","mainEntityOfPage":{"@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/"},"wordCount":1484,"publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"image":{"@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/initial-access-vector.png","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/","url":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/","name":"Microsoft 365 Device-Code-Phishing umgeht MFA | LocateRisk Analyse","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/#primaryimage"},"image":{"@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/initial-access-vector.png","datePublished":"2026-07-08T14:45:06+00:00","dateModified":"2026-07-08T15:28:51+00:00","description":"Phishing campaigns exploit the Microsoft 365 OAuth device code flow to take over accounts. The ARToken Kit and a Ghost phishing variant bypass standard MFA. Analysis and protective measures.","breadcrumb":{"@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/#primaryimage","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/initial-access-vector.png","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/initial-access-vector.png","width":400,"height":400,"caption":"initial-access-vector"},{"@type":"BreadcrumbList","@id":"https:\/\/locaterisk.com\/de\/microsoft-365-phishing-kampagne-umgeht-mfa-durch-oauth-protokoll-missbrauch\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/locaterisk.com\/"},{"@type":"ListItem","position":2,"name":"Microsoft 365: Phishing-Kampagne umgeht MFA durch OAuth-Protokoll-Missbrauch"}]},{"@type":"WebSite","@id":"https:\/\/locaterisk.com\/de\/#website","url":"https:\/\/locaterisk.com\/de\/","name":"LocateRisk","description":"Measure and compare IT security","publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/locaterisk.com\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/locaterisk.com\/de\/#organization","name":"LocateRisk","url":"https:\/\/locaterisk.com\/de\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","width":1920,"height":1080,"caption":"LocateRisk"},"image":{"@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/locaterisk\/"]},{"@type":"Person","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32","name":"Kristina Hoinkis","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","caption":"Kristina Hoinkis"}}]}},"_links":{"self":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/9154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/comments?post=9154"}],"version-history":[{"count":1,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/9154\/revisions"}],"predecessor-version":[{"id":9155,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/9154\/revisions\/9155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/media\/9141"}],"wp:attachment":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/media?parent=9154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/categories?post=9154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/tags?post=9154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}