Attackers are refining their phishing and vishing tactics with SquarePhish2 and Graphish to take over Microsoft and Microsoft 365 (M365) accounts. The campaigns abuse the OAuth 2.0 device authorization grant (RFC 8628), a flow designed for devices without a keyboard or browser (smart TVs, CLI tools, IoT) and repurposed here as an illegitimate access path to corporate data. Both frameworks let attackers industrialise their campaigns: the login page, the consent prompt and the MFA challenge are all Microsoft's, so little attacker-owned infrastructure is needed and the deception is far more convincing.

The attack flow:
- The attacker uses SquarePhish2 or Graphish to request a device_code and a user_code from Microsoft's device authorization endpoint.
- The attacker contacts the victim by email or phone and tricks them into entering the user_code at microsoft.com/devicelogin.
- The victim signs in and completes Multi-Factor Authentication (MFA) on a genuine Microsoft page, approving a session they believe is their own.
- Meanwhile the attacker polls Microsoft's token endpoint with the device_code; once the victim approves, Microsoft returns the access and refresh tokens to the attacker.
- The code pair is short-lived (roughly 15 minutes), so the lure has to land while the attacker is still polling, which is exactly why these toolkits automate code generation and lure delivery.

The result is full access to the victim's Microsoft 365 data without a stolen password and without the attacker ever facing an MFA prompt: MFA is not bypassed so much as satisfied by the victim on the attacker's behalf. SOC teams struggle because the authentication looks legitimate: genuine Microsoft domains, TLS-encrypted traffic, and a successful MFA completion that reinforces the appearance of legitimacy. Detection requires visibility into OAuth token issuance events and behavioural monitoring that goes beyond traditional Indicators of Compromise (IOCs), for example device-code sign-ins from unfamiliar locations or clients. Key risks are persistent access via refresh tokens, data theft from SaaS applications reachable with the stolen tokens (Salesforce, Slack, Dropbox, SAP and others), and the difficulty of detection because the attack blends into legitimate Microsoft processes.
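The exchange described above, as an added offline simulation (not code from SquarePhish2, Graphish or Microsoft). A mock authorization server stands in for login.microsoftonline.com; the endpoint names mirror the real ones, but the 15-minute code lifetime, the 9-character user_code format and the token formats are assumptions, and nothing touches the network. The point it makes concrete: the victim only ever sees the user_code, while the token response goes to whoever holds the device_code.

```python
"""Offline simulation of OAuth 2.0 device-code phishing (RFC 8628).

Added example for this page; it is not code from SquarePhish2, Graphish or
Microsoft. MockAuthServer stands in for login.microsoftonline.com, the
15-minute code lifetime and 9-character user_code format are assumptions,
and no network traffic is generated.
"""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
DEVICE_CODE_TTL = 15 * 60   # assumed lifetime of device_code/user_code, seconds
POLL_INTERVAL = 5           # seconds the client must wait between token polls


class MockAuthServer:
    """Minimal device authorization server: hands out code pairs, lets a user
    approve a user_code, and returns tokens to whoever polls with the matching
    device_code. That asymmetry is the whole attack."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # device_code -> authorization record

    def device_authorization(self, client_id, scope):
        """/devicecode: called by the attacker's tooling, not by the victim."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_by": None, "expires": self.clock() + DEVICE_CODE_TTL,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    def user_approves(self, user_code, user, mfa_passed):
        """/devicelogin: the victim types the user_code, signs in and completes
        MFA on a genuine page. The victim never sees the device_code and is
        never handed a token."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                if self.clock() > rec["expires"]:
                    return "expired"
                if not mfa_passed:
                    return "mfa_required"
                rec["approved_by"] = user
                return "approved"
        return "invalid_code"

    def token(self, device_code):
        """/token: polled with the device_code. Returns RFC 8628 error codes
        until the user_code is approved, then a one-shot token response."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.clock() > rec["expires"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        self.pending.pop(device_code)
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": "eyJ.sim." + secrets.token_hex(8),
                "refresh_token": "0.sim." + secrets.token_hex(8),
                "client_id": rec["client_id"], "subject": rec["approved_by"]}


def simulate_attack(server, victim="alice@example.com", victim_completes_mfa=True):
    """Attacker requests codes, lures the victim into approving the user_code,
    and polls /token. Returns what each party ended up with."""
    codes = server.device_authorization(
        client_id="first-party-client-id-chosen-by-attacker",   # assumed value
        scope="openid offline_access https://graph.microsoft.com/.default")
    polls = [server.token(codes["device_code"])]          # lure not yet delivered
    # The lure (email or phone call) carries only the user_code and the URI.
    victim_result = server.user_approves(codes["user_code"], victim, victim_completes_mfa)
    polls.append(server.token(codes["device_code"]))       # next poll after approval
    return {"user_code_in_lure": codes["user_code"],
            "victim_result": victim_result, "attacker_polls": polls}


if __name__ == "__main__":
    print(simulate_attack(MockAuthServer()))
```

Two details worth noticing when running it: the first poll returns `authorization_pending` and the second returns a bearer token plus a refresh token, because the attacker asked for `offline_access`; and if the victim stops at the MFA prompt, or the code pair expires before the lure lands, the attacker gets nothing, which is why the real kits automate both code generation and lure delivery.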
Advanced Phishing and Vishing Campaigns Using device_code
Summary: Phishing and vishing campaigns using SquarePhish2 and Graphish are targeting Microsoft accounts through the OAuth device code flow, posing a significant risk to enterprise security.
Key facts
- Industrialized phishing campaigns using device_code and vishing
- OAuth 2.0 device authorization flow abuse
- Persistent access via refresh tokens
- Difficulty in detection due to legitimate-looking authentication
Why it matters
These attacks highlight the need for visibility into OAuth token issuance events and for behavioural monitoring that catches sign-ins which pass every traditional check: the domain, the certificate and the MFA result all look right. Practical controls are to treat the device code flow as an exception rather than a default (Entra ID Conditional Access can restrict it through its authentication flows condition), to alert on device-code sign-ins from unfamiliar locations or clients, and to revoke refresh tokens for affected users once a case is confirmed.
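The behavioural check described above, as an added example run over constructed sign-in records (not code from the article or any vendor product). The field names follow the Entra ID sign-in log schema as far as the author understands it, with `authenticationProtocol == "deviceCode"` marking the flow; treat them and the list of first-party client appIds as assumptions and map them to your own export.

```python
"""Added example: scoring device-code sign-ins from sign-in log records.

Not from the original article or any vendor product. The log lines below are
constructed. Field names (authenticationProtocol == "deviceCode", appId,
ipAddress, errorCode) follow the Entra ID sign-in log schema as the author
understands it; treat them as assumptions and map them to your own export.
"""
import json
from collections import defaultdict

# Well-known first-party Microsoft client appIds that device-code phishing
# kits commonly impersonate because the flow is enabled for them. Assumed and
# not exhaustive; check against your tenant.
FIRST_PARTY_CLIENTS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
}
ALERT_THRESHOLD = 3

# Constructed sample: alice's normal sign-ins from Germany, then a device-code
# sign-in for her from a new IP in another country; bob legitimately uses the
# Azure CLI (device code) from his usual IP.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2024-05-02T08:01:11Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","country":"DE","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"authorizationCode","resourceDisplayName":"Microsoft Graph","errorCode":0}
{"createdDateTime":"2024-05-02T09:14:52Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","country":"DE","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"authorizationCode","resourceDisplayName":"Microsoft Graph","errorCode":0}
{"createdDateTime":"2024-05-02T09:30:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","country":"DE","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"authorizationCode","resourceDisplayName":"Office 365 Exchange Online","errorCode":0}
{"createdDateTime":"2024-05-02T10:30:05Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.77","country":"NG","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"deviceCode","resourceDisplayName":"Microsoft Graph","errorCode":0}
{"createdDateTime":"2024-05-02T11:02:40Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","country":"DE","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"deviceCode","resourceDisplayName":"Windows Azure Service Management API","errorCode":0}
"""


def score_device_code_signins(jsonl_text):
    """Replay sign-ins in time order, learn each user's (country, ip) baseline
    from the successful non-device-code sign-ins seen so far, and score every
    successful device-code sign-in against that baseline. Returns the alerts."""
    records = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    records.sort(key=lambda r: r["createdDateTime"])
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    alerts = []
    for r in records:
        if r.get("errorCode", 0) != 0:
            continue   # failed sign-ins: neither scored nor added to the baseline
        user = r["userPrincipalName"]
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[user]["countries"].add(r["country"])
            baseline[user]["ips"].add(r["ipAddress"])
            continue
        score, reasons = 0, []
        if r["country"] not in baseline[user]["countries"]:
            score += 2
            reasons.append(f"new country {r['country']}")
        if r["ipAddress"] not in baseline[user]["ips"]:
            score += 1
            reasons.append(f"new ip {r['ipAddress']}")
        if r["appId"] in FIRST_PARTY_CLIENTS:
            score += 1
            reasons.append(f"first-party client {FIRST_PARTY_CLIENTS[r['appId']]}")
        if r.get("resourceDisplayName") == "Microsoft Graph":
            score += 1
            reasons.append("token scoped to Microsoft Graph")
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": user, "time": r["createdDateTime"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in score_device_code_signins(SAMPLE_SIGNINS):
        print(json.dumps(alert))
```

Running it flags alice's device-code sign-in (new country, new IP, first-party client, Graph token) and leaves bob's Azure CLI use alone, because his country and IP are already in his baseline. Which party's IP ends up on a device-code sign-in record depends on the log source and on where the token request is made from, so geography is one signal among several here; the `authenticationProtocol` value and the fact that a first-party client obtained a refresh-capable token are the durable ones, and a confirmed hit should end in revoking that user's refresh tokens.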
Key metrics
- Number of detected incidents: 573, reported by SOC teams over the past year