Microsoft Defender Security Research has identified a phishing campaign that abuses the OAuth device code authentication flow to compromise organizational accounts. In this flow the attacker, acting as the OAuth client, requests a device code and a short user code from the identity provider, lures the victim into entering the user code on the legitimate sign-in page, and then collects the victim's access and refresh tokens by polling the token endpoint. Device codes expire 15 minutes after issuance, which normally limits how long a mailed code stays usable; the campaign works around that limit with automation and just-in-time code generation, requesting a fresh code only when the victim opens the lure. The campaign uses EvilToken, a Phishing-as-a-Service toolkit, which the report distinguishes by its AI-driven infrastructure for automation.
The threat actors generated device codes dynamically, tied to the victim's interaction with the lure, so the code was still valid when the victim typed it, which raised the success rate. Phishing emails, hyper-personalized with generative AI, targeted specific roles within organizations to drive engagement. After gaining access, the actors created malicious inbox rules to keep access to the mailbox and to exfiltrate data.
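The following toy model shows the three steps of the device code flow described above and why just-in-time code generation matters to the attacker. It is an added example, not code from Microsoft or from the toolkit the article describes; the authorization server is an in-process stand-in for the identity provider, and apart from the 15-minute code lifetime quoted in the article every name, code format and delay is an assumption made for illustration.

```python
"""
Toy model of the OAuth 2.0 device authorization grant (RFC 8628) as abused in
device-code phishing. Added example, not code from Microsoft or from the toolkit
the article describes. The authorization server is an in-process stand-in for
the identity provider; only the 15-minute code lifetime comes from the article,
everything else (code formats, delays, token shapes) is assumed.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEVICE_CODE_LIFETIME = 15 * 60  # seconds; a device code expires 15 minutes after issuance


@dataclass
class DeviceCodeGrant:
    device_code: str                      # long secret the client polls the token endpoint with
    user_code: str                        # short code the user types at the verification URL
    issued_at: float                      # seconds on a simulated clock
    authorized_by: Optional[str] = None   # set once a user approves the code


class ToyAuthorizationServer:
    """Minimal identity-provider side of the device code flow (assumed behaviour)."""

    def __init__(self) -> None:
        self.by_device_code: Dict[str, DeviceCodeGrant] = {}
        self.by_user_code: Dict[str, DeviceCodeGrant] = {}

    def device_authorization(self, now: float) -> DeviceCodeGrant:
        """Step 1: the CLIENT (in phishing, the attacker) requests a code pair."""
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        grant = DeviceCodeGrant(secrets.token_urlsafe(32), user_code, now)
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[user_code] = grant
        return grant

    def user_enters_code(self, user_code: str, user: str, now: float) -> str:
        """Step 2: the USER signs in (MFA included) on the real site and types the code."""
        grant = self.by_user_code.get(user_code)
        if grant is None:
            return "invalid_code"
        if now - grant.issued_at > DEVICE_CODE_LIFETIME:
            return "expired_token"
        grant.authorized_by = user
        return "ok"

    def token(self, device_code: str, now: float) -> Dict[str, str]:
        """Step 3: the CLIENT polls; once the user has approved it receives the user's tokens."""
        grant = self.by_device_code.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if now - grant.issued_at > DEVICE_CODE_LIFETIME:
            return {"error": "expired_token"}
        if grant.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"access-for-{grant.authorized_by}",
                "refresh_token": f"refresh-for-{grant.authorized_by}",
                "sub": grant.authorized_by}


def pregenerated_code_lure(idp: ToyAuthorizationServer, victim: str,
                           click_delay: float) -> Tuple[str, Dict[str, str]]:
    """Lure carries a code requested at send time; the victim acts click_delay seconds later."""
    grant = idp.device_authorization(now=0.0)
    status = idp.user_enters_code(grant.user_code, victim, click_delay)
    return status, idp.token(grant.device_code, click_delay)


def just_in_time_code_lure(idp: ToyAuthorizationServer, victim: str,
                           click_delay: float) -> Tuple[str, Dict[str, str]]:
    """Lure page requests the code only when the victim loads it, so the 15-minute clock starts then."""
    t_click = click_delay
    grant = idp.device_authorization(now=t_click)
    pending = idp.token(grant.device_code, t_click)   # attacker starts polling at once
    assert pending == {"error": "authorization_pending"}
    when = t_click + 60                                # victim types the code within a minute
    status = idp.user_enters_code(grant.user_code, victim, when)
    return status, idp.token(grant.device_code, when)


if __name__ == "__main__":
    two_hours = 2 * 60 * 60
    print("pre-generated code, victim clicks after 2h:",
          pregenerated_code_lure(ToyAuthorizationServer(), "alice@example.com", two_hours))
    print("just-in-time code, victim clicks after 2h: ",
          just_in_time_code_lure(ToyAuthorizationServer(), "alice@example.com", two_hours))
```

The pre-generated lure fails whenever the victim acts more than 15 minutes after the mail was sent, while the just-in-time lure succeeds no matter how long the victim waits, because the code is minted at click time. Note that the victim never types a password into an attacker page: the credential and MFA prompt are handled by the real identity provider, and the attacker only needs the token response from step 3.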
To counter these attacks, Microsoft recommends multi-factor authentication, user education on phishing techniques, and anti-phishing policies. Bear in mind that in device code phishing the victim completes MFA on the legitimate sign-in page, so MFA alone does not prevent the token theft; the control that removes the attack path is blocking the device code flow wherever it is not needed, for example with a Conditional Access policy. Organizations are urged to block unnecessary device code flows and to centralize identity management so that such policies apply everywhere. Regular monitoring of sign-in logs for device code authentications, together with incident response practices such as reviewing newly created inbox rules, remains essential.
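The following added example sketches the monitoring the recommendation calls for: flag every device code sign-in, then raise severity when the same account creates a hiding or forwarding inbox rule within a short window, the post-compromise pattern described in this article. It is not Microsoft's detection logic. The records are constructed for this example, and the field names only loosely follow Entra ID sign-in logs (where the real filter is AuthenticationProtocol == "deviceCode") and Exchange Online mailbox audit events (New-InboxRule); treat them as assumptions.

```python
"""
Detection sketch for device-code sign-in followed by a suspicious inbox rule.
Added example, not Microsoft's detection logic. All records below are
constructed; field names are assumptions that loosely follow Entra ID sign-in
logs (AuthenticationProtocol == "deviceCode") and Exchange mailbox audit
events (New-InboxRule).
"""
from datetime import datetime, timedelta
from typing import Dict, List


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sign-in records.
SIGNIN_LOGS = [
    {"time": "2025-03-04T08:02:11Z", "user": "alice@example.com", "protocol": "deviceCode",
     "ip": "203.0.113.45", "app": "Microsoft Office"},
    {"time": "2025-03-04T08:05:40Z", "user": "bob@example.com", "protocol": "none",
     "ip": "198.51.100.7", "app": "Outlook"},
    {"time": "2025-03-04T12:30:00Z", "user": "carol@example.com", "protocol": "deviceCode",
     "ip": "192.0.2.9", "app": "Azure CLI"},
]

# Constructed mailbox audit events: rule creation with the rule's parameters.
INBOX_RULE_EVENTS = [
    {"time": "2025-03-04T08:09:03Z", "user": "alice@example.com", "action": "New-InboxRule",
     "parameters": {"Name": "..", "SubjectOrBodyContainsWords": ["password", "MFA", "suspicious"],
                    "DeleteMessage": True, "MarkAsRead": True}},
    {"time": "2025-03-04T13:10:00Z", "user": "carol@example.com", "action": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "From": ["news@vendor.example"], "MoveToFolder": "Newsletters"}},
    {"time": "2025-03-03T09:00:00Z", "user": "alice@example.com", "action": "New-InboxRule",
     "parameters": {"Name": "Old rule", "MoveToFolder": "Archive"}},
]

# Folders attackers commonly use to hide mail from the mailbox owner (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "conversation history", "deleted items", "junk email"}
ALERT_KEYWORDS = {"password", "mfa", "suspicious", "phish", "hacked"}


def rule_is_suspicious(params: Dict) -> List[str]:
    """Return the reasons a rule looks like persistence or exfiltration (empty list if none)."""
    reasons: List[str] = []
    if params.get("DeleteMessage"):
        reasons.append("deletes mail")
    if str(params.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {params['MoveToFolder']}")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if params.get(key):
            reasons.append(f"{key} set")
    words = params.get("SubjectOrBodyContainsWords", []) + params.get("SubjectContainsWords", [])
    if any(w.lower() in ALERT_KEYWORDS for w in words):
        reasons.append("filters on security-alert keywords")
    return reasons


def correlate(signins: List[Dict], rule_events: List[Dict],
              window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """One alert per device-code sign-in; severity 'high' if a suspicious rule follows within the window."""
    alerts = []
    for s in signins:
        if s["protocol"] != "deviceCode":
            continue
        t_signin = parse_ts(s["time"])
        alert = {"user": s["user"], "signin_time": s["time"], "ip": s["ip"], "app": s["app"],
                 "severity": "medium", "rules": []}
        for ev in rule_events:
            if ev["user"] != s["user"] or ev["action"] != "New-InboxRule":
                continue
            t_rule = parse_ts(ev["time"])
            if not (t_signin <= t_rule <= t_signin + window):
                continue  # rules created before the sign-in or long after are out of scope
            reasons = rule_is_suspicious(ev["parameters"])
            if reasons:
                alert["rules"].append({"time": ev["time"], "name": ev["parameters"].get("Name"),
                                       "reasons": reasons})
        if alert["rules"]:
            alert["severity"] = "high"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(SIGNIN_LOGS, INBOX_RULE_EVENTS):
        print(a)
```

Device code sign-ins are legitimate for CLI tools and input-constrained devices, so the first stage only tells you where the flow is in use, which is also the inventory you need before blocking it by policy. The second stage, the rule correlation, is what separates a developer using a CLI from an account whose mailbox is being used to hide the evidence of a takeover.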
