Hackers Exploit OAuth 2.0 to Hijack Microsoft 365 Accounts — What SMBs Need to Know
EJ
In today's digital landscape, attackers are no longer just stealing passwords—they're exploiting trusted authentication processes themselves. A recent campaign has highlighted how even familiar login workflows can be manipulated into dangerous backdoors, posing significant risks for small and mid-sized businesses (SMBs) that heavily rely on Microsoft 365.
The Attack: Leveraging OAuth 2.0 for Unauthorized Access
Researchers at Volexity have detailed how Russian-aligned threat groups are abusing OAuth 2.0 authentication flows to compromise Microsoft 365 accounts. While the campaign initially targeted organizations linked to Ukraine and human rights efforts, the tactics employed can easily be repurposed against SMBs across various industries.
The attack begins with a seemingly innocuous outreach. Victims are contacted through messaging apps like WhatsApp or Signal by individuals impersonating European officials or Ukrainian diplomats. The pretext is an invitation to a private video meeting. As the conversation progresses, the victim is sent a link—purportedly necessary to join the call—that prompts them to log into their Microsoft account.
Instead of stealing passwords outright, the attackers request an OAuth authorization code. This code, valid for up to 60 days, grants extensive access to the victim’s Microsoft 365 account—including email, files, and potentially sensitive business data—without ever needing their credentials.
The Broader Implications for SMBs
This method echoes adversary-in-the-middle (AiTM) attacks, where attackers steal session tokens to bypass authentication. However, in this case, the attackers are exploiting legitimate OAuth flows directly, making detection even more challenging.
In some instances, the attackers went further by registering a new device on the victim’s Microsoft Entra ID (formerly Azure Active Directory) after obtaining the code. To complete the compromise, they social-engineered the victim into approving a two-factor authentication (2FA) request, claiming it was necessary to join a SharePoint site tied to the fake conference.
The sophistication of this attack is alarming—it operates within the boundaries of trusted applications and processes, making it harder to detect and prevent. For SMBs, the implications are serious. Microsoft 365 often serves as the operational core for many companies, and a compromised account could lead to stolen data, financial fraud, reputational harm, and even regulatory issues. Moreover, many smaller organizations lack dedicated security teams to monitor every login or OAuth grant event, making these attacks even more insidious.

Understanding the Mechanics: OAuth 2.0 and Device Code Phishing
OAuth 2.0 is widely adopted for delegated authorization, allowing users to grant third-party applications access to their data without sharing passwords. The protocol enables single sign-on (SSO), letting users access multiple services using their Microsoft 365 credentials.
Attackers exploit this by creating malicious applications that request excessive permissions. In device code phishing attacks, victims are tricked into visiting a legitimate Microsoft URL and entering a code supplied by the attacker. Once the victim enters that code, the tokens are issued to the attacker's pending session, allowing them to impersonate the user and access their data.
These tokens can be valid for extended periods, and unless explicitly revoked, they provide persistent access to the victim's account, even if the password is changed.
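The sign-in pattern described above leaves a trail in Microsoft 365 telemetry: a sign-in that completed over the device code flow, possibly from an unusual country, followed by a device registration for the same user. The script below is an added example written for this post, not code from Volexity or Microsoft. It runs over constructed sample records whose field names follow the Microsoft Graph signIn and directoryAudit resources as an assumption (authenticationProtocol, status.errorCode, location.countryOrRegion, activityDisplayName, initiatedBy); adapt the names to whatever your log export actually contains.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names follow the
# Microsoft Graph signIn and directoryAudit resources as an assumption.
SIGNINS = [
    {"createdDateTime": "2025-04-10T08:02:11Z", "userPrincipalName": "alice@example.invalid",
     "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "GB"}},
    {"createdDateTime": "2025-04-10T09:15:40Z", "userPrincipalName": "alice@example.invalid",
     "appDisplayName": "Constructed Meeting Client", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-04-10T09:20:03Z", "userPrincipalName": "bob@example.invalid",
     "appDisplayName": "Constructed Meeting Client", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50058},  # any nonzero errorCode means the sign-in failed
     "location": {"countryOrRegion": "GB"}},
]
AUDIT_EVENTS = [
    {"activityDateTime": "2025-04-10T10:05:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.invalid"}}},
    {"activityDateTime": "2025-04-09T10:05:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.invalid"}}},
]
# Countries each user normally signs in from (constructed baseline).
BASELINE_COUNTRIES = {"alice@example.invalid": {"GB"}, "bob@example.invalid": {"GB"}}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def successful_device_code_signins(signins):
    """Sign-ins that completed through the device code flow."""
    return [r for r in signins
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]


def signins_from_new_country(signins, baseline):
    """Successful sign-ins from a country outside the user's baseline."""
    hits = []
    for r in signins:
        if r.get("status", {}).get("errorCode") != 0:
            continue
        user = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion")
        if country and country not in baseline.get(user, set()):
            hits.append((user, country, r["createdDateTime"]))
    return hits


def device_registered_after_device_code(signins, audit_events, window_hours=24):
    """Pair each successful device-code sign-in with a device registration by the
    same user inside the window: the sequence the campaign above relied on."""
    alerts = []
    for s in successful_device_code_signins(signins):
        start = parse_ts(s["createdDateTime"])
        for e in audit_events:
            if e.get("activityDisplayName") != "Register device":
                continue
            actor = e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
            when = parse_ts(e["activityDateTime"])
            if actor == s["userPrincipalName"] and start <= when <= start + timedelta(hours=window_hours):
                alerts.append({"user": actor, "app": s["appDisplayName"],
                               "signin": s["createdDateTime"], "registration": e["activityDateTime"]})
    return alerts


if __name__ == "__main__":
    for a in device_registered_after_device_code(SIGNINS, AUDIT_EVENTS):
        print("ALERT device code sign-in followed by device registration:", a)
    for hit in signins_from_new_country(SIGNINS, BASELINE_COUNTRIES):
        print("ALERT sign-in from new country:", hit)
```

On the sample data, only alice's device code sign-in from NL trips both checks; bob's failed attempt and carol's unrelated registration the day before do not. In a tenant that never uses device code sign-in legitimately, the first function alone is a high-signal alert; the correlation with device registration is what turns it into a probable account takeover.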
Mitigation Strategies for SMBs
Protecting against such sophisticated attacks requires a multi-faceted approach:
- Educate Employees: Regularly train staff to recognize phishing attempts, especially those involving unexpected authentication requests or unfamiliar applications.
- Implement Conditional Access Policies: Use Microsoft's Conditional Access to restrict access based on user location, device compliance, and risk levels.
- Monitor OAuth Activity: Regularly review and audit OAuth consents and connected applications within your Microsoft 365 environment.
- Restrict User Consent: Configure settings to prevent users from consenting to applications without administrative approval.
- Utilize Phishing-Resistant MFA: Adopt multi-factor authentication methods that are resistant to phishing, such as FIDO2 security keys.
- Disable Unused Authentication Flows: If device code authentication is not required, consider disabling it to reduce the attack surface.
- Regularly Review Access Logs: Monitor for unusual sign-in activities, such as logins from unfamiliar locations or devices.
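Three of the items above (monitoring OAuth consents, restricting user consent, and disabling the device code flow) can be expressed as checks and configuration rather than left to periodic manual review. The block below is an added example for this post, not Microsoft's or any vendor's code. It audits constructed oAuth2PermissionGrant records for user-consented grants of broad mail and file scopes, checks whether user consent is switched off, and builds a Conditional Access policy body that blocks the device code flow. The record shapes (oAuth2PermissionGrant, authorizationPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned, conditionalAccessPolicy with conditions.authenticationFlows.transferMethods) follow the Microsoft Graph API as an assumption; the client and object ids are placeholders.

```python
# Microsoft Graph delegated scopes that grant broad access to mail and files;
# a grant of these by an end user to an unknown app is worth reviewing.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Directory.ReadWrite.All", "offline_access"}

# Constructed oAuth2PermissionGrant records (assumed Graph shape): clientId is the
# app's service principal, consentType is "AllPrincipals" for admin consent or
# "Principal" for a single user's own consent, scope is space-separated.
GRANTS = [
    {"id": "g1", "clientId": "sp-lineofbusiness-app", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read offline_access"},
    {"id": "g2", "clientId": "sp-unknown-meeting-app", "consentType": "Principal",
     "principalId": "alice-object-id", "scope": "Mail.Read Files.Read.All offline_access"},
    {"id": "g3", "clientId": "sp-unknown-meeting-app", "consentType": "Principal",
     "principalId": "bob-object-id", "scope": "User.Read"},
]
APPROVED_CLIENTS = {"sp-lineofbusiness-app"}  # placeholder allowlist of reviewed apps


def audit_grants(grants, approved_clients, high_risk=HIGH_RISK_SCOPES):
    """Return user-consented grants to unapproved apps that include high-risk scopes."""
    findings = []
    for g in grants:
        if g["clientId"] in approved_clients:
            continue
        risky = set(g["scope"].split()) & high_risk
        if g["consentType"] == "Principal" and risky:
            findings.append({"grant": g["id"], "client": g["clientId"],
                             "user": g["principalId"], "risky_scopes": sorted(risky)})
    return findings


def user_consent_is_restricted(authorization_policy):
    """True when no permission grant policy is assigned to ordinary users, meaning
    end users cannot consent to applications themselves (assumed Graph shape)."""
    assigned = authorization_policy.get("defaultUserRolePermissions", {}).get(
        "permissionGrantPoliciesAssigned", [])
    return len(assigned) == 0


def device_code_block_policy(break_glass_ids, report_only=True):
    """Conditional Access policy body (assumed Graph shape) that blocks the device
    code flow for all users except the listed break-glass accounts. Start in
    report-only mode so legitimate device code use, if any, shows up first."""
    return {
        "displayName": "Block device code authentication flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_device_code(policy):
    """Sanity check before submitting: the policy targets the device code flow and blocks it."""
    flows = policy.get("conditions", {}).get("authenticationFlows", {}).get("transferMethods", "")
    methods = {m.strip() for m in flows.split(",") if m.strip()}
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return "deviceCodeFlow" in methods and blocks


if __name__ == "__main__":
    for f in audit_grants(GRANTS, APPROVED_CLIENTS):
        print("REVIEW user-consented grant:", f)
    policy = device_code_block_policy(["breakglass-object-id"])
    print("policy blocks device code:", policy_blocks_device_code(policy))
```

In the sample data only grant g2 is flagged: an unapproved app that a single user consented to, with mail and file read scopes plus offline_access (the scope that yields a long-lived refresh token). Grant g3 to the same app is not flagged because User.Read alone is low risk, which is also why an allowlist keyed on client id matters more than scanning scopes in isolation.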

Final Thoughts
OAuth 2.0, while powerful and convenient, introduces new avenues for attackers to exploit. For SMBs, it's crucial to recognize that these sophisticated attacks are not limited to large enterprises. By understanding the risks and implementing robust security measures, SMBs can better protect their digital assets and maintain the trust of their clients and partners.
If you're uncertain about your organization's current security posture or need assistance in implementing these recommendations, consider consulting with TechHorizon Consulting who can provide tailored solutions to safeguard your business.