This article discusses phishing campaigns by a Russian threat actor that exploit OAuth and Device Code authentication, using fake websites for international security events to trick users into revealing their credentials. The campaigns target organizations involved in events like the Belgrade Security Conference and the Brussels Indo-Pacific Dialogue, employing tactics such as rapport-building and messaging app support to enhance success.

This article examines how Device Code Phishing exploits the OAuth 2.0 authentication process used by Microsoft and Google. It details the mechanics of the attack, illustrating how attackers can trick users into providing access tokens through a seemingly legitimate flow. The comparison highlights the different security postures of the two identity providers.

This article discusses TokenFlare, a serverless framework for simulating phishing attacks on Entra ID and M365. It allows users to configure OAuth flows, deploy either locally or to Cloudflare, and includes built-in operational security features. The setup requires Python and Node.js, and it emphasizes authorized testing only.

A new phishing method called 'CoPhish' exploits Microsoft Copilot Studio agents to issue fraudulent OAuth consent requests, allowing attackers to steal session tokens through social engineering tactics. Researchers from Datadog Security Labs have highlighted the risks associated with Copilot Studio's flexibility and noted that Microsoft plans to address these vulnerabilities in future updates. Users are advised to limit administrative privileges and enforce stricter governance policies to mitigate the risks.