OAuth Device Code Phishing: Azure vs Google Compared

OAuth device code phishing is an emerging threat targeting users of popular cloud platforms like Microsoft Azure and Google. This attack exploits the OAuth device authorization flow, tricking victims into granting malicious apps access to their accounts without realizing it. The phishing campaigns use social engineering tactics to lure users into approving device codes, which then allow attackers to bypass traditional authentication methods and gain persistent access to sensitive data. Microsoft Azure and Google have implemented OAuth device code flows to simplify login on devices with limited input capabilities. However, attackers have found ways to abuse this mechanism by creating convincing phishing pages and prompts that mimic legitimate authorization requests. These deceptive tactics have led to increased incidents of account takeovers and data breaches, highlighting the need for enhanced user awareness and stronger security controls. Security researchers have compared the phishing techniques used against Azure and Google users, noting differences in the attack vectors and mitigation strategies. While both platforms face similar threats, Google's OAuth implementation includes additional safeguards that make exploitation more challenging. Conversely, Azure's device code flow has shown vulnerabilities that attackers exploit more frequently. To combat these threats, organizations are advised to implement multi-factor authentication, monitor OAuth app permissions regularly, and educate users about the risks of unsolicited authorization requests. Security teams should also leverage advanced threat detection tools to identify and block suspicious OAuth activities promptly. This article provides an in-depth analysis of OAuth device code phishing attacks targeting Azure and Google, offering insights into the tactics, techniques, and procedures used by threat actors. It also outlines best practices for defending against these sophisticated phishing campaigns to protect cloud identities and maintain organizational security.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 03 Nov 2025 15:30:11 +0000

Cyber News related to OAuth Device Code Phishing: Azure vs Google Compared

10 Best Anti-Phishing Tools in 2025 - What is Good?What Could Be Better?Real-time email threat detection and response using AI and machine learning.Limited customer support optionsAutomates incident response to stop phishing attacks quickly.The training module is not entirely ...
3 months ago Cybersecuritynews.com

OAuth Device Code Phishing: Azure vs Google Compared - OAuth device code phishing is an emerging threat targeting users of popular cloud platforms like Microsoft Azure and Google. This attack exploits the OAuth device authorization flow, tricking victims into granting malicious apps access to their ...
1 week ago Bleepingcomputer.com

Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com

What is Azure Identity Protection and 7 Steps to a Seamless Setup - As a result, tools such as Microsoft's Azure Identity Protection have become a staple in protecting against compromised identities, account takeover, and misuse of privileges. Azure Identity Protection is a security service that provides a robust ...
1 year ago Securityboulevard.com

Attackers Target Microsoft Accounts to Weaponize OAuth Apps - Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying. ...
1 year ago Darkreading.com

Five business use cases for evaluating Azure Virtual WAN security solutions - To help organizations who are evaluating security solutions to protect their Virtual WAN deployments, this article considers five business use cases and explains how Check Point enhances and complements Azure security with its best-of-breed, ...
1 year ago Blog.checkpoint.com

Microsoft Disables Verified Partner Accounts Used for OAuth Phishing - Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, ...
2 years ago Bleepingcomputer.com

Spear Phishing vs Phishing: What Are The Main Differences? - Almost half of them used phishing to obtain the passwords of users. Highly targeted phishing campaigns against specific individuals or types of individuals are known as spear phishing. It's important to be able to spot phishing in general. For ...
1 year ago Techrepublic.com

What Is OAuth 2.0? - Scope of Access: Before OAuth, the meal planning app might have access to data that the user did not actually wish to share. No Way to Revoke Access: Before OAuth, the user could not easily restrict or revoke the meal planning app's access to their ...
1 year ago Feeds.dzone.com

Microsoft: OAuth apps used to automate BEC and cryptomining attacks - Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. OAuth is an open standard for granting apps secure delegated access to server ...
1 year ago Bleepingcomputer.com

Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
2 years ago Packetstormsecurity.com Lazarus Group

Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns - Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks. OAuth is an open standard authentication protocol that uses tokens to grant applications access to ...
1 year ago Helpnetsecurity.com Hunters

Hackers Abuse OAuth Applications to Automated Finacial Attacks - OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials. This standard protocol facilitates secure authorization and authentication, commonly used to access resources on ...
1 year ago Cybersecuritynews.com

Money-grubbing crooks abuse OAuth apps for BEC, phishing The Register - Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes - such as business email compromise, phishing, large-scale spamming campaigns - and deploying virtual machines to illicitly mine for cryptocurrencies, according to ...
1 year ago Go.theregister.com

Microsoft fixes Entra ID authentication issue caused by DNS change - "Between 17:18 UTC and 18:35 UTC on 25 February 2025, customers attempting to authenticate with Microsoft Entra ID using the Seamless SSO and Microsoft Entra Connect Sync features may have experienced DNS resolution failures when trying to access ...
8 months ago Bleepingcomputer.com

Microsoft fixes critical Azure CLI flaw that leaked credentials in logs - Microsoft has fixed a critical security vulnerability that could let attackers steal credentials from GitHub Actions or Azure DevOps logs created using Azure CLI. The vulnerability was reported by security researchers with Palo Alto's Prisma Cloud. ...
1 year ago Bleepingcomputer.com

Azure Service Tags tagged as security risk, Microsoft disagrees - Security researchers at Tenable discovered what they describe as a high-severity vulnerability in Azure Service Tag that could allow attackers to access customers' private data. Service Tags are groups of IP addresses for a specific Azure service ...
1 year ago Bleepingcomputer.com

Hackers Exploiting Google's OAuth system Flaws to Bypass Gmail Security Filters - The attack, which successfully bypasses Gmail’s security filters, appears legitimate to users as it originates from authentic Google domains and passes all standard security checks, including DKIM authentication. Nick Johnson, Ethereum Name ...
6 months ago Cybersecuritynews.com

Find hidden malicious OAuth apps in Microsoft 365 using Cazadora - Microsoft 365 environments are increasingly targeted by attackers leveraging malicious OAuth applications to gain unauthorized access and persist within organizations. These hidden OAuth apps can bypass traditional security controls, making detection ...
3 weeks ago Bleepingcomputer.com

Flipping the BEC funnel: Phishing in the age of GenAI - For years, phishing was just a numbers game: A malicious actor would slap together an extremely generic email and fire it out to thousands of recipients in the hope that a few might take the bait. Common among these new techniques was a shift towards ...
1 year ago Helpnetsecurity.com

Azure MACC Credits Gathering Dust? Use Them to Get the Best Prevention-First Security - As we enter 2024, your organization may have unused MACC or Azure commit-to-consume credits as your annual renewal date draws near. Whether you have credits that will soon expire or are starting to plan your Azure spend for the next 12 months, Check ...
1 year ago Blog.checkpoint.com

Comprehensive Cloud Monitoring Platforms: Ensuring - Platforms for comprehensive cloud monitoring come into play in this situation. In this article, we will explore the significance of comprehensive cloud monitoring platforms and delve into some leading solutions available in the market today. ...
1 year ago Feeds.dzone.com

Signing Executables With Azure DevOps - This signing tool is compatible with all major executable files and works impeccably with all OV and EV code signing certificates. It's mostly used with Azure DevOps due to the benefit of Azure Key Vault. Here, you will undergo the complete procedure ...
1 year ago Feeds.dzone.com

CVE-2025-4143 - The OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp , did not correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration. ...
6 months ago

Azure Serial Console Attack and Defense - This is the second installment of the Azure Serial Console blog, which provides insights to improve defenders' preparedness when investigating Azure Serial Console activity on Azure Linux virtual machines. While the first blog post discussed various ...
1 year ago Msrc.microsoft.com