Tag: Microsoft 365

  • Hackers Hijack Microsoft 365 Accounts via Legitimate Device Code Flows

    Both financially motivated criminals and state-sponsored groups have begun large-scale use of a technique for taking over Microsoft 365 accounts without stealing a password: the victim is tricked into authorising the attacker's access through Microsoft's own, legitimate authorization flow. The lures arrive as links, QR codes and fake notifications about sensitive documents, bonuses or security verifications.

    Proofpoint analysts report a sharp rise in such campaigns since September 2025. Device-code phishing was previously rare and mostly reserved for targeted operations; the technique is now used by several groups, including the financially motivated TA2723 and suspected Chinese espionage actors.

    The attack abuses the OAuth 2.0 device authorization grant (the "device code flow", RFC 8628), which Microsoft supports so that devices with limited input, such as smart TVs and consoles, can sign a user in. In the legitimate flow the application requests a code pair from Microsoft: a short user code that it displays, and a device code that it keeps. The user types the user code into the official portal at microsoft.com/devicelogin, signs in (MFA included) and approves the request. Meanwhile the application polls Microsoft's token endpoint with its device code and receives access and refresh tokens once the user has approved. The security-relevant detail is that the tokens are issued to whichever application requested the code pair; the portal shows the user only that application's name.

    Attackers invert who requests the code. The victim receives an email with a link, button or QR code dressed up as a notice about a corporate bonus, employee benefits or a mandatory re-authorisation. The link leads to an attacker-controlled page that, behind the scenes, requests a fresh code pair from Microsoft using the attacker's client, shows the victim the user code, and instructs them to enter it on the genuine Microsoft portal. Because user codes are short-lived, the page urges immediate action. Once the victim signs in and approves, the attacker's polling client receives the tokens and with them control of the account, without a password ever being typed anywhere the attacker can see it.
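    The exchange described above, as an added example that is not part of the original article and not Microsoft's implementation: an in-memory stand-in for the /devicecode, /devicelogin and /token endpoints, with the attacker's client requesting the code pair and the victim approving it at the "portal". The server, code formats, client name and user name are constructed. The point it makes runnable is that the tokens go to the client that polls with the device code, regardless of who entered the user code.

```python
"""Device authorization grant (RFC 8628) simulated end to end.

Added example: the authorization server, code formats and tokens below are
constructed stand-ins for login.microsoftonline.com and microsoft.com/devicelogin,
not Microsoft's implementation. It shows the property the attack relies on: the
tokens are issued to the client that requested the code pair, whoever entered
the user code at the portal."""
import secrets

AUTHORIZATION_PENDING = "authorization_pending"
EXPIRED_TOKEN = "expired_token"


class MockAuthServer:
    """Stand-in for the /devicecode, /devicelogin and /token endpoints."""

    def __init__(self, code_lifetime=900):
        self.code_lifetime = code_lifetime  # user codes are short-lived (seconds)
        self.grants = {}                    # device_code -> grant state

    def device_authorization(self, client_id, scope, now):
        """POST /devicecode. The *client* asks for a code pair: the user_code is
        what gets shown to a human, the device_code stays with the requester."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()  # constructed code format
        self.grants[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": now + self.code_lifetime, "authorized_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.code_lifetime, "interval": 5}

    def user_login(self, user_code, username, now):
        """The portal step: a human types a user code and signs in. Nothing ties
        that human to the client that requested the code."""
        for grant in self.grants.values():
            if grant["user_code"] == user_code and grant["expires_at"] > now:
                grant["authorized_by"] = username
                return True
        return False

    def token(self, client_id, device_code, now):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code,
        polled by the requester until the user approves or the code expires."""
        grant = self.grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if grant["expires_at"] <= now:
            return {"error": EXPIRED_TOKEN}
        if grant["authorized_by"] is None:
            return {"error": AUTHORIZATION_PENDING}
        return {"token_type": "Bearer", "scope": grant["scope"],
                "access_token": f"tok-{grant['authorized_by']}-{secrets.token_hex(8)}",
                "refresh_token": secrets.token_urlsafe(16)}


def run_phish(server, attacker_client_id, victim_upn):
    """Attacker requests the code pair, victim enters the user code at the real
    portal, attacker's next poll receives the victim's tokens."""
    t0 = 0
    pair = server.device_authorization(attacker_client_id, "openid offline_access", t0)
    # The lure page displays pair["user_code"] and links to verification_uri.
    first_poll = server.token(attacker_client_id, pair["device_code"], t0 + 5)
    # The victim, on the genuine portal, completes password + MFA as themselves.
    server.user_login(pair["user_code"], victim_upn, t0 + 60)
    second_poll = server.token(attacker_client_id, pair["device_code"], t0 + 65)
    return first_poll, second_poll


def run_expired(server, client_id):
    """If the victim never enters the code in time, polling yields expired_token."""
    pair = server.device_authorization(client_id, "openid", 0)
    return server.token(client_id, pair["device_code"], server.code_lifetime + 1)


if __name__ == "__main__":
    srv = MockAuthServer()
    pending, granted = run_phish(srv, "attacker-client", "alice@contoso.example")
    print(pending)                     # {'error': 'authorization_pending'}
    print(granted["access_token"])     # token minted for alice, held by the attacker
    print(run_expired(srv, "attacker-client"))
```

    The refresh token in the second poll is what makes the compromise durable: it outlives the user's browser session and is not affected by the victim later closing the portal tab. The expiry branch is the reason the lure pages push the victim to act immediately.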

    One prominent campaign used the subject line "Salary Bonus + Employer Benefits Reports 25," promising recipients a document detailing financial incentives. The embedded link led to a malicious site styled as the recipient's own corporate portal. After entering their email address, the visitor was shown a "multi-factor authentication code" and sent on to microsoft.com/devicelogin. Submitting the code there handed control of the Microsoft 365 account to the attackers.

    TA2723 ran a parallel scheme in October 2025, targeting individuals with notices about a supposedly updated payroll statement. Clicking the document link sent the user to a code-generation page and then on to the official Microsoft service, where entering the code completed the compromise.

    To orchestrate these offensives, adversaries leverage sophisticated toolkits such as SquarePhish2 and Graphish. The former automates phishing campaigns involving QR codes and Microsoft device authorization flows, while the latter facilitates the creation of deceptive login pages and session interception via reverse proxies.

    Proofpoint is particularly concerned about growing use of the technique by state-aligned groups. Since January 2025 its analysts have documented numerous espionage campaigns using device-code phishing. One cluster, tracked as UNK_AcademicFlare, has since September 2025 used compromised government and military mailboxes to target universities, think tanks and logistics firms in the United States and Europe. Initial contact is benign professional correspondence, followed by a link to a fake OneDrive page hosted on Cloudflare Workers, where the victim is asked to copy a code and authorise access through the official Microsoft portal.

    After a successful compromise the attacker holds access and refresh tokens that give full access to the victim's mailbox and Microsoft 365 data, enabling document theft, lateral movement and further phishing sent from the compromised identity. Proofpoint expects the technique to keep growing as organisations move to passwordless and FIDO-based authentication, because it sidesteps the credential entirely. Recommended controls: block the device code flow wherever it is not needed (Entra Conditional Access can target it specifically through its authentication flows condition), require compliant or registered devices for sign-in, and train staff never to enter an authorization code that arrived in an unsolicited message. In the Entra sign-in logs the flow is recorded under its own authentication protocol value, so successful device-code sign-ins from unexpected locations or applications are worth alerting on.

  • EvilMist: The Ultimate Swiss Army Knife for Azure and Entra ID Red Teaming

    EvilMist is a collection of scripts and utilities designed to support cloud security configuration audits, cloud penetration testing and cloud red teaming. The toolkit helps identify misconfigurations, assess privilege-escalation paths and simulate attack techniques. EvilMist aims to streamline cloud-focused red-team workflows and improve the overall security posture of cloud infrastructures.

    Tools

    Unauthenticated Entra ID Enumeration

    Unauthenticated Azure/Entra ID enumeration and reconnaissance tool. Performs passive/semi-passive enumeration using publicly accessible APIs and DNS queries without requiring any authentication tokens.

    Key Features:

    • No Authentication Required – Works without Azure tokens or credentials
    • Tenant Discovery – Retrieve tenant ID, name, region via azmap.dev and OpenID config
    • Domain Realm Analysis – Identify Managed vs Federated authentication
    • User Existence Checking – Verify email addresses via GetCredentialType API
    • DNS Reconnaissance – Enumerate MX, SPF, TXT, CNAME, SRV, Autodiscover records
    • Port Scanning – Check common Azure ports (HTTPS, LDAP, Kerberos, RDP)
    • Stealth Mode – Configurable delays and jitter to avoid rate limiting
    • Export Options – JSON and CSV export formats
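    The three unauthenticated checks that do most of the work in a tool like this (tenant discovery from the OpenID configuration document, managed-vs-federated realm lookup, and user existence via GetCredentialType), rebuilt as an added example. This is not EvilMist's code. The endpoint URLs and response field names are Microsoft's public ones; the tenant, domain, user names and sample responses are constructed, and the fetcher is injected so the logic runs offline. Use the live fetcher only against tenants you are authorised to test, and respect the ThrottleStatus signal.

```python
"""Unauthenticated Entra ID reconnaissance, rebuilt as an added example.

This is not EvilMist's code. The endpoint URLs and response field names are the
public Microsoft ones such tools rely on; the sample responses and the
tenant/user names are constructed so the logic runs offline. Point `fetch_json`
at a tenant only when you are authorised to test it."""
import json
import re
import urllib.request

LOGIN = "https://login.microsoftonline.com"

# IfExistsResult values from GetCredentialType: 0 exists, 1 does not exist,
# 5 and 6 are "exists" variants (different or multiple identity providers).
IF_EXISTS = {0: "exists", 1: "does not exist", 5: "exists", 6: "exists"}


def fetch_json(url, body=None):
    """Live fetcher; GET when body is None, JSON POST otherwise."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def tenant_info(domain, fetch=fetch_json):
    """Tenant ID and region from the OpenID configuration document, which any
    verified domain resolves to without credentials."""
    cfg = fetch(f"{LOGIN}/{domain}/v2.0/.well-known/openid-configuration")
    match = re.search(r"/([0-9a-f-]{36})/", cfg.get("issuer", ""))
    return {"tenant_id": match.group(1) if match else None,
            "region": cfg.get("tenant_region_scope")}


def realm_info(upn, fetch=fetch_json):
    """Managed vs Federated decides where a password is actually verified."""
    realm = fetch(f"{LOGIN}/getuserrealm.srf?login={upn}&json=1")
    return {"namespace": realm.get("NameSpaceType"),
            "federation_url": realm.get("AuthURL")}


def user_exists(upn, fetch=fetch_json):
    """GetCredentialType answers 'does this UPN exist' with no token at all."""
    reply = fetch(f"{LOGIN}/common/GetCredentialType", {"Username": upn})
    if reply.get("ThrottleStatus", 0) == 1:
        return "throttled"  # back off: the endpoint rate-limits enumeration
    return IF_EXISTS.get(reply.get("IfExistsResult"), "unknown")


def recon(domain, candidates, fetch=fetch_json):
    """One pass over a domain and a candidate user list."""
    report = tenant_info(domain, fetch)
    report["realm"] = realm_info(f"probe@{domain}", fetch)
    report["users"] = {u: user_exists(u, fetch) for u in candidates}
    return report


# Constructed responses standing in for the live endpoints.
CONSTRUCTED = {
    "openid-configuration": {
        "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
        "tenant_region_scope": "EU"},
    "getuserrealm": {"NameSpaceType": "Managed", "FederationBrandName": "Contoso"},
    "GetCredentialType": {
        "alice@contoso.example": {"IfExistsResult": 0, "ThrottleStatus": 0},
        "nobody@contoso.example": {"IfExistsResult": 1, "ThrottleStatus": 0}},
}


def offline_fetch(url, body=None):
    """Routes requests to the constructed responses above."""
    for key, value in CONSTRUCTED.items():
        if key in url:
            return value[body["Username"]] if key == "GetCredentialType" else value
    raise ValueError(f"no constructed response for {url}")


if __name__ == "__main__":
    print(json.dumps(recon("contoso.example",
                           ["alice@contoso.example", "nobody@contoso.example"],
                           offline_fetch), indent=2))
```

    On the defensive side, the same three endpoints are why a tenant's existence, its region and the managed/federated split cannot be hidden; what can be controlled is the rate and source of GetCredentialType probes, which is where the stealth-mode delays in the tool above come from.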

    Enumerate-EntraUsers

    Comprehensive Microsoft Entra ID (formerly Azure AD) user enumeration and security assessment tool, available in both PowerShell and Python versions.

    Key Features:

    • 15+ User Enumeration Methods – Works even when direct /users access is blocked
    • Security Assessment – MFA status, privileged roles, stale accounts, guest users
    • Credential Attack Surface – SSPR, legacy auth, app passwords analysis
    • Conditional Access Analysis – Policy enumeration and gap detection
    • Device & Intune Enumeration – Managed devices, compliance policies
    • Attack Path Analysis – Privilege escalation paths and lateral movement
    • Power Platform – Power Apps and Power Automate flow enumeration
    • Export Options – BloodHound/AzureHound JSON, HTML reports, CSV/JSON
    • Stealth Mode – Configurable delays and jitter to avoid detection

    MFA Security Check

    Focused security assessment tool to identify Microsoft Entra ID users without Multi-Factor Authentication (MFA) enabled. Includes advanced features for shared mailbox detection and sign-in activity analysis.

    Key Features:

    • MFA Detection – Identifies users without strong authentication methods
    • Last Sign-In Tracking – Shows last login date/time and activity patterns
    • Shared Mailbox Detection – Automatically identifies and filters shared mailbox accounts
    • Sign-In Capability Check – Determines if accounts can actually authenticate
    • Risk Assessment – Categorizes users by risk level (HIGH/MEDIUM/LOW)
    • Activity Analytics – Sign-in statistics, department breakdowns, stale accounts
    • Matrix View – Compact table format for quick visual scanning
    • Export Options – CSV/JSON with comprehensive user details
    • Stealth Mode – Configurable delays and jitter to avoid detection

    Guest Account Enumeration

    Comprehensive guest account analysis tool to identify, analyze, and assess the security posture of external users in Microsoft Entra ID. Essential for guest access governance and security audits.

    Key Features:

    • Guest Account Discovery – Enumerate all guest users in the tenant
    • MFA Status Detection – Identify guests without Multi-Factor Authentication
    • Last Sign-In Tracking – Shows login date/time and activity patterns for guests
    • Guest Domain Extraction – Identifies originating organizations of guest users
    • Invite Status Tracking – Shows accepted, pending, or expired invitations
    • Risk Assessment – Categorizes guests by risk level (HIGH/MEDIUM/LOW)
    • Activity Analytics – Sign-in statistics, stale accounts, unused invites
    • Matrix View – Compact table format for quick visual scanning
    • Filtering Options – Show only guests without MFA or include disabled accounts
    • Export Options – CSV/JSON with comprehensive guest details
    • Stealth Mode – Configurable delays and jitter to avoid detection

    Critical Administrative Access Check

    Comprehensive security assessment tool to identify Microsoft Entra ID users with access to 10 critical administrative applications, including PowerShell tools, management portals, core Microsoft 365 services, and privileged identity management. Essential for privileged access governance and administrative tool auditing.

    Key Features:

    • Critical Access Discovery – Enumerate users with administrative application access across all tiers
    • Explicit Assignment Focus – Shows users with elevated/administrative access (not basic user access)
    • Default Access Detection – Automatically detects and warns about apps with default access
    • Security-Focused Results – Filters out noise from basic user access to focus on privileged users
    • Multiple Application Coverage – Tracks 10 critical apps: Azure/AD PowerShell, Azure CLI, Graph Tools, M365/Azure Portals, Exchange/SharePoint Online, and PIM
    • MFA Status Detection – Identify privileged users without Multi-Factor Authentication
    • Last Sign-In Tracking – Shows login date/time and activity patterns
    • Assignment Tracking – Shows when users were granted management access
    • Risk Assessment – Categorizes users by risk level (HIGH/MEDIUM/LOW)
    • Activity Analytics – Sign-in statistics, stale accounts, inactive users
    • Matrix View – Compact table format for quick visual scanning
    • Filtering Options – Show only users without MFA or include disabled accounts
    • Export Options – CSV/JSON with comprehensive access details
    • Stealth Mode – Configurable delays and jitter to avoid detection


  • The Serverless Spectre: How TokenFlare is Redefining M365 Phishing with Built-In Intune Bypasses

    TokenFlare

    Serverless AITM Phishing Simulation Framework for Entra ID / M365

    Features

    • Lean: the core logic lives in src/worker.js, only ~530 lines of JavaScript.
    • Modular: supports a number of OAuth flows, with Intune Conditional Access bypass support out of the box.
    • Easily tweaked: set up client branding, URL structure (custom lure path and parameter), the final redirect after completing auth, and more, with the semi-interactive tokenflare configure campaign subcommand.
    • Local or remote deployment: gets SSL certs with Certbot for you, or deploys to Cloudflare directly.
    • Built-in OpSec: bot and scraper blocking, so your campaign won't be burnt in 10 minutes.
    • Fast: working, production-ready infra within minutes.

    Advanced Use Cases & Future Development

    TokenFlare is under active development. Current and planned features include:

    • Better campaign management: more commands for existing infra, for example infra cf list and infra cf remove <worker>.
    • Token redemption: support for the /oauth2/v2.0/token endpoint, exchanging authorization codes for access and refresh tokens (WIP).
    • Passkey downgrade attacks: Techniques for environments with FIDO2/passkey requirements
    • Turnstile/reCAPTCHA integration: For scenarios requiring additional bot protection
    • Static HTML responses: Custom landing pages before or after the Auth is complete, for if you’d not want to redirect the user away.
    • Entra Terms of Use bypass: For environments with ToU acceptance requirements

    How TokenFlare Works

    (Figure: TokenFlare phishing framework)

    The core concept is straightforward:

    1. User clicks your lure URL and hits the TokenFlare Worker, which runs the 530 lines of JavaScript in worker.js
    2. Worker initiates an OAuth2 authorization flow against login.microsoftonline.com
    3. User sees Microsoft’s legitimate login page (with your client branding if configured)
    4. User enters credentials and completes MFA
    5. Microsoft returns session cookies (ESTSAUTH, ESTSAUTHPERSISTENT) to the Worker
    6. Worker captures and forwards credentials/cookies to your webhook
    7. User is redirected to a legitimate destination (e.g., the real SharePoint site they expected)

    All the TLS, routing, and edge infrastructure is handled by Cloudflare. Your Worker is just ~530 lines of JavaScript focused on the proxy logic and credential interception. The flip side for defenders is that the sign-in Microsoft records is made by the Worker, so its source address belongs to Cloudflare's network rather than to the victim.
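    Two hunting checks that follow from the seven steps above, as an added example that is not TokenFlare's code or Microsoft's detection logic: an interactive, MFA-satisfied sign-in whose source network is an edge/hosting provider (the proxy signed in, not the user), and a session that was established from one address and then used from another within a short window (the captured cookies being replayed). The record fields are modelled on the Entra ID sign-in log, with MFA outcome simplified to one boolean; the sign-in records, users, addresses and the non-Cloudflare AS numbers are constructed. Cloudflare's AS number is the real one.

```python
"""Hunting for the footprint of a proxy-based AiTM phish in Entra sign-in data.

Added example, not TokenFlare's code. The record fields are modelled on the
Entra ID sign-in log (userPrincipalName, ipAddress, autonomousSystemNumber,
isInteractive, sessionId) with the MFA outcome simplified to `mfaSatisfied`;
the log records themselves are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Edge/hosting networks a human user should not be signing in from. AS13335 is
# Cloudflare, the relevant one for a Workers-hosted proxy; extend as needed.
EDGE_ASNS = {13335: "Cloudflare"}

# Constructed sign-in records in the shape Graph returns them.
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-11-03T09:01:10Z",
     "ipAddress": "104.16.1.1", "autonomousSystemNumber": 13335, "isInteractive": True,
     "sessionId": "S-A1", "mfaSatisfied": True, "appDisplayName": "Office 365 SharePoint Online"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-11-03T09:04:42Z",
     "ipAddress": "203.0.113.50", "autonomousSystemNumber": 64500, "isInteractive": False,
     "sessionId": "S-A1", "mfaSatisfied": False, "appDisplayName": "Microsoft Graph"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-11-03T08:30:00Z",
     "ipAddress": "198.51.100.7", "autonomousSystemNumber": 64496, "isInteractive": True,
     "sessionId": "S-B1", "mfaSatisfied": True, "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-11-03T10:15:00Z",
     "ipAddress": "198.51.100.7", "autonomousSystemNumber": 64496, "isInteractive": False,
     "sessionId": "S-B1", "mfaSatisfied": False, "appDisplayName": "Microsoft Teams"},
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_aitm_indicators(signins, window=timedelta(hours=8)):
    """Returns (kind, upn, detail) tuples; an empty list means nothing suspicious."""
    findings = []
    # Tell 1: the MFA-passing interactive sign-in came from the proxy's network.
    for s in signins:
        if s["isInteractive"] and s["mfaSatisfied"] and s["autonomousSystemNumber"] in EDGE_ASNS:
            findings.append(("mfa_signin_from_edge_network", s["userPrincipalName"],
                             f"{s['ipAddress']} ({EDGE_ASNS[s['autonomousSystemNumber']]})"))
    # Tell 2: the session those cookies belong to is used from a different IP.
    by_session = defaultdict(list)
    for s in signins:
        by_session[(s["userPrincipalName"], s["sessionId"])].append(s)
    for (upn, sid), events in by_session.items():
        events = sorted(events, key=_ts)
        origin = events[0]
        for later in events[1:]:
            if later["ipAddress"] != origin["ipAddress"] and _ts(later) - _ts(origin) <= window:
                findings.append(("session_reused_from_new_ip", upn,
                                 f"{sid}: {origin['ipAddress']} -> {later['ipAddress']}"))
                break
    return findings


if __name__ == "__main__":
    for kind, upn, detail in find_aitm_indicators(SIGNINS):
        print(f"{kind:32} {upn:24} {detail}")
```

    Neither check depends on the lure domain, which is the part the attacker rotates; both depend on the architecture, which is the part they cannot change. The session check needs tuning for legitimate roaming (mobile carriers, VPN egress changes), so in practice it is scored together with the first tell rather than alerted on alone.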


  • Office Under Siege: Microsoft Rushes Emergency Fix for Active Zero-Day

    Microsoft has issued an out-of-band security update for Microsoft Office to fix a zero-day vulnerability that is being exploited in the wild. The flaw allows an attacker to bypass built-in security protections with a crafted document; opening the file is enough to trigger it.

    The vulnerability, designated as CVE-2026-21509, affects Microsoft Office 2016, 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise. According to the corporation, remedies are already accessible for the most recent iterations of Office, while users of Office 2021 and subsequent builds will receive automatic protection upon restarting their applications. Conversely, updates for Office 2016 and 2019 are presently outstanding and are expected to be released imminently.

    The defect lies in the security controls around COM and OLE components. An attacker only needs to deliver a malicious file and persuade the victim to open it, so the attack vector is local rather than remote. Microsoft notes that the Preview Pane is not an attack vector; the risk is the user opening the file directly.

    For those utilizing Office 2016 and 2019, the company has prescribed temporary mitigation strategies involving Windows Registry modifications, which are intended to diminish the risk of exploitation until official patches are finalized. Microsoft has refrained from disclosing specific details regarding the discovery of the vulnerability or the technical particulars of the ongoing assaults. This incident occurs amidst a broader surge of emergency updates in January 2026, during which Microsoft has addressed scores of other vulnerabilities, including several actively exploited zero-day flaws.

  • The Insider Threat: How Tycoon 2FA Bypasses Microsoft 365 MFA via Spoofing

    Occasionally, the most perilous phishing missives appear as though they were dispatched by a colleague in the adjacent office. This is precisely the strategy currently favored by adversaries who have mastered the art of circumventing security protocols within specific Microsoft 365 mail configurations, enabling them to disseminate emails that appear internal and bear the organization’s own domain.

    According to Microsoft Threat Intelligence, attackers exploit complex mail routing and weak anti-spoofing configuration. The gap typically arises when a domain's MX record does not point directly at Microsoft 365 but at an on-premises Exchange server or a third-party gateway that relays mail into the cloud. On that intermediate hop spoof checks may be relaxed, so a message with a forged sender in the victim's own domain passes through and the recipient sees what looks like internal mail, sometimes with the same address in both the To and From fields.

    Microsoft has observed an escalation in this tactic since May 2025 across opportunistic campaigns targeting diverse industries. Most frequently, these mass mailings redirect victims to credential-harvesting pages and are associated with Phishing-as-a-Service (PhaaS) platforms—most notably the Tycoon 2FA toolkit. In October 2025 alone, Microsoft intercepted over 13 million malicious emails linked to Tycoon 2FA. These platforms lower the barrier for criminals by providing ready-made templates, infrastructure, and “Adversary-in-the-Middle” (AitM) mechanisms designed to subvert multi-factor authentication.

    The lures employed are impeccably mundane and plausible within a corporate context: notifications of voicemails, shared documents, human resources updates, or password expiration alerts. Microsoft further details sophisticated financial ruses where forged emails coerce employees into settling fictitious invoices. These messages may be presented as a continuation of a thread involving the “CEO,” “Accounting,” or a “Contractor,” bolstered by convincing attachments such as high-value fraudulent invoices, W-9 forms, and counterfeit bank confirmations.

    While the repercussions of “successful” phishing are predictable, they remain devastating: exfiltrated credentials, the compromise of sensitive documents, and Business Email Compromise (BEC) resulting in substantial financial attrition. Notably, Microsoft emphasizes that if a domain’s MX record points directly to Office 365, this particular routing-based spoofing scheme is rendered ineffective.

    To close the gap, Microsoft recommends hardening the basics of mail authentication and routing: publish a DMARC policy of p=reject, end the SPF record with -all (hard fail) rather than ~all, and audit inbound connectors for third-party anti-spam or archiving services so that relayed mail is still subjected to spoof checks. Microsoft also advises disabling Direct Send unless it is strictly required (Exchange Online exposes a tenant-level setting to reject it), since Direct Send lets unauthenticated senders deliver mail that appears to come from the organisation's own domain.
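    A small linter for the three settings just listed, added here as an example and not Microsoft's tooling: it classifies the MX routing (direct to Exchange Online Protection or via a relay), grades the SPF record's terminal qualifier and lookup count, and checks the DMARC policy, subdomain policy, percentage and reporting address. The mail.protection.outlook.com MX suffix is the real Exchange Online Protection one; the three zones are constructed to show a hardened domain, a relayed domain with soft policies, and a domain with nothing published.

```python
"""Linting the mail-authentication posture Microsoft asks for above.

Added example, not Microsoft's tooling. Records are parsed from the strings as
DNS returns them; the three sample zones are constructed. The MX check uses the
real Exchange Online Protection suffix mail.protection.outlook.com."""
import re

EOP_MX_SUFFIX = ".mail.protection.outlook.com"
LOOKUP_TERM = re.compile(r"[+\-~?]?(include|a|mx|redirect|exists|ptr)(?![a-z])")


def check_spf(record):
    """Only a record ending in -all makes unauthorised sources hard-fail."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record published, any host can claim the domain"]
    terms = record.split()
    tail = terms[-1].lower()
    issues = []
    if tail == "~all":
        issues.append("SPF: ends in ~all (softfail); receivers often still deliver, use -all")
    elif tail in ("?all", "+all"):
        issues.append(f"SPF: ends in {tail}, which authorises everyone; use -all")
    elif tail != "-all":
        issues.append("SPF: no 'all' qualifier at the end; add -all")
    lookups = sum(bool(LOOKUP_TERM.match(t.lower())) for t in terms[1:])
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return issues


def check_dmarc(record):
    """p=reject on the domain and its subdomains, applied to all mail, with reporting."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no record; spoofed mail is not rejected"]
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    issues = []
    policy = tags.get("p", "none")
    if policy != "reject":
        issues.append(f"DMARC: p={policy}; use p=reject")
    sub_policy = tags.get("sp", policy)
    if sub_policy != "reject":
        issues.append(f"DMARC: subdomain policy sp={sub_policy}; use sp=reject")
    if tags.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("DMARC: no rua reporting address, you will not see spoofing attempts")
    return issues


def check_mx(mx_hosts):
    """Direct-to-EOP routing closes the relay gap; anything else is a hop whose
    inbound connector must still enforce spoof checks."""
    hops = [h.lower().rstrip(".") for h in mx_hosts]
    relays = [h for h in hops if not h.endswith(EOP_MX_SUFFIX)]
    if hops and not relays:
        return []
    return ["MX: inbound mail is relayed via " + (", ".join(relays) or "(no MX)") +
            "; verify the inbound connector and that spoof checks run on this hop"]


def audit(zone):
    return check_mx(zone.get("mx", [])) + check_spf(zone.get("spf")) + check_dmarc(zone.get("dmarc"))


# Constructed zones.
ZONES = {
    "hardened.example": {
        "mx": ["hardened-example.mail.protection.outlook.com."],
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hardened.example"},
    "relayed.example": {
        "mx": ["mx1.gateway-vendor.example."],
        "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.gateway-vendor.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@relayed.example"},
    "unprotected.example": {
        "mx": ["onprem-exchange.unprotected.example."], "spf": None, "dmarc": None},
}

if __name__ == "__main__":
    for name, zone in ZONES.items():
        print(name, audit(zone) or ["OK"])
```

    A relayed MX is not itself a finding; it is the condition under which the connector audit Microsoft mentions becomes mandatory, which is why the MX message points at the connector rather than at DNS.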

  • The Raccoon’s End: Nigerian Police Arrest Mastermind Behind RaccoonO365 PhaaS

    Nigerian authorities have arrested an individual believed to be one of the developers behind RaccoonO365, a phishing-as-a-service platform that enabled criminals to mass-produce fake Microsoft login pages and harvest victims’ usernames and passwords. Acting on intelligence provided by Microsoft, the FBI, and the U.S. Secret Service, police ultimately detained three suspects.

    According to law enforcement, only one of those arrested—Okitipe Samuel—is directly tied to the RaccoonO365 operation. He is described as a key architect of the platform’s phishing infrastructure. Police allege that Samuel ran a Telegram channel through which phishing links were sold for cryptocurrency and hosted counterfeit login portals on Cloudflare, using email credentials obtained through theft or fraud. Searches conducted during the operation led to the seizure of laptops, mobile phones, and other digital devices believed to be connected to the scheme.

    RaccoonO365 was marketed as a “phishing subscription” service. For roughly $365 per month, cybercriminals gained access to tools that allowed them to create branded Microsoft campaigns—complete with fake emails, attachments, and websites—designed to lure victims to fraudulent Microsoft Office 365 login pages. The service was used to target corporate, financial, and educational organizations, and its creators even promised methods for bypassing multi-factor authentication, enabling attackers not merely to steal passwords but to maintain long-term access to compromised systems.

    A typical attack chain unfolded as follows: victims received an email containing an attachment with a link or QR code. Clicking it led to a page featuring a CAPTCHA, after which the victim was redirected to a counterfeit Microsoft O365 login page where credentials were captured. Nigerian police say such campaigns paved the way for business email compromise, data breaches, and significant financial losses.

    As early as September, Microsoft secured a court order authorizing the seizure of 338 websites linked to RaccoonO365. Around the same time, Cloudflare announced that it had disabled hundreds of domains and accounts used by the group. In campaigns observed by Cloudflare, the attackers impersonated not only Microsoft but also brands such as Adobe, Maersk, and DocuSign. According to Microsoft’s Digital Crimes Unit, RaccoonO365 kits were used to steal at least 5,000 Microsoft account credentials across 94 countries.

    Microsoft has previously identified another Nigerian national, Joshua Ogundepe, as the principal driving force behind RaccoonO365, alleging that he wrote much of the code and delegated various functions to accomplices—from development and sales to customer support for fellow cybercriminals.

    The company has submitted evidence to international law enforcement seeking Ogundepe’s prosecution, though his current whereabouts remain unknown. Microsoft has also claimed that participants in the scheme earned at least $100,000, and that the Telegram channel used to promote the service attracted roughly 850 members.

  • Forced AI Upgrade: Australia Sues Microsoft Over Hidden 365 Fees

    Microsoft has become the defendant in a lawsuit filed by the Australian Competition and Consumer Commission (ACCC), which accuses the company of misleading millions of users by effectively forcing them to migrate to more expensive Microsoft 365 plans integrated with Copilot AI, without offering an option to decline the new feature.

    In Australia, subscription prices reportedly rose by nearly 45%, while users were not provided with a Copilot-free alternative. According to the ACCC, Microsoft concealed the existence of cheaper plans and failed to mention them in emails or notifications. Information about retaining the previous pricing was available only on the cancellation screen—a point at which most users had already decided to renew.

    The price increase affected approximately 2.7 million subscribers, raising the annual cost from A$109 to A$159 (roughly US$72 to US$104). Should the court rule against Microsoft, the company could face a fine of up to A$50 million (around US$33 million).

    ACCC Chair Gina Cass-Gottlieb stated that the company had deliberately withheld information about legacy plans to drive users toward more expensive, AI-enabled subscriptions. The Commission has demanded that Microsoft refund overcharged customers and ensure greater transparency in future communications.

    In response, Microsoft affirmed that it “values user trust and transparency” and intends to cooperate with regulators. The case marks one of the first instances in which a major technology corporation has been accused of coercively integrating artificial intelligence features in a manner that directly impacts subscription costs for millions of consumers.

  • Jingle Thief: Cloud-Native Fraud Ring Steals Millions via Microsoft 365 Gift Cards

    The Unit 42 team at Palo Alto Networks has released an in-depth investigation into a new international cybercrime campaign driven by financially motivated actors, codenamed Jingle Thief. Operating out of Morocco, the group specializes in large-scale gift card fraud that intensifies ahead of the holiday season. Its primary targets are major global retailers and consumer service enterprises relying on cloud-based platforms, particularly Microsoft 365.

    According to Unit 42, the activity cluster designated CL-CRI-1032 is highly likely linked to the threat actors previously tracked as Atlas Lion and STORM-0539. This group is distinguished by its exceptional persistence within victim environments—maintaining access to corporate clouds for over a year in some cases, carefully studying internal processes and hierarchies to escalate privileges. In the spring of 2025, Jingle Thief conducted a series of coordinated intrusions against multiple international corporations simultaneously.

    Following phishing or smishing campaigns, the attackers gained access to Microsoft 365 via stolen credentials and began reconnaissance activities. They explored SharePoint and OneDrive repositories for documents related to gift card issuance, financial workflows, and internal procedures, while also connecting to Exchange and Entra ID. Notably, the group refrained from deploying malware or infecting endpoints—instead, all operations occurred entirely within the cloud, leveraging legitimate services.

    Subsequent stages involved the distribution of internal phishing notifications, enabling further account compromise. These messages imitated ServiceNow alerts, IT department requests, or inactivity warnings, directing recipients to counterfeit Microsoft 365 login pages styled to match the organization’s branding. This allowed the attackers to silently expand their foothold, compromising dozens of accounts and maintaining visibility into corporate communications.

    One of their key techniques was the creation of hidden email forwarding rules that sent messages to external addresses, enabling passive surveillance of communications regarding the issuance and approval of gift cards. To cover their tracks, the attackers automatically moved sent phishing emails and user replies to the Deleted Items folder, preventing staff from noticing any irregular activity.

    For long-term persistence, the group registered its own devices in Entra ID, added its own authenticator apps as MFA methods on compromised accounts, and changed passwords through the legitimate self-service password reset flow. Access therefore survived password resets and session revocation. Once entrenched, Jingle Thief turned to its main objective: issuing high-value gift cards, which were quickly resold or used for money laundering.

    Gift cards have become an appealing target due to their minimal personal data requirements, difficulty of transaction tracing, widespread corporate usage, and weak internal oversight. On underground markets, such cards are sold at a discount, allowing criminals to quickly monetize stolen assets. Unit 42 observed that in one case, the attackers controlled over sixty corporate accounts within a single global enterprise for nearly ten months, attempting to mass-issue premium gift cards across several loyalty programs.

    All identified connections originated from Moroccan IP address ranges associated with MT-MPLS, ASMedi, and MAROCCONNECT. While the group occasionally used Mysterium VPN, it often connected directly—further confirming its geographic origin. Recurrent domain naming patterns and URL structures also point to a unified Moroccan infrastructure.

    The Jingle Thief campaign underscores the growing threat of cloud-native attacks, where adversaries exploit legitimate platform functionality rather than compromising endpoints. Such tactics make detection exceedingly difficult and allow intrusions to persist undetected for months.

    Unit 42 experts emphasize that defending against these tactics requires continuous behavioral monitoring, analysis of unusual logins and policy changes, and a shift toward identity-centric security. In modern cybersecurity, it is the digital identity—not the network perimeter—that now defines the true boundary of protection.