OAuth Device Code Phishing Grants 90-Day M365 Access

◆ DEEP DIVES

1. 01

   Your M365 Tenant Is One AI Phishing Email From a 90-Day, MFA-Invisible Compromise

   <h3>The Attack Chain Your Controls Can't See</h3><p>An active phishing campaign is exploiting a <strong>structural gap in Microsoft's authentication architecture</strong>: the OAuth device code flow. Originally designed for input-constrained devices like smart TVs and IoT hardware, this flow is <strong>enabled by default for all users</strong> in most Entra ID configurations. Attackers have turned it into a full MFA bypass.</p><p>The attack works like this: AI-generated phishing emails — using <strong>QR codes, file-share links, and highly varied lures</strong> — direct victims to initiate a Microsoft device authentication flow. The attacker captures the resulting OAuth token, which grants <strong>persistent access for up to 90 days</strong> without requiring the victim's password or triggering any MFA challenge. The phishing infrastructure runs on Railway, a legitimate cloud PaaS, so URLs pass reputation-based email filters.</p><blockquote>This attack succeeds after your email filter, after your MFA — at the identity layer where most organizations have the least detection coverage.</blockquote><h4>Why Traditional Detection Fails</h4><table><thead><tr><th>Detection Method</th><th>Effectiveness</th><th>Why It Fails</th></tr></thead><tbody><tr><td>Email signature/pattern matching</td><td>Low</td><td>AI-generated lures with high variability defeat pattern matching</td></tr><tr><td>URL reputation filtering</td><td>Low</td><td>Railway PaaS domains are initially reputation-neutral</td></tr><tr><td>MFA enforcement</td><td>None</td><td>Device code flow sidesteps MFA entirely by design</td></tr><tr><td>Failed login alerting</td><td>None</td><td>No failed logins occur — token grant is clean</td></tr><tr><td>Standard identity monitoring</td><td>Low</td><td>Token usage looks like legitimate API access</td></tr></tbody></table><p>Hundreds of businesses are already compromised. Huntress pushed emergency conditional access policy updates to <strong>tens of thousands of tenants</strong>. If you haven't taken equivalent action, you're exposed.</p><h4>The Broader Pattern</h4><p>This campaign is a proof point for a <strong>structural shift in cybercrime</strong>. The combination of generative AI for high-variability lure generation at scale, easy-to-deploy cloud platforms for disposable infrastructure, and authentication protocol design gaps creates an operating model that will produce increasingly diverse, increasingly evasive attacks. Your defensive architecture needs to shift from pattern-matching at the perimeter to <strong>behavioral analysis at the identity and data layers</strong>.</p>

   Action items

   • Block device code authentication flow in Entra ID conditional access policies for all users except explicitly exempted service accounts — this is a single-policy change with the highest ROI available today
   • Query Entra ID sign-in logs for 'deviceCode' grant type over the past 90 days; investigate anomalous locations, bulk mailbox access, and new forwarding rules
   • Add railway.app and associated subdomains to email gateway and web proxy blocklists; conduct retroactive email log search for Railway-linked URLs
   • Run a purple team exercise using AI-generated phishing with QR codes and varied templates to measure your SEG's detection rate; if below 80%, procure supplementary behavioral detection

   Sources:Your M365 tenants are being owned via OAuth device auth flow — 90-day tokens, no MFA, AI-generated lures

2. 02

   MuddyWater's Deno Pivot and BYOVD Commodity Attacks: Two New EDR Blind Spots Landing Simultaneously

   <h3>Your Detection Logic Has a Runtime Gap</h3><p>Two independent threat developments converge on the same conclusion: <strong>your EDR's detection logic has exploitable blind spots</strong>, and adversaries at both the nation-state and commodity-crime level are actively targeting them.</p><h4>MuddyWater's Dindoor: Nation-State Detection Evasion</h4><p>Iranian APT MuddyWater deployed <strong>Dindoor</strong>, a backdoor built on the Deno JavaScript runtime, specifically chosen because EDR behavioral signatures are tuned for <strong>PowerShell and Python</strong> — not Deno. The campaign, active in February 2026, targeted a <strong>US financial institution, a US airport, a Canadian non-profit, and an Israeli defense subsidiary</strong>.</p><p>The operational security is deliberate: C2 runs through <strong>Cloudflare-fronted domains</strong>, exfiltration uses <strong>Rclone to Wasabi cloud storage</strong> and Backblaze B2, and staging infrastructure sits on <strong>deno.land</strong> — all legitimate developer/cloud services that blend with normal traffic. Known malicious domains include <strong>uppdatefile[.]com, serialmenot[.]com, and moonzonet[.]com</strong>.</p><blockquote>The absence of static IOCs is a deliberate design choice. By staging infrastructure on commodity cloud services, MuddyWater ensures their traffic blends with legitimate developer and cloud operations traffic.</blockquote><h4>BYOVD EDR Kill in Commodity Campaigns</h4><p>Separately, Huntress documented <strong>tax-themed social engineering campaigns</strong> deploying Bring Your Own Vulnerable Driver (BYOVD) attacks that load kernel-mode drivers to <strong>kill AV and EDR processes</strong>. This technique — previously associated with nation-state actors like Lazarus Group — is now appearing in <strong>everyday phishing campaigns</strong>. A single phishing click can blind your entire detection stack if your EDR lacks kernel-level tamper protection.</p><h4>The Combined Threat Picture</h4><table><thead><tr><th>Attribute</th><th>MuddyWater Dindoor</th><th>BYOVD Commodity Attacks</th></tr></thead><tbody><tr><td><strong>Threat level</strong></td><td>Nation-state (Iran/MOIS)</td><td>Commodity cybercrime</td></tr><tr><td><strong>EDR evasion</strong></td><td>Runtime selection (Deno)</td><td>Kernel-mode driver kills EDR process</td></tr><tr><td><strong>Detection difficulty</strong></td><td>High — no Deno baselines</td><td>Medium — driver loading detectable if monitored</td></tr><tr><td><strong>Targets</strong></td><td>US finance, airport, defense</td><td>Tax-season victims broadly</td></tr><tr><td><strong>MITRE ATT&CK</strong></td><td>T1059, T1566, T1567, T1105</td><td>T1068, T1562.001</td></tr></tbody></table><p>The pattern is unmistakable: adversaries across the sophistication spectrum are engineering around endpoint detection — either by choosing runtimes your signatures don't cover, or by killing the detection agent entirely at the kernel level.</p>

   Action items

   • Add Deno runtime monitoring to EDR/SIEM detection stack: create rules for deno.exe/deno process execution, network connections to deno.land, and outbound traffic to s3.wasabisys.com and Backblaze B2 endpoints
   • Block IOC domains uppdatefile[.]com, serialmenot[.]com, and moonzonet[.]com at DNS and proxy layers
   • Validate EDR tamper protection against BYOVD kernel-mode kill techniques and verify Microsoft Vulnerable Driver Block List is deployed across all Windows endpoints
   • Hunt for Rclone exfiltration patterns across your environment — Rclone to Wasabi or Backblaze B2 is MuddyWater's current exfil method

   Sources:AI Bots Are Hijacking Your CI/CD Supply Chain Right Now — Plus 3 Critical CVEs Demanding Immediate Patches · Your AI stack has no integrity checks: MCP rug pulls, Bedrock hijacks, and a Deno backdoor your EDR won't catch

3. 03

   RSAC 2026 Revealed: Your Endpoint Tools Fail 20% of the Time, Vishing Overtook Email Phishing, and Four Vendors Just Declared Non-Human Identity the New Battleground

   <h3>The Numbers That Should Recalibrate Your Risk Register</h3><p>RSAC 2026 delivered a rare convergence of <strong>quantified operational data</strong> that exposes how wide the gap is between assumed and actual defense posture. These aren't vendor opinions — they're measured benchmarks from production environments and incident data across thousands of organizations.</p><h4>Endpoint Tools Fail More Than You Think</h4><p>New data presented at RSAC shows endpoint security tools <strong>fail approximately 20% of the time</strong>, leaving enterprise devices unprotected for roughly <strong>76 days per year</strong>. Meanwhile, mean patching delay has ballooned to <strong>127 days</strong>. To put this in context: CVE-2026-21992 (the Oracle Identity Manager CVSS 9.8 pre-auth RCE patched this week) at a 127-day average cycle means the median enterprise won't have it patched until <strong>late July 2026</strong> — four months of unauthenticated RCE exposure on identity infrastructure.</p><p>The Langflow precedent makes this worse: CVE-2026-33017 was weaponized in <strong>20 hours from advisory to working exploit</strong>, with full data exfiltration in 25 hours. The era of 127-day patch cycles against 20-hour exploitation timelines is a structural mismatch that cannot be resolved incrementally.</p><h4>Vishing Is Now the Dominant Social Engineering Vector</h4><p>Mandiant's 2025 M-Trends report quantifies a fundamental shift in social engineering:</p><ul><li><strong>Voice phishing (vishing): 11%</strong> of all investigated incidents — the fastest-growing vector</li><li><strong>Email phishing: 6%</strong> — a <strong>73% decline from 22% in 2022</strong></li></ul><p>Vishing is the <strong>hallmark of The Com and Scattered Spider</strong>, the groups behind MGM, Caesars, and Okta breaches. Voice channels lack technical controls equivalent to DMARC/SPF/DKIM for email. Most helpdesks still rely on knowledge-based authentication for phone-initiated identity actions — and that's exactly what these groups exploit.</p><h4>The Non-Human Identity Governance Race</h4><p>Four major announcements at RSAC targeted the same blind spot simultaneously:</p><ul><li><strong>Cisco Duo Agentic Identity</strong> — IAM for AI agents as first-class identities</li><li><strong>Palo Alto Prisma AIRS 3.0</strong> — unified agent, app, identity, and runtime security</li><li><strong>1Password Unified Access</strong> — discovers shadow AI and unmanaged agents</li><li><strong>Cloud Security Alliance CSAI</strong> — nonprofit defining the agentic control plane framework</li></ul><blockquote>When four major players launch competing products in the same week targeting the same gap, that gap is real — and your auditors will notice. Non-human identity governance is moving from 'emerging concern' to 'audit finding' faster than most organizations are prepared for.</blockquote><h4>AI Is Generating Novel Exploits</h4><p>Former Deputy NSA Anne Neuberger and Method Security CEO Sam Jones confirmed at a separate event: <strong>AI crossed a qualitative threshold in 2026</strong>. In 2025, AI accelerated known TTPs. In 2026, AI is generating <em>genuinely novel exploits and attack techniques</em>. Method Security runs autonomous adversary emulation in Fortune 500 production environments — they're seeing this in real conditions. Google has deployed <strong>Gemini agents to process 8-10M dark-web events per day</strong>, signaling AI-driven SOC triage is moving from concept to production scale.</p>

   Action items

   • Pull actual endpoint agent uptime and critical-CVE time-to-patch data from your environment and benchmark against RSAC findings (20% failure, 127-day delay); brief CISO with the gap analysis
   • Implement vishing-resistant helpdesk procedures: eliminate phone-only MFA resets, require callback verification to known employee numbers, and add vishing scenarios to next tabletop exercise
   • Conduct a non-human identity inventory: catalog all service accounts, API keys, AI agents, and automated systems with production data access, classified by sensitivity and last-used timestamp
   • Formalize tiered patching SLAs: ≤24h for pre-auth RCE/CVSS 9+, ≤72h for authenticated RCE/CVSS 7-8.9, ≤14d for remainder; pre-authorize emergency patching authority to skip CAB

   Sources:CVE-2026-21992 demands emergency patching — plus your non-human identity blind spot just became RSAC's top theme · Your AI stack has no integrity checks: MCP rug pulls, Bedrock hijacks, and a Deno backdoor your EDR won't catch · Your M365 tenants are being owned via OAuth device auth flow — 90-day tokens, no MFA, AI-generated lures · AI Is Now Writing Novel Exploits, Not Just Accelerating Old Ones — Your 2025 Threat Model Is Already Stale