Archive for Microsoft

Hackers Target Microsoft Entra Accounts in Device Code Vishing

Posted in Commentary on February 19, 2026 by itnerd

It is being reported that hackers are targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing with voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts.

Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating.

This provides attackers with valid authentication tokens that can be used to access the victim’s account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.

Ensar Seker, CISO at SOCRadar, commented:

“This campaign is significant because it doesn’t break authentication, it abuses it. The OAuth 2.0 Device Authorization flow was designed for usability across limited-input devices, but attackers are now socially engineering users into completing legitimate device login prompts under the guise of IT support or security validation. By leveraging real Microsoft OAuth client IDs instead of malicious apps, adversaries avoid many traditional detection controls. The result is a valid authentication token issued by Microsoft itself, which means no password theft, no MFA bypass exploit, just human manipulation.

“What makes this especially dangerous for enterprises is that many security programs still focus heavily on credential phishing indicators, fake domains, cloned login pages and MFA fatigue. Device code phishing shifts the battlefield into token abuse and session hijacking. Once the attacker has a valid access token tied to Entra ID, they can move laterally into M365, SharePoint, Teams, and potentially pivot toward financial fraud or data exfiltration without triggering obvious alerts.

“If ShinyHunters is indeed involved, it signals continued evolution from traditional data-theft extortion toward identity-centric compromise models. Identity is the new perimeter, and OAuth abuse is becoming a preferred entry point because it blends into normal authentication telemetry.

“From a defensive standpoint, organizations need to restrict or monitor the Device Authorization flow where not required, enforce Conditional Access policies that bind tokens to compliant devices, reduce token lifetimes, enable sign-in risk policies, and implement stronger session monitoring. Security teams should also train employees that legitimate IT will never ask them to manually enter device codes shared over the phone.

“This is not a vulnerability in Microsoft Entra, it’s a design feature being exploited through social engineering. The real lesson is that modern attacks increasingly weaponize legitimate cloud workflows rather than exploit technical flaws.”

This is a very good time to start looking at your Microsoft Entra setup to make sure that you are not vulnerable, because now that this technique is being used by one group of threat actors, it will be used by others soon enough.
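Added here as an example, not code from the post or from SOCRadar: a PowerShell triage that picks out device code flow sign-ins from Microsoft Entra sign-in records, which is the flow Seker recommends restricting or monitoring, and ranks them by whether Conditional Access applied, whether the device is compliant, and whether the country is one the tenant expects. It assumes records in the Microsoft Graph signIn shape; the three records and the $ExpectedCountries value are constructed assumptions so the script runs offline.

```powershell
# Added example, not from the post: triage Microsoft Entra sign-in log records for
# OAuth 2.0 device code flow sign-ins (the flow abused in the campaign above).
# Real records come from Get-MgAuditLogSignIn or a Log Analytics export of SigninLogs;
# the records below are CONSTRUCTED sample data so the script runs offline.
# Property names follow the Microsoft Graph signIn resource.

$sampleSignIns = @'
[
  { "createdDateTime": "2026-02-18T14:02:11Z", "userPrincipalName": "alice@contoso.example",
    "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
    "ipAddress": "203.0.113.10", "conditionalAccessStatus": "notApplied",
    "deviceDetail": { "isCompliant": false, "operatingSystem": "Linux" },
    "location": { "countryOrRegion": "NL" } },
  { "createdDateTime": "2026-02-18T14:05:40Z", "userPrincipalName": "bob@contoso.example",
    "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
    "ipAddress": "198.51.100.7", "conditionalAccessStatus": "success",
    "deviceDetail": { "isCompliant": true, "operatingSystem": "Windows 11" },
    "location": { "countryOrRegion": "CA" } },
  { "createdDateTime": "2026-02-18T15:11:03Z", "userPrincipalName": "carol@contoso.example",
    "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
    "ipAddress": "198.51.100.22", "conditionalAccessStatus": "success",
    "deviceDetail": { "isCompliant": true, "operatingSystem": "Windows 11" },
    "location": { "countryOrRegion": "CA" } }
]
'@ | ConvertFrom-Json

function Find-DeviceCodeSignIn {
    param(
        [Parameter(Mandatory)] [object[]] $SignIn,
        # Assumption: the countries this tenant's users normally sign in from.
        [string[]] $ExpectedCountries = @('CA')
    )
    foreach ($s in $SignIn) {
        if ($s.authenticationProtocol -ne 'deviceCode') { continue }

        # Every device code sign-in deserves a look; these conditions raise its priority.
        $reasons = @()
        if ($s.deviceDetail.isCompliant -ne $true) { $reasons += 'device not compliant or unknown' }
        if ($s.location.countryOrRegion -notin $ExpectedCountries) { $reasons += "country $($s.location.countryOrRegion)" }
        if ($s.conditionalAccessStatus -ne 'success') { $reasons += "Conditional Access $($s.conditionalAccessStatus)" }

        $severity = if ($reasons.Count -ge 2) { 'high' } else { 'review' }
        [pscustomobject]@{
            Time     = $s.createdDateTime
            User     = $s.userPrincipalName
            App      = $s.appDisplayName
            IP       = $s.ipAddress
            Severity = $severity
            Reasons  = ($reasons -join '; ')
        }
    }
}

# alice's sign-in comes out as 'high' (non-compliant device, unexpected country, no CA);
# carol's is listed as 'review' because device code sign-ins are rare enough to check each one.
Find-DeviceCodeSignIn -SignIn $sampleSignIns | Sort-Object Severity | Format-Table -AutoSize
```

Where device code flow has no business use in a tenant, the same records also show which apps and users would be affected by a Conditional Access policy that blocks the flow outright.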

Microsoft Says That It Will Hand Over Your Bitlocker Keys To Law Enforcement… Should You Worry And What Can You Do To Protect Yourself

Posted in Commentary on January 26, 2026 by itnerd

Disclaimer: I am not trying to give tips to the bad guys. But given the fact that I have been emailed about this repeatedly since this story broke, I felt that I needed to respond.

Late last week, news broke that Microsoft not only will hand over Bitlocker keys to law enforcement, but it has done so.

Wait, what are Bitlocker keys? Glad that you asked that question.

Microsoft Windows 11 has a full disk encryption feature called Bitlocker. The goal of Bitlocker is to keep the data on your laptop or desktop safe by encrypting it, and to decrypt it you need a key. So think of it like this: your data is protected by a padlock, and you have the key to unlock it. That should keep it safe from prying eyes.

But here’s the catch: Microsoft also has a key to your data and is willing to hand it over to law enforcement. Now this is likely making you think “wait, I didn’t give Microsoft a key to my data”. Well, actually you did. If you install Windows 11 and turn on Bitlocker, assuming that it isn’t on already, you need to create a Microsoft account. The idea is that it will store the Bitlocker key in the cloud. The thing is, the second you do that, Microsoft has access to that key. Now you can opt out of this, but it takes a lot of effort (the cynic in me says that this is deliberate on the part of Microsoft) to do that. And the average user isn’t going to go through that effort. So they take the easy way out.

If you’re still with me, you’re now likely thinking “wow, that’s a massive potential security risk for users.” And you’d be right. The fact that Microsoft can do this to anyone who uses Windows 11 with a Microsoft account is problematic to say the least. Contrast that with Apple, which claims to have zero access to the keys for FileVault, its full disk encryption feature, and you get a comparison that I am going to guess Microsoft would rather you not make.

So, if this freaks you out, the question becomes: what are your options to mitigate this risk? This is what I would suggest:

  • Use A Local Account Instead Of A Microsoft Account: By installing Windows 11 with a local account, you avoid this completely as it doesn’t upload the Bitlocker keys to the cloud where Microsoft can get access to them. Microsoft shockingly has instructions as to how to do this here. But I would default to these instructions as they are a bit more straightforward.
  • Don’t Use Bitlocker To Encrypt Your Disk: Alternatives to Bitlocker that I would actually recommend to people are few and far between. What I would recommend instead is using a self-encrypting hard drive. The reason is that Bitlocker is largely software encryption, which means there is some overhead from the data being encrypted and decrypted. A self-encrypting drive uses hardware encryption, which has substantially less overhead. Another plus that self-encrypting drives have over Bitlocker is that they secure data in ways that make them difficult, if not impossible, to break into. Self-encrypting drives can be installed in most laptops and desktops after purchase, or they can be added as options during the purchase process. Besides speed, these drives also adhere to standards such as FIPS 140-2 Level 3 validation, which makes them ideal for environments where the security of data is paramount. The one thing I would ensure is that the drive you use adheres to the TCG Opal 2.0 specification for maximum compatibility with the applications that manage these drives. If you want to go down the rabbit hole on self-encrypting drives, this will help you to do so.
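Added here as an example, not from the post: a PowerShell script that goes one step beyond the two options above for a machine that already has Bitlocker on with a Microsoft account. It lists the key protectors on the OS volume, adds a fresh recovery password, saves it offline, and then removes the old recovery password protector, so that any copy already stored with the Microsoft account no longer unlocks the drive. It assumes an elevated session, the BitLocker module that ships with Windows 10/11 Pro and Enterprise, and the $MountPoint and $BackupPath values are assumptions to change for your machine.

```powershell
# Added example, not from the post: list the BitLocker key protectors on the OS volume
# and rotate the recovery password so a copy previously stored with a Microsoft account
# no longer unlocks the drive. Requires an elevated session and the BitLocker module
# that ships with Windows 10/11 Pro/Enterprise. $MountPoint and $BackupPath are assumptions.
param(
    [string] $MountPoint = 'C:',
    # Offline location such as a USB stick, not a folder that syncs to the cloud.
    [string] $BackupPath = 'D:\bitlocker-recovery-key.txt'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume $MountPoint : protection=$($vol.ProtectionStatus) encryption=$($vol.VolumeStatus)"

# The RecoveryPassword protector is the 48-digit key that Windows uploads when a
# Microsoft account is used; TPM protectors never leave the machine.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId, RecoveryPassword -AutoSize

$oldRecovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($oldRecovery.Count -eq 0) {
    Write-Warning "No recovery password protector on $MountPoint; nothing to rotate."
    return
}

# 1. Add a fresh recovery password first, so the volume is never left without one.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldRecovery.KeyProtectorId
}

# 2. Save the new key offline before touching the old one.
"BitLocker recovery key for $MountPoint ($(Get-Date -Format s)): $($new.RecoveryPassword)" |
    Out-File -FilePath $BackupPath -Encoding ascii
if (-not (Test-Path $BackupPath)) { throw "Backup of the new key failed; old protector left in place." }

# 3. Remove the old protector(s). Whatever copy was escrowed earlier is now useless.
foreach ($p in $oldRecovery) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}
"Rotated recovery password on $MountPoint; new key saved to $BackupPath"
```

If the machine still signs in with a Microsoft account, check the account’s recovery keys page afterwards to confirm the new key was not uploaded again, and keep the offline copy somewhere you can actually find it, because without it a failed boot means a lost disk.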

Now should you worry about the fact that Microsoft will hand over your Bitlocker keys to law enforcement? One view is that if you’re not a bad guy you shouldn’t be concerned. Another view is that if you care about privacy, you should be concerned as someone outside of Microsoft might get their hands on these keys and use them for whatever evil purpose that they have in mind. Or Microsoft may start handing these keys over to non-law enforcement agencies or repressive governments or the like. The bottom line is that you have to look at this relative to your comfort level of letting Microsoft have access to the keys that protect your data. And take action based on that.

Windows exploit catches the attention of the CISA

Posted in Commentary on January 15, 2026 by itnerd

CISA has added a vulnerability in Microsoft Windows, tracked as CVE-2026-20805 (CVSS Score of 8.7), to its Known Exploited Vulnerabilities catalog. Released this week in the Microsoft Patch Tuesday security update, this CVE is a Windows Desktop Window Manager flaw that lets attackers leak small pieces of memory information that can help bypass security protections, and it is being actively exploited in the wild.

Here are some insights from Adrian Culley, Senior Sales Engineer for SafeBreach and OWASP contributor:

“This is a ‘detected in the wild’ zero day attack. There is no publicly disclosed code or PoC, yet. CVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day. Since exploitation requires local access and privileges, remote exploitation is not feasible, reducing the attack surface.”

This link from Microsoft has more details on this, along with the list of applicable patches depending on which Microsoft OS you’re running. It’s worth a read, as this is one that you want to make sure you’re defended against, even if it’s not remotely exploitable.

Microsoft bounty program now includes any flaw impacting its services

Posted in Commentary on December 11, 2025 by itnerd

Microsoft today announced that it is expanding its bug bounty program to include any flaw impacting its services, regardless of whether the code was written by Microsoft:

In an AI and cloud-first world, threat actors don’t limit themselves to specific products or services. They don’t care who owns the code they try to exploit. The same approach should apply to the security community who continue to partner with us to provide critical insights that help protect our customers.

Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved. We value research that takes this broader perspective, encompassing not only Microsoft infrastructure but also third-party dependencies, including commercial software and open-source components.

Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third-party, or is open source, we will do whatever it takes to remediate the issue. Our goal is to incentivize research on the highest risk areas, especially the areas that threat actors are most likely to exploit. Where no bounty program exists, we will recognize and award the diverse insights of the security research community wherever their expertise takes them. This includes domains and corporate infrastructure that are owned and managed by Microsoft.

We call this approach In Scope by Default. It gives clarity to researchers and ensures that we incentivize responsible research wherever our customers may be impacted. Historically, our bounty program has had a defined scope for each eligible product or service. Our new approach expands the program to include all online services by default. It also means new services will be in scope as soon as they are released.

Martin Jartelius, AI Product Director at Outpost24, had this to say:

“For organizations that rely on bug bounty programs to keep themselves and their customers secure, this is an important step, as it focuses on the full attack surface of an organization. A very common mistake in security is the careless use of scope, or rather de-scoping, of what is included. As Mr. Gallagher notes, attackers do not care whether they gain access through ReactToShell or a novel vulnerability in Microsoft components. Microsoft will likely find itself paying out more bounties for a while, but the resulting security improvements will ultimately be a cost-efficient way to strengthen the organization’s overall security posture.”

This is a very good move by Microsoft as supply chain attacks are far more pervasive than they should be. Hopefully other vendors do something similar as this will make us all safer.

Microsoft Entra Invitations Hijacked in Surge of TOAD Phishing Attacks

Posted in Commentary on November 17, 2025 by itnerd

A newly identified phishing campaign is exploiting Microsoft Entra tenant invitation functionality to orchestrate TOAD (Telephone-Oriented Attack Delivery) attacks against unsuspecting users. Commenting on this is Ensar Seker, CISO at SOCRadar:

“This campaign is a prime example of how attackers increasingly repurpose legitimate cloud-native features for malicious purposes. By abusing Microsoft Entra’s guest invitation system, the threat actors bypass traditional email filters and exploit trust users place in official Microsoft-branded messages. Because the Entra invitations are often whitelisted and routed through Microsoft’s infrastructure, they have higher deliverability and lower suspicion thresholds.

TOAD phishing attacks differ from traditional credential harvesting because they rely on inducing the user to take offline action, usually by calling a phone number. In this case, embedding the phone number within a trusted Microsoft invitation gives the scam an air of legitimacy. Once the victim initiates the call, attackers may request remote access, payment details, or PII under the guise of “fixing” an account issue or refunding a charge.

What makes this campaign particularly dangerous is the convergence of:

  • Trusted delivery mechanisms (Microsoft Entra infrastructure)
  • Minimal technical indicators (no malicious attachment or link to analyze)
  • Social pressure (urgent account issues prompting a phone call)

Traditional email filtering, sandboxing, and EDR tools are less effective here because the initial “payload” is human interaction, not code execution.

Organizations should monitor and audit their Microsoft Entra guest invitation logs for anomalous behaviors such as spikes in external invitations, use of unusual messaging language, or repeated invitations to consumer domains. Security awareness training should explicitly cover TOAD threats and the misuse of trusted platforms to initiate phone-based social engineering.

This is part of a broader trend in adversary-in-the-middle techniques that blend cloud abuse, social engineering, and trust manipulation. It underlines the need for zero trust policies even within SaaS environments, continuous behavioral monitoring, and adaptive email filtering models that account for intent, not just indicators.”

This is an interesting attack, and not in a good way, because it is difficult to defend against. That means defences will have to be devised quickly, or this could easily spiral out of control.

Microsoft Logo Used in Fake Browser Lock Tech Support Scam – SOCRadar’s CISO Comments

Posted in Commentary on October 16, 2025 by itnerd

Researchers have uncovered a new campaign that weaponizes Microsoft’s name and branding to lure users into fraudulent tech support scams. What makes this scam different from others is the use of social engineering, fake system alerts and deceptive UI overlays to execute the scam.

More details can be found here: https://cofense.com/blog/weaponized-trust-microsoft-s-logo-as-a-gateway-to-tech-support-scams

Ensar Seker, CISO at SOCRadar, provided the following comments:

“This scam is an advanced form of client-side browser manipulation that exploits both psychological and technical blind spots. By weaponizing the browser through JavaScript-based UI freezing, attackers simulate a system-level lock, often hijacking the mouse cursor, displaying modal pop-ups, and suppressing keyboard interactions. This creates a false sense of urgency and loss of control, coercing victims into calling a fraudulent support number.

“Technically, this scam evades email security layers by using CAPTCHA challenges and redirect chains to delay payload execution until after user interaction, which frustrates sandbox-based detection. It also mirrors tactics used in scareware and fake AV campaigns from a decade ago, now modernized with brand impersonation and responsive browser exploits.

“For defenders, it reinforces the importance of browser hardening, zero-trust browsing environments, and robust user awareness, especially training users to recognize fake urgency cues and never call unknown support numbers prompted by web pop-ups.”

Threat actors seem to be evolving faster than defenders can keep up. And this campaign illustrates that. That should make it clear that defenders need to evolve just as fast or bad things will happen to those they are protecting.

Windows 10 Support Ends TODAY

Posted in Commentary on October 14, 2025 by itnerd

As of today, Microsoft has ended Windows 10 support. And according to Roger Grimes, CISO Advisor at cybersecurity company KnowBe4, that could leave users vulnerable to cyberattacks.

“Windows 10 was released over 10 years ago, so it doesn’t surprise me that Microsoft is finally sunsetting it. Competitors like Apple and Linux often only support the latest versions for a few years, so ten years of support is extraordinary. With that said, there are tens of millions of Windows 10 users (there are also hundreds of thousands to millions of even earlier Windows users out there), and Microsoft can’t simply abandon them.

But what does support look like when Microsoft no longer provides support? If history is any indicator, in the past Microsoft was forced to release a few critical patches that were being widely exploited in the world, but the practical reality is that any Windows 10 user needs to move to a newer version or use something else. If they can’t, and there are very valid reasons why a customer MUST continue to use Windows 10, they must accept the risk. That’s life. But those Windows 10 users should isolate Windows 10 computers off the network and Internet if they can, or significantly isolate them using other domain isolation techniques (e.g., firewalls, IPSEC, etc.) and enable aggressive security monitoring. A Windows 10 computer is a high-risk computer and needs to be treated like it.”

Now updating to Windows 11 is the clear answer to dealing with Windows 10’s demise. But that’s not always easy, as it is entirely possible that you have to replace hardware, or that some piece of software you rely upon might break and not have an easy update path, assuming that an update path exists at all.

But there’s another option if you must run Windows 10. You can extend its lifespan with the Extended Security Updates (ESU) program by paying Microsoft. More details can be found here. Interestingly, EU customers don’t have to pay for this, at least for the first year. That’s the benefit of living in a jurisdiction that takes cybersecurity more seriously than we do. Having said that, this is a viable option if you must run Windows 10 beyond today.

New Phishing Campaign Uses LLMs To Craft SVG Payloads To Pwn You

Posted in Commentary on September 29, 2025 by itnerd

Microsoft has flagged a new phishing campaign that appears to leverage large language models (LLMs) to craft obfuscated SVG payloads, making them appear like legitimate business analytics dashboards. The attack chain uses compromised business email accounts, self-addressed emails, and SVG files containing business-related terminology and modular, over-engineered code that mimics legitimate content. This enables phishing lures to evade static analysis and detection tools. While the campaign was limited in scope and blocked, Microsoft warns that AI-assisted obfuscation and synthetic phishing techniques are growing trends, with attackers increasingly adopting LLMs to automate and enhance their tactics.

You can read more via this Microsoft blog post: https://www.microsoft.com/en-us/security/blog/2025/09/24/ai-vs-ai-detecting-an-ai-obfuscated-phishing-campaign/

Anders Askasen, VP of Product Marketing, Radiant Logic, had this comment:

“AI-driven phishing shows us that the frontline isn’t the payload, it’s the person behind the login. Attackers aren’t just tricking defensive filters anymore, they are using LLMs to mimic the texture of legitimate business data. That’s why identity observability is critical. If you can unify identity data into one source of truth, you can see when an account behaves out of character, when credentials are being replayed, or when entitlements don’t match expected patterns. The only way to counter AI-scaled deception is with unified identity intelligence that lets defenders observe, correlate, and act in real time.”

Andrew Obadiaru, CISO, Cobalt, follows with this comment:

“Phishing has always been about social engineering, but AI is fundamentally changing the game by making attacks harder to detect both technically and psychologically. The use of LLMs to generate verbose, business-like code isn’t just obfuscation—it’s camouflage that blends seamlessly into enterprise workflows. Security teams can’t rely on static filters or signature-based defenses to catch this. The focus must shift to behavioral detection, red-teaming against AI-assisted tactics, and shortening remediation cycles before attackers can exploit the gap.”

This highlights the fact that we all need to work harder than ever to stay ahead of the bad guys. Because they continue to evolve their tactics to allow them to succeed in making your life as miserable as possible.

Azure Entra flaw could enable user impersonation

Posted in Commentary on September 23, 2025 by itnerd

Microsoft patched an Azure Entra elevation of privilege flaw (CVE-2025-55241) that appeared minor and required no customer action. But security researcher Dirk-jan Mollema revealed a deeper issue: undocumented “Actor tokens” combined with an Azure AD Graph API flaw could have enabled attackers to impersonate any user, including Global Admins, across any Entra ID tenant, with no logs or traces. While Microsoft moved quickly after responsible disclosure, the episode highlights the fragility of cloud identity security, the hidden risks in undocumented systems, and the need for proactive monitoring beyond vendor assurances. Details below:

One Token to rule them all – obtaining Global Admin in every Entra ID tenant via Actor tokens: https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/

Anders Askasan, Director of Product, Radiant Logic, had this to say:

“This incident shows how undocumented identity features can quietly bypass Zero Trust. Actor tokens created a shadow backdoor with no policies, no logs, no visibility, undermining the very foundation of trust in the cloud. The takeaway is clear: vendor patching after the fact simply isn’t enough. To reduce systemic risk, enterprises need independent observability across their entire identity fabric, continuously correlating accounts, entitlements, and policies. Organizations need a trusted, vendor-agnostic view of their identity data and controls, so they can validate in real time and act before an adversarial incursion escalates into a breach that’s almost impossible to unwind.”

Christopher Elisan, Head of Offensive Security Research, Cobalt, adds this:

“This case underscores why blind trust in vendor assurances can be dangerous. While responsible disclosure and rapid patching worked here, the sheer scale of what could have gone wrong reminds us that security isn’t static. Organizations should invest in adversarial testing to uncover blind spots before attackers do. Blind spots often live in undocumented functionalities, which can only be found by continuous, independent testing and validation. Continuous, independent validation is the only way to cut through a false sense of safety.”

This shows the importance of having a strong, diversified defence strategy that reduces your exposure to something like this. That’s on top of patching everything ASAP.

Microsoft Seizes 338 Sites to Disrupt RaccoonO365 Phishing Service

Posted in Commentary on September 16, 2025 by itnerd

Today, Microsoft’s Digital Crimes Unit said it disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 credentials, by seizing 338 websites associated with the popular service and cutting off criminals’ access to victims.

Microsoft posted a blog post on the seizure here: https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/

Erich Kron, security awareness advocate at KnowBe4, commented:

“Clearly, email phishing continues to be a major threat that organizations face on a daily basis. Phishing services make it far easier for unskilled attackers to be able to play in the cybercrime game, while not necessarily being cyber savvy themselves.

“Credential theft through phishing can be especially dangerous because people tend to reuse passwords across different accounts and services, meaning, if a bad actor can trick someone out of their password, they may not only have access to that account, but others as well.

“The social engineering threats drive home the reason that organizations need to have a well-established human risk management (HRM) program in place that will educate users on ways to spot fake login pages and help them understand why credential reuse is so dangerous. In addition, MFA should be deployed wherever possible to make things even tougher for attackers in the event they do steal someone’s credentials.”

This blog post is very much worth your time to read, as it shows how threat actors are evolving to become more effective and more dangerous.