The Login Page Is Real. The Session Is Not.

NexusWire is NexusTek's new weekly intelligence brief, distilled from public threat research by our internal security council. All claims are sourced to vendor and government authorities including Microsoft, Cisco, CISA, and independent security researchers. When we get something wrong, we'll correct it visibly in the next edition. That's our standard.
Three teams in one week
Three different research teams documented the same attack against Microsoft 365 in a single week.
eSentire, a threat research firm, documented that the Tycoon 2FA criminal operators have pivoted to a technique called OAuth device code phishing. The way it works: the attacker tricks the user into entering a six-digit code on Microsoft’s real login page. The password works. The multi-factor approves cleanly. The session goes to the attacker’s device, not the user’s.
Proofpoint reported the same technique spreading across multiple phishing-as-a-service criminal groups.
Google Threat Intelligence Group documented a separate operator running the same attack through voice phone calls. In one case, the attackers pulled more than a million files from SharePoint and OneDrive before anyone even noticed.
What this means
What this means in practice: traditional multi-factor authentication does not stop any of these. Text message codes, authenticator app prompts, push notifications you tap: the factor approves correctly, but it approves for the wrong owner.
The only category of MFA that closes the gap is called phishing-resistant. Hardware security keys like a YubiKey, or passkeys built into your device. Those bind cryptographically to the real Microsoft domain at the browser level, so a fake login page cannot complete the handshake even if the user wants it to.
Two actions to take now
The action this week is two things. Disable OAuth device code flow in Microsoft 365 tenants that do not need it; that is a single conditional access policy. And start moving admin accounts to hardware keys or passkeys.
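While that policy change rolls out, the sign-in logs already tell you whether device code flow is being used in your tenant. The script below is an added example, not NexusTek's or Microsoft's code. It assumes records in the Microsoft Graph sign-in log shape, where the authenticationProtocol field carries the value deviceCode for this flow; the trusted network ranges and all sample records are constructed for illustration.

```python
"""Flag successful OAuth device code sign-ins in Entra sign-in log records.

Added example (not the newsletter's or Microsoft's code). Assumes the Graph
signIn record shape: authenticationProtocol == "deviceCode" marks the flow,
status.errorCode == 0 marks success, authenticationRequirement says whether
MFA was satisfied. Network ranges and sample records below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: the organisation's known egress ranges.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    user: str
    ip: str
    reason: str


def is_trusted_ip(ip: str) -> bool:
    """True when the client IP falls inside a known egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def flag_device_code_signins(records: list[dict]) -> list[Finding]:
    """Return one Finding per successful device code sign-in.

    A successful device code sign-in means the session was issued to
    whichever device requested the code, which may not be the user's browser.
    The reason string records why the event deserves a look.
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        # errorCode 0 is a completed sign-in; failed attempts are skipped here
        if r.get("status", {}).get("errorCode", 1) != 0:
            continue
        ip = r.get("ipAddress", "")
        reasons = ["device code flow completed"]
        if ip and not is_trusted_ip(ip):
            reasons.append("client IP outside trusted ranges")
        if r.get("authenticationRequirement") == "multiFactorAuthentication":
            reasons.append("MFA satisfied, so the factor alone did not stop it")
        findings.append(Finding(r["userPrincipalName"], ip, "; ".join(reasons)))
    return findings


# Constructed sample records, not real tenant data.
SAMPLE_SIGNINS = [
    {   # ordinary browser sign-in: not device code, ignored
        "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10",
        "authenticationProtocol": "oAuth2", "status": {"errorCode": 0},
        "authenticationRequirement": "multiFactorAuthentication",
    },
    {   # device code sign-in that failed: nothing was issued
        "userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.5",
        "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126},
        "authenticationRequirement": "singleFactorAuthentication",
    },
    {   # device code sign-in, MFA passed, session went to an unknown IP
        "userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.5",
        "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
        "authenticationRequirement": "multiFactorAuthentication",
    },
    {   # device code sign-in from a trusted range, e.g. an admin's CLI
        "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.7",
        "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
        "authenticationRequirement": "singleFactorAuthentication",
    },
]


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f.user} from {f.ip or 'unknown IP'}: {f.reason}")
```

Run against an export of the tenant's sign-in logs, the output is a short list of device code sessions to review; the trusted-range hit shows why the flow should be disabled only in tenants that do not need it, since legitimate tooling may depend on it.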
NexusTek is a CMMC L2-certified managed service provider serving small and mid-sized businesses across the United States.
