When Legit Is the Trick: Phishing’s Sneaky New Moves. [OMITB]

The episode opens with a deep dive into a new breed of social engineering that hijacks legitimate authentication mechanisms. Threat actors are weaponising Microsoft’s OAuth device‑code flow, presenting users with familiar QR‑code prompts that appear to add a device or app to their Microsoft 365 account. By disguising the request as a routine HR or benefits notification, attackers coax victims into entering a device token, which then grants the adversary unfettered access to the target’s account. This technique sidesteps classic phishing defenses because the URL and login page are genuine Microsoft domains, making traditional URL‑checking and MFA advice less effective.

The conversation shifts to the tooling that has accelerated this threat. Squarefish 2, an evolution of earlier red‑team software, automates the device‑code phishing chain at scale, lowering the skill barrier for cyber‑criminals and flooding the market with high‑volume token‑theft kits. Simultaneously, Microsoft’s DirectSend feature—designed for printers and legacy apps—has been repurposed to send internal‑looking emails without authentication, allowing attackers to spoof trusted senders and increase the credibility of their lures. These developments illustrate how everyday cloud services can be turned against enterprises, amplifying the impact of both e‑crime and nation‑state campaigns.

To counter these sophisticated abuses, experts recommend a layered approach. Blocking the device‑code grant flow where it isn’t required, tightening conditional‑access policies, and enforcing allow‑list controls can stop the token exchange before it succeeds. Complementary user‑training programs must evolve beyond “don’t click suspicious links” to educate staff on recognizing unsolicited token or QR‑code requests and verifying them through out‑of‑band channels. Together, technical safeguards and heightened awareness create a resilient defense against the growing trend of legitimate‑service phishing.