INTEL-5: Your Microsoft Login Page Is the Phishing Page
Posted on March 11, 2026 • 4 min read • 719 words
The INTEL
Nation-state adversaries have turned Microsoft’s own authentication infrastructure into the attack platform. Not fake login pages. Not lookalike domains. The real thing.
CrowdStrike’s 2026 Global Threat Report documents Russia and Iran independently converging on the same strategy: exploit the trust organizations place in Microsoft identity services — Entra ID, OAuth 2.0, and device code authentication — to gain persistent access that traditional security controls cannot detect.
The phishing page your employees land on? It’s login.microsoftonline.com. The authentication flow? Legitimate. The domain? Microsoft’s. There is nothing for your URL filter to catch.
How It Works
OAuth Device Code Phishing: A trusted contact reaches out via messaging — someone the target actually knows (or believes they know). They ask the victim to enter a device code on Microsoft’s legitimate authentication portal. The victim authenticates normally. The adversary captures the access and refresh tokens — gaining persistent access without ever needing the password.
Adversary-in-the-Middle (AiTM): Iran-nexus adversaries deployed the EvilGinx2 toolkit against Israeli Microsoft 365 users in November 2025. The phishing kit acts as a real-time reverse proxy — sitting between the victim and Microsoft’s actual login page. The victim sees Microsoft’s legitimate interface. The adversary intercepts credentials and session tokens in real time, bypassing MFA entirely.
Conditional Access Bypass: In one documented case, a Russian adversary spent multiple hours across three days systematically testing an organization’s conditional access policies — registering devices with various naming conventions, attempting authentication across different applications, probing for policy weaknesses. They eventually established persistence through Windows Hello for Business and passwordless phone sign-in.
Why It Matters
Every one of these techniques uses legitimate Microsoft authentication infrastructure. Your security tools trust Microsoft’s login pages. Your conditional access policies assume the authentication flow is secure. Your employees are trained to verify they’re on the correct domain — and they are.
Today, Iran is targeting Israeli M365 users. The technique works against any M365 tenant, anywhere. There is no technical barrier preventing the same toolkit from being pointed at US organizations tomorrow. The phishing infrastructure is language-agnostic — swap Hebrew lures for English ones, and the same attack chain works against any enterprise running Microsoft 365.
The attack surface extends beyond user identities. Adversaries are increasingly targeting workload identities — service accounts, application credentials, and API keys — which often have elevated privileges but weaker security controls than human accounts.
What To Do
- Deploy phishing-resistant MFA — FIDO2 security keys or certificate-based authentication. Token-based methods (authenticator apps, SMS) are bypassed by AiTM proxies.
- Monitor OAuth token activity — Flag unusual token grants, especially device code flows initiated outside normal business patterns. Alert on refresh token usage from unexpected locations or ASNs.
- Audit conditional access policies for bypass paths — Adversaries systematically probe for gaps. Test your own policies the way an attacker would: What happens if someone registers a new device? What applications are excluded? What flows don’t require compliant devices?
- Monitor non-human identities — Service accounts, app registrations, and API keys with elevated privileges are increasingly targeted. Apply the same scrutiny to workload identities as human ones.
- Restrict device code authentication — If your organization doesn’t use device code flows for legitimate purposes, disable them. If you do, monitor them aggressively.
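The two log-based items above (flag device code flows, alert on refresh-token use from unexpected networks) can be tested against sign-in data directly. The script below is an added example, not code from the article, from CrowdStrike or from FIR Risk. It uses the field names of the Microsoft Graph signIn resource (authenticationProtocol, incomingTokenType, autonomousSystemNumber, createdDateTime), but the sample records, the business-hours window and the "known" ASNs are constructed assumptions; the ASNs are drawn from the 64496-64511 range reserved for documentation.

```python
"""Triage Entra ID sign-in records for the two signals the brief calls out:
device code flows and refresh-token use from unexpected networks.
Added example: field names follow the Microsoft Graph signIn resource, but
the records, hours and ASNs below are constructed assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumptions, not from the article: the hours treated as normal (UTC) and the
# ASNs the organisation usually signs in from. 64496-64511 are reserved for
# documentation (RFC 5398), so they are safe placeholders.
BUSINESS_HOURS_UTC = range(8, 18)
KNOWN_ASNS = {64496, 64497}

# Constructed sample sign-in log (not real tenant data).
SAMPLE_SIGNINS = json.loads("""[
{"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-10T09:15:00Z",
 "authenticationProtocol": "oAuth2", "incomingTokenType": "none",
 "autonomousSystemNumber": 64496, "appDisplayName": "Microsoft Teams"},
{"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-10T09:42:00Z",
 "authenticationProtocol": "deviceCode", "incomingTokenType": "none",
 "autonomousSystemNumber": 64496, "appDisplayName": "Microsoft Office"},
{"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-10T22:05:00Z",
 "authenticationProtocol": "oAuth2", "incomingTokenType": "refreshToken",
 "autonomousSystemNumber": 64500, "appDisplayName": "Microsoft Graph"},
{"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-10T14:00:00Z",
 "authenticationProtocol": "oAuth2", "incomingTokenType": "refreshToken",
 "autonomousSystemNumber": 64497, "appDisplayName": "Outlook"},
{"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-11T03:30:00Z",
 "authenticationProtocol": "deviceCode", "incomingTokenType": "none",
 "autonomousSystemNumber": 64500, "appDisplayName": "Microsoft Office"}
]""")


def parse_time(value):
    """Parse the Graph ISO-8601 timestamp (always UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def interactive_asn_baseline(records):
    """ASNs each user has used for ordinary interactive sign-ins (no token
    redemption, not device code). Serves as a per-user 'normal network' set."""
    baseline = defaultdict(set)
    for rec in records:
        if rec.get("incomingTokenType") == "none" and rec.get("authenticationProtocol") != "deviceCode":
            baseline[rec["userPrincipalName"]].add(rec.get("autonomousSystemNumber"))
    return baseline


def assess(rec, baseline, known_asns=KNOWN_ASNS, hours=BUSINESS_HOURS_UTC):
    """Return the list of reasons a single sign-in record deserves review."""
    reasons = []
    user = rec["userPrincipalName"]
    asn = rec.get("autonomousSystemNumber")
    off_hours = parse_time(rec["createdDateTime"]).hour not in hours
    unexpected_asn = asn not in known_asns and asn not in baseline.get(user, set())
    if rec.get("authenticationProtocol") == "deviceCode":
        # Any device code flow is worth a look if the tenant does not use it;
        # off-hours timing or an unfamiliar network raises the priority.
        reasons.append("device code flow" + (" outside business hours" if off_hours else ""))
        if unexpected_asn:
            reasons.append(f"device code sign-in from unexpected ASN {asn}")
    if rec.get("incomingTokenType") == "refreshToken" and unexpected_asn:
        # A refresh token redeemed from a network the user never signed in
        # from interactively is the signature of a replayed stolen token.
        reasons.append(f"refresh token used from unexpected ASN {asn}")
    return reasons


def triage(records):
    """Run every record through assess() and collect the hits, in log order."""
    baseline = interactive_asn_baseline(records)
    findings = []
    for rec in records:
        reasons = assess(rec, baseline)
        if reasons:
            findings.append({"user": rec["userPrincipalName"],
                             "time": rec["createdDateTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_SIGNINS):
        print(hit["time"], hit["user"], "->", "; ".join(hit["reasons"]))
```

Run as-is it reports three of the five constructed records: Alice's in-hours device code sign-in, Alice's refresh token redeemed from a network she has never signed in from interactively, and Bob's off-hours device code sign-in from an unfamiliar ASN. The per-user baseline matters more than the static allowlist: a stolen refresh token is replayed from the adversary's network, not the victim's, so "ASN the user has never used interactively" is the cleaner signal, and the same logic ports to a KQL query over the SigninLogs table.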
MITRE ATT&CK
- T1621 — Multi-Factor Authentication Request Generation: Device code phishing via legitimate Microsoft OAuth 2.0 flows
- T1557 — Adversary-in-the-Middle: Real-time proxy intercepting credentials and session tokens through Microsoft’s actual login pages
- T1078.004 — Valid Accounts: Cloud Accounts: Persistent access via captured OAuth tokens — no password needed
- T1556 — Modify Authentication Process: Conditional access policy bypass through systematic device registration
- T1528 — Steal Application Access Token: Access and refresh token capture enabling lateral movement
Learn More
- CrowdStrike 2026 Global Threat Report — Primary source
- FIR Risk INTEL-4 — Your Cloud APIs Are the Attack Infrastructure — Cloud API exploitation by Scattered Spider
- FIR Risk Tuesday E82 — Blending In — Cloudflare 2026 Threat Report
- FIR Risk Intelligence — Source prompts, methodology, and all published INTEL
Coming Friday the 13th: FIR Risk Tuesday E83 — The Convergence. CrowdStrike’s full 2026 Global Threat Report breakdown — the 27-second breakout time, the $1.46B supply chain heist, and why three major security vendors are all saying the same thing.
Powered by FIR Risk Platform — AI-driven threat intelligence for enterprise risk leaders.