Microsoft 365 account-takeover tradecraft converged this week on auth flows Conditional Access rarely covers — device-code, AiTM, ROPC and manager-impersonation vishing all beat MFA without breaking it
Four separate 2026-W28 disclosures describe one problem: Microsoft 365 account takeover is increasingly achieved not by defeating multi-factor authentication but by choosing an authentication path that Conditional Access commonly fails to gate. Huntress' comparative root-cause analysis of two campaigns made the mechanism explicit — "device code phishing is effective because it doesn't try to beat MFA. It sidesteps it," and in the ROPC-based LSHIY campaign "of the 78 compromised accounts, 55 had active Conditional Access policies requiring MFA" that still failed, because legacy/ROPC authentication through the /token endpoint never reaches the authorization endpoint where CA is enforced (Huntress, 2026-07-10). The same week, ZeroBEC documented Forg365, a Telegram-distributed adversary-in-the-middle phishing-as-a-service kit purpose-built to relay M365 auth and steal session cookies (ZeroBEC, 2026-07-10), and ReliaQuest profiled the Helix data-extortion cluster pairing manager-impersonation vishing with device-code phishing before SharePoint exfiltration (ReliaQuest, 2026-07-10). Read together with the week's ShinyHunters/Odido vishing attribution, the through-line is a maturing, commoditised identity-attack economy targeting the same tenant surface.
Why this is a cross-day pattern, not four items: device-code phishing, AiTM cookie theft, ROPC spraying and impersonation vishing are distinct techniques, but they exploit the same structural gap — a Conditional Access posture that assumes MFA coverage it does not actually enforce across every flow, client-app type and cloud app. A tenant that hardened against one of these this week is not hardened against the others.
Device code phishing is effective because it doesn't try to beat MFA. It sidesteps it.
Of the 78 compromised accounts, 55 had active Conditional Access policies requiring MFA.
Defender actions
- Block the OAuth device-code flow (and ROPC / legacy auth) for every M365 user population that does not require it, and set Conditional Access to fail-closed so an uncovered client-app type or cloud app cannot silently skip MFA.
- Hunt Entra sign-in logs for the sidestep signatures: device-code grants to unmanaged devices, ROPC/
/token-endpoint authentication against Azure CLI, and successful sign-ins from accounts whose CA policy should have required MFA but recorded none.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.