3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs

3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs

OAuth 2.0 is a widely used authorization framework that enables third-party applications to access user resources without exposing credentials. However, like any technology, it is susceptible to various threats. In this post, I’ll walk you through three OAuth Threat Tactics, Techniques, and Procedures (TTPs) that I’ve seen this month and how to detect them using Entra ID logs. What are TTPs in the context of OAuth? TTPs, or Threat Tactics, Techniques, and Procedures, are the methods attackers use to exploit OAuth vulnerabilities. Understanding these TTPs is crucial for implementing effective security measures and protecting your applications. ...

Jul 17, 2026 · 6 min · 1178 words · IAMDevBox
OAuth Device Code Flow Security: How to Detect and Prevent Device Code Phishing

OAuth Device Code Flow Security: How to Detect and Prevent Device Code Phishing

OAuth’s Device Authorization Grant (RFC 8628) was designed for TVs, CLIs, and IoT devices that can’t open a browser. Unfortunately, attackers have turned it into one of the most effective MFA-bypass techniques of 2024–2026, targeting thousands of Microsoft 365 organizations per campaign. This guide explains how the attack works at the protocol level and gives you specific, actionable steps to block it in every major identity platform. How Device Code Phishing Works (Protocol-Level) The Device Authorization Grant flow involves three parties: the device (attacker’s script), the authorization server (Microsoft, your IdP), and the user. Here’s the normal flow — and where attackers hijack it: ...

Jun 03, 2026 · 7 min · 1454 words · IAMDevBox