Financial Spear Phishing Digest

OAuth/OIDC consent & token abuse + QR AiTM escalation + Chinese PhaaS evolution

OAuth/OIDC consent & token abuse + QR AiTM escalation + Chinese PhaaS evolution

Key Questions

What is device code phishing and how does it target Microsoft authentication flows?

Device code phishing tricks users into entering one-time codes or authorizing devices on fake Microsoft login pages, allowing attackers to capture tokens without needing passwords. Related articles from Kaspersky and others describe campaigns abusing legitimate Microsoft infrastructure for this purpose.

How are PhaaS platforms like Tycoon2FA and Kali365 abusing OAuth device-code flows?

These platforms use a 4-step sequence involving OAuth consent abuse to bypass MFA and steal tokens, with FBI-sourced IOCs and conditional access policy bypasses noted. Recent red-team testing has identified new unauthenticated Azure AD enumeration vectors.

What new AI capabilities does Kali365 integrate for BEC attacks?

Kali365 now uses Claude AI to read victim inboxes, score fraud potential, and generate contextually accurate payment requests from compromised legitimate accounts. This bypasses traditional email authentication and BEC detection after OAuth token theft.

How are Chinese PhaaS gangs evolving their attack methods?

They employ real-time tokenization, AI-driven page generation, and encrypted delivery via RCS/iMessage, expanding to platforms like AWS, Okta, and MAX Messenger while targeting financial entities. Arctic Wolf identified 126 malicious hosts linked to these operations.

What role does QR code phishing play in recent MFA bypass trends?

MS QR code usage has surged 146% with over 8.3 billion scans in Q1, often abused in AiTM attacks alongside malicious PDFs and AI kits from vendors like Barracuda. This escalates token theft risks when combined with consent abuse.

MS QR +146% (8.3B Q1); Barracuda 70% malicious PDFs/90% AI kits. EvilTokens/VENOM/Tycoon/UNC6692: MFA bypass, cookie theft, Teams/SNOW imp. Tycoon2FA and new Kali365 PhaaS abuse legitimate OAuth device-code flows (4-step sequence, FBI-sourced IOCs, conditional access policies). New: unauthenticated Azure AD enumeration and novel device-code attack vectors (red-team tested TTPs and defenses). Recent article (2026-06-24) from security experts reinforces OAuth device-code abuse with FBI-sourced IOCs and Arctic Wolf analysis, adding concrete TTPs and pricing. Also: Chinese PhaaS gangs evolving with real-time tokenization, AI-driven page generation, and encrypted delivery channels (RCS/iMessage) targeting non-Chinese financial entities; FBI advisory on Kali365 confirms finance sector targeting. Latest: Kali365 expands to AWS, Okta, and Russian platforms (MAX Messenger); Arctic Wolf identified 126 malicious hosts; FBI PSA underscores threat to financial orgs. New: Kali365 now integrates Claude AI to automate BEC from victims' own inbox after OAuth token theft – AI reads threads, scores fraud potential, and sends contextually perfect payment requests from legitimate accounts, bypassing email authentication and traditional BEC detection. New: Varonis study on AI agent phishing demonstrates OAuth consent trap scenarios under urgency, directly relevant to financial orgs adopting AI agents; reinforces need for verification layers beyond prompt instructions. Red team report (2026-06-24) shows AI phishing + ClickFix + MFA bypass chain in 5 minutes, highlighting rapid token theft risk. New: Two additional device-code phishing campaigns detailed – one from Kaspersky (PDF+CAPTCHA+Microsoft login flow) and another from April-May 2026 (password-protected PDF, CAPTCHA, redirect to legitimate Microsoft login). Both reinforce the need to disable device-code flow and highlight that MFA does not protect against this technique.

Sources (4)
Updated Jul 7, 2026