microsoft

New ConsentFix Attack Hijacks Microsoft Accounts Via Azure CLI

ConsentFix attack hijacks Microsoft accounts via Azure CLI without passwords or MFA. It tricks users into submitting OAuth codes through a fake CAPTCHA on compromised sites, giving attackers full access to accounts using Azure authentication. Monitoring for unusual Azure CLI activity is recommended to detect this threat.

https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijacks-microsoft-accounts-via-azure-cli/

Malicious VSCode Extensions on Microsoft’s Registry Drop Infostealers

Two malicious extensions in Microsoft's Visual Studio Code Marketplace, named Bitcoin Black and Codo AI, infect developers' computers with malware that can steal credentials, screenshots, and cryptocurrency. Codo AI appears as an AI assistant, while Bitcoin Black masquerades as a color theme. Both can execute harmful scripts and have been flagged by antivirus engines. Microsoft has since confirmed their removal from the marketplace. Developers are advised to only install extensions from reputable sources.

https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/

CVE-2025-50165: Windows Graphics Component Flaw

CVE-2025-50165 is a critical remote code execution flaw in the Windows Graphics Component, specifically in windowscodecs.dll. It allows an attacker to exploit Windows systems via a malicious JPEG image embedded in standard documents. The vulnerability affects recent versions of Windows, including Server 2025 and Windows 11 24H2, but was patched by Microsoft in August 2025. Users are advised to apply the updates immediately. Zscaler ThreatLabz has also released protection for this vulnerability.

https://www.zscaler.com/blogs/security-research/cve-2025-50165-critical-flaw-windows-graphics-component

Microsoft: Azure Hit by 15 Tbps DDoS Attack Using 500,000 IP Addresses

Microsoft's Azure was targeted by a 15.72 Tbps DDoS attack from the Aisuru botnet, utilizing over 500,000 IP addresses, and employing high-rate UDP floods, peaking at 3.64 billion packets per second. Aisuru, a Turbo Mirai-class botnet, exploits vulnerabilities in IoT devices, significantly growing in size after breaching a router firmware update server. This attack follows other DDoS incidents linked to the same botnet, and highlights ongoing security challenges with IoT devices.

https://www.bleepingcomputer.com/news/microsoft/microsoft-aisuru-botnet-used-500-000-ips-in-15-tbps-azure-ddos-attack/

Quantum Route Redirect PhaaS Targets Microsoft 365 Users Worldwide

Quantum Route Redirect, a new phishing automation platform, uses around 1,000 domains to steal Microsoft 365 credentials, primarily targeting users in the U.S. It automates phishing attacks by routing victims to malicious sites through deceptive emails. The kit is designed for ease of use, even for less skilled attackers, and incorporates mechanisms to evade detection by automated security tools. Security analysts recommend implementing robust URL filtering to combat this threat.

https://www.bleepingcomputer.com/news/security/quantum-route-redirect-phaas-targets-microsoft-365-users-worldwide/

Anatomy of Tycoon 2FA Phishing: Tactics Targeting M365 and Gmail

Tycoon 2FA Phishing Kit Overview:
Emerging in August 2023, Tycoon 2FA is a sophisticated phishing threat leveraging multi-factor authentication (MFA) bypass techniques, primarily targeting Microsoft 365 and Gmail users. With over 64,000 incidents reported in 2025, it employs a Phishing-as-a-Service platform to capture user credentials via a reverse proxy and deceptive login pages. The attack exploits various distribution methods, including PDFs, and evades detection with anti-research mechanisms and real-time MFA code capture. Enhanced security measures and user education are essential to mitigate risks associated with Tycoon 2FA.

https://gbhackers.com/tycoon-2fa-phishing/

Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed Microsoft Teams Vulnerabilities Uncovered

Extreme TLDR: Check Point Research uncovered vulnerabilities in Microsoft Teams allowing impersonation, message manipulation, and notification spoofing by both outsiders and insiders, risking trust and security for over 320 million users. Microsoft fixed these in 2024-2025 after responsible disclosure. Effective defense requires multi-layered security, user training, and awareness of social engineering threats.

https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/

OAuth Device Code Phishing: Azure Vs. Google Compared

Extreme TLDR: Microsoft and Google implement OAuth 2.0’s device code flow differently, affecting phishing attack vulnerabilities. Microsoft's setup allows attackers to gain significant access via device code phishing by utilizing legitimate API flows, leading to dangerous token generation. Google's implementation limits potential damages due to restricted scopes and client ID controls, making successful exploitation challenging.

https://www.bleepingcomputer.com/news/security/oauth-device-code-phishing-azure-vs-google-compared/

Sneaky Mermaid Attack in Microsoft 365 Copilot Steals Data

Microsoft fixed a security vulnerability in Microsoft 365 Copilot that allowed data theft through indirect prompt injection attacks. A researcher discovered the flaw leveraging Mermaid diagrams, enabling sensitive email data to be exfiltrated. Microsoft confirmed the patch but did not award the researcher a bug bounty since Copilot is not eligible for their reward program.

https://www.theregister.com/2025/10/24/m365_copilot_mermaid_indirect_prompt_injection/

Microsoft 365 Copilot – Arbitrary Data Exfiltration via Mermaid Diagrams

TL;DR: Microsoft 365 Copilot allowed data exfiltration via mermaid diagrams through an indirect prompt injection, fetching sensitive information (e.g., emails) and encoding it in a clickable “login button.” Clicking the button sent the data to an attacker's server. The vulnerability was confirmed and subsequently patched by Microsoft.

https://www.adamlogue.com/microsoft-365-copilot-arbitrary-data-exfiltration-via-mermaid-diagrams-fixed/

One Token to Rule Them All

Dirk-jan Mollema, an infosec researcher, discusses a significant vulnerability in Microsoft's Entra ID that allows attackers to gain Global Admin access in any tenant using undocumented “Actor tokens.” This flaw arises from a defect in the Azure AD Graph API, which fails to validate originating tenants, enabling cross-tenant access with impersonation tokens. After reporting it to Microsoft, the vulnerability was swiftly fixed. The implications include potential full control over any Entra ID tenant, with minimal logging or detection capabilities, fundamentally highlighting design flaws in token management and security protocols.

https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/

Microsoft Isn’t Fixing 8-year-old Zero Day Used for Spying

Microsoft is ignoring an 8-year-old Windows exploit involving .LNK shortcut files used for surveillance, treating it as a low-priority issue despite its effectiveness in espionage. Trend Micro discovered the flaw, which allows attackers to hide malicious commands, affecting mainly state-sponsored actors from countries like North Korea and Russia. Microsoft claims it's a user-interface issue rather than a security threat, suggesting a possible fix in future updates but no immediate action.

https://www.theregister.com/2025/03/18/microsoft_trend_flaw/

Botnet Targets Basic Auth in Microsoft 365 Password Spray Attacks

Botnet of 130,000 devices targets Microsoft 365 via password-spray attacks on Basic Authentication, evading multi-factor authentication. Attackers use stolen credentials to exploit Basic Auth, which transmits credentials in plaintext and bypasses MFA. Security experts recommend disabling Basic Auth and strengthening access controls to mitigate risks. Possible links to Chinese threat actors have been identified.

https://www.bleepingcomputer.com/news/security/botnet-targets-basic-auth-in-microsoft-365-password-spray-attacks/

Microsoft February 2025 Patch Tuesday Fixes 4 Zero-days, 55 Flaws

Microsoft's February 2025 Patch Tuesday includes security updates for 55 vulnerabilities, with 4 zero-day flaws, two of which are actively exploited. Highlights are 19 elevation of privilege and 22 remote code execution vulnerabilities. Specific zero-days addressed include one posing file deletion risks (CVE-2025-21391) and another granting SYSTEM privileges (CVE-2025-21418). Publicly disclosed zero-days include a UEFI bypass (CVE-2025-21194) and NTLM hash disclosure vulnerability (CVE-2025-21377). Additional updates were also released by other companies, such as Adobe and Google.

https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2025-patch-tuesday-fixes-4-zero-days-55-flaws/

Scroll to Top