Barracuda Networks Publishes its June 2026 Email Threat Radar
Posted: Tuesday, Jun 30

The latest email threats: real Microsoft login phishing, device code scams with a kill switch, split-click attacks, and the shift to malware delivery

Over the last month, Barracuda researchers have seen the following email threats targeting organisations and their employees:

  • Real Microsoft login phishing used to steal session tokens in Tycoon 2FA attack
  • PDF attachments used for device code phishing with a built-in kill switch
  • Sneaky 2FA ‘split-click’ phishing attack where one button has two outcomes
  • Shift from credential theft to malware delivery in phishing campaigns

Real Microsoft login page used to capture session tokens in Tycoon 2FA attack

How the attack works

Attackers are using a genuine Microsoft login page rather than a fake version to intercept users’ session tokens and access permissions, allowing them to access the victim’s email, online files and linked Microsoft 365 services.

Users receive a legitimate-looking warning that their inbox is nearly full, with a calendar invite to a meeting with Microsoft security. The meeting is not referred to in the main body of the email, which features a button to release emails that have been held back.

The button is a calendar invite that links to a genuine Microsoft login page — but one that is routed through the Tycoon 2FA phishing-as-a-service platform. In essence, the attackers have registered their own Microsoft account and are asking the victim to enter their details into that.

The user enters their credentials and receives a session token, which is captured by the attackers.

In a supplementary step victims are asked to enter their credentials again, but this time into a fake page — allowing attackers to also steal their password.

The techniques used in this Tycoon 2FA-based campaign help to boost the attackers’ chances of success:

  • Most phishing attacks rely on imitation pages. Here, attackers use a genuine Microsoft domain, which bypasses many security checks and can even deceive employees trained to spot spoofed URLs.
  • The capture of session tokens and OAuth permissions provides the attackers with immediate and persistent access.
  • Calendar invites are a rarely monitored attack vector, making them highly effective for bypassing traditional email defences.

For more technical teams:

In the weaponised OAuth authorisation stage, the victim is redirected to a legitimate Microsoft OAuth authorisation request for an application registered by the attackers. Researchers observed the following:

  • client_id ‘16d628a6-9445-4210-8e5b-527b7c9c6191’: This is a malicious application registered in Microsoft Entra by the attackers. It requests permissions scoped to Outlook and includes ‘offline_access’, which grants a refresh token for persistent access.
  • PKCE (code_challenge): The use of an S256 code challenge shows that the attackers’ infrastructure supports Proof Key for Code Exchange (PKCE), making the OAuth flow appear even more legitimate and consistent with modern authentication standards.
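
The indicators listed above can be checked mechanically on the authorisation URL a user is sent to. The following is an added example, not Barracuda's code: it parses a Microsoft identity platform /authorize URL and reports whether the host is genuine, whether the client_id is on the organisation's approved list, whether the offline_access scope (refresh token) is requested and whether PKCE is present. The approved-app list, the benign URL and the redirect host are constructed placeholders; the client_id in the malicious sample is the one reported above, and the code_challenge value is the example from RFC 7636.

```python
"""Triage of an OAuth /authorize URL for consent-phishing indicators (added example)."""
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist of application ids the organisation has approved.
APPROVED_CLIENT_IDS = {
    "00000000-0000-0000-0000-000000000001",  # placeholder id for an approved app
}

# Host a genuine Microsoft identity platform authorisation URL uses.
IDENTITY_HOSTS = {"login.microsoftonline.com"}


def triage_authorize_url(url: str) -> dict:
    """Return the indicators found in one OAuth authorisation URL."""
    parsed = urlparse(url)
    # parse_qs yields lists; keep the first value of each parameter.
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    scopes = set(params.get("scope", "").split())
    client_id = params.get("client_id")
    findings = {
        "genuine_identity_host": parsed.hostname in IDENTITY_HOSTS,
        "client_id": client_id,
        "client_approved": client_id in APPROVED_CLIENT_IDS,
        "redirect_host": urlparse(params.get("redirect_uri", "")).hostname,
        "persistent_access": "offline_access" in scopes,
        "pkce": "code_challenge" in params and params.get("code_challenge_method") == "S256",
    }
    # The decisive combination: a genuine Microsoft host (which passes URL checks)
    # carrying a request from an unapproved app that asks for a refresh token.
    findings["suspicious"] = not findings["client_approved"] and findings["persistent_access"]
    return findings


# Constructed sample of the pattern described above (redirect host is a placeholder).
MALICIOUS_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=16d628a6-9445-4210-8e5b-527b7c9c6191"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcallback.example.invalid%2Fauth"
    "&scope=openid%20offline_access%20Mail.Read"
    "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    "&code_challenge_method=S256"
)

# Constructed benign sample: an approved app requesting no refresh token.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001"
    "&response_type=code&scope=openid%20User.Read"
)

if __name__ == "__main__":
    for name, url in (("malicious", MALICIOUS_URL), ("benign", BENIGN_URL)):
        print(name, triage_authorize_url(url))
```

PKCE is reported but never counted against the request: as the text notes, its presence makes the flow look more legitimate, so the only reliable signals are the application identity and the scopes it asks for. In practice the allowlist would be fed from the tenant's enterprise application inventory and the check run on URLs extracted from mail and calendar items.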

PDFs abused for device code phishing attacks with built-in kill switch

How the attack works

The attackers have removed suspicious links from the main body of the phishing email and placed them in a PDF attachment where they are less likely to be spotted by URL scanners.

In the campaign seen by Barracuda researchers, the email asks the recipient to open an attachment relating either to a compliance or payment issue. A link in the PDF takes the user to a fake device authentication flow that captures their credentials and business email address.

Previously reported device code phishing attacks used real Microsoft APIs. In this campaign, the attackers generate fake device codes locally in the browser, mimicking the legitimate device code authorisation flow that victims will recognise from linking apps and devices to their Microsoft accounts.

The use of a CAPTCHA blocks automated scanning and sandbox detection and ensures that only real users reach the phishing stage.

The campaign is also notable for its short-lived infrastructure. The phishing pages are self-expiring and disappear automatically after a set time, which limits forensic analysis and post-event detection.
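
Because the lure link has moved out of the message body, a scanner has to extract link targets from the attachment itself, and it has to do so before any URL is visited, since the pages expire. The following is an added example, not Barracuda's code: it pulls /URI link actions out of a raw PDF, including ones inside Flate-compressed object streams, and lists any target whose host is not on a trusted list. The sample PDF is constructed in build_sample_pdf() and its lure host is a placeholder; the simplified parser handles literal-string URIs and Flate streams only, not hex strings or other filters.

```python
"""Extract link targets from a PDF attachment before any URL is visited (added example)."""
import re
import zlib
from urllib.parse import urlparse

# /URI (literal string); allows backslash-escaped characters inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# stream ... endstream bodies; decompressobj tolerates the trailing newline.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs."""
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_pdf_uris(data: bytes) -> list[str]:
    """Return every /URI target in plain objects and in FlateDecode streams."""
    found = [_unescape(m) for m in URI_RE.findall(data)]
    for body in STREAM_RE.findall(data):
        try:
            inflated = zlib.decompressobj().decompress(body)
        except zlib.error:
            continue  # not a Flate stream (image data, other filters)
        found.extend(_unescape(m) for m in URI_RE.findall(inflated))
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def untrusted_uris(uris: list[str], trusted_hosts: set[str]) -> list[str]:
    """Targets whose host is not on the trusted list (candidates for blocking)."""
    return [u for u in uris if urlparse(u).hostname not in trusted_hosts]


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF: one visible link annotation plus a compressed
    object stream carrying a second /URI, as a scanner would have to handle."""
    link = (b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 72 300 96]"
            b" /A << /S /URI /URI (https://device-verify.example.invalid/login) >> >>\nendobj\n")
    hidden = b"<< /S /URI /URI (https://microsoft.com/devicelogin) >>"
    packed = zlib.compress(hidden)
    objstm = (b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
              + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n")
    return b"%PDF-1.7\n" + link + objstm + b"%%EOF\n"


if __name__ == "__main__":
    uris = extract_pdf_uris(build_sample_pdf())
    print("links:", uris)
    print("untrusted:", untrusted_uris(uris, {"microsoft.com"}))
```

The point of the trusted-host comparison is the one made above about fake device codes: a page that imitates the device authorisation flow but is served from a host outside Microsoft's is the tell, regardless of how convincing the code display is.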

Sneaky 2FA attack features rare ‘split-click’ technique where one button has two outcomes

How the attack works

Barracuda researchers encountered an email attack featuring a single button that behaved differently depending on where the user clicks.

The email warns users that their mailbox is full, and the message includes a “Resolve Issue” button.

Clicking the top half of the button opens a legitimate Microsoft page, while clicking the bottom half triggers a malicious redirect.

The malicious option opens a blob URL (a browser-generated web page) that redirects via a link to a phishing page belonging to the Sneaky 2FA phishing-as-a-service platform. This is where the attackers capture credentials and other sensitive information.

The split-click interaction is a rarely seen technique. It is used to evade automated link analysis and ensure testing tools can only see the safe version.

Blob URLs are generated dynamically by the browser and are harder to inspect or block using traditional tools.
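
The two evasions described here, a single button with two click regions and a blob: URL built in the browser, can both be surfaced from static HTML. The following is an added example, not Barracuda's code. The text does not say how the two-outcome button was built; this assumes the usual way to give one image several click regions, an HTML image map, and flags any map whose area targets resolve to more than one host. It also counts scripts that build blob: URLs and lists links whose target is a blob: or javascript: URL. Both HTML samples are constructed and their non-Microsoft hosts are placeholders.

```python
"""Audit message or landing-page HTML for split-click buttons and blob URLs (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOB_MARKERS = ("URL.createObjectURL", "new Blob(", "blob:")


class HtmlAuditor(HTMLParser):
    """Collect image maps, anchors and inline scripts from an HTML document."""

    def __init__(self):
        super().__init__()
        self.maps = {}           # map name -> list of (coords, href)
        self.anchor_hrefs = []
        self.scripts = []        # one joined string per <script> element
        self._map = None
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "map":
            self._map = a.get("name") or a.get("id") or f"map{len(self.maps)}"
            self.maps[self._map] = []
        elif tag == "area" and self._map is not None:
            self.maps[self._map].append((a.get("coords", ""), a.get("href", "")))
        elif tag == "a":
            self.anchor_hrefs.append(a.get("href") or "")
        elif tag == "script":
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "map":
            self._map = None
        elif tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def audit_html(html: str) -> dict:
    """Return split-click image maps, blob-building scripts and blob/js links."""
    p = HtmlAuditor()
    p.feed(html)
    p.close()
    split_click = []
    for name, areas in p.maps.items():
        hosts = {urlparse(href).hostname for _, href in areas if href}
        hosts.discard(None)  # relative targets carry no host
        if len(hosts) > 1:   # one button, click regions leading to different hosts
            split_click.append({"map": name, "hosts": sorted(hosts), "areas": areas})
    return {
        "split_click_maps": split_click,
        "blob_scripts": sum(1 for s in p.scripts if any(m in s for m in BLOB_MARKERS)),
        "blob_or_js_links": [h for h in p.anchor_hrefs if h.startswith(("blob:", "javascript:"))],
    }


# Constructed message HTML in the shape described above: one "Resolve Issue"
# image whose upper region goes to Microsoft and whose lower region goes elsewhere.
SAMPLE_MESSAGE = """
<p>Your mailbox is almost full.</p>
<img src="cid:button.png" usemap="#resolve" alt="Resolve Issue">
<map name="resolve">
  <area shape="rect" coords="0,0,220,24" href="https://login.microsoftonline.com/">
  <area shape="rect" coords="0,24,220,48" href="https://mailbox-resolve.example.invalid/go">
</map>
"""

# Constructed landing page that builds a blob: document and navigates to it.
SAMPLE_LANDING = """
<script>
  var page = new Blob(["Loading"], {type: "text/html"});
  location.href = URL.createObjectURL(page);
</script>
"""

if __name__ == "__main__":
    print(audit_html(SAMPLE_MESSAGE))
    print(audit_html(SAMPLE_LANDING))
```

A link-analysis tool that follows only the first href of a button sees the safe target; comparing every click region of the same image is what exposes the split. Blob: URLs cannot be resolved or reputation-checked, so the script that creates one is the artefact to record, not the URL itself.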

Emerging tactics: Phishing shifts from credential capture to malware

A steganographic JavaScript disguised as a harmless PDF

Barracuda researchers uncovered a phishing attack where the typical ‘fake invoice’ download turns out to be a malicious script. The attack email appears to be a routine invoice notification, presenting victims with a link to a fake document named “Invoice.pdf (11.3 KB).”

However, instead of delivering an invoice, the link triggers the download of a malicious JavaScript file. The script hides its malicious code in the fake document using steganography and obfuscation. Once executed, it can load additional malware, gather system information, establish persistence, and communicate with attacker-controlled infrastructure.

Impersonation attack delivers fileless malware

In this campaign, the attackers impersonate the Social Security Administration to distribute a malicious JavaScript file disguised as a payment receipt PDF. The heavily obfuscated script reconstructs a hidden URL, retrieves a second-stage payload from a remote server, and executes it directly in memory using Windows ActiveX components.

By avoiding file drops and leveraging in-memory execution, the malware reduces its visibility to traditional security tools and can be used to deliver credential stealers, banking trojans or other malicious payloads.
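
Both of the script campaigns above share a detectable shape before anything executes: a document-looking name on a script extension, content that is not a PDF at all, and script indicators such as COM object instantiation, a shell or HTTP object, dynamic evaluation and string reassembly. The following is an added example, not Barracuda's code, that scores an attachment on those points. The sample script is constructed and inert, and the sample filename is constructed to mimic the "Invoice.pdf (11.3 KB)" lure text; the weights are arbitrary.

```python
"""Triage a downloaded 'document' that is really a script (added example)."""
import os
import re

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
DOCUMENT_HINTS = (".pdf", ".doc", ".xls", "invoice", "receipt", "payment")

# Indicators drawn from the behaviours described above; each hit adds one point.
INDICATORS = {
    "activex": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "shell_or_fs": re.compile(r"WScript\.Shell|Shell\.Application|Scripting\.FileSystemObject", re.I),
    "http_client": re.compile(r"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|XMLHttpRequest", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\(", re.I),
    "string_assembly": re.compile(r"String\.fromCharCode|unescape\s*\(|\.reverse\s*\(\s*\)\s*\.join", re.I),
    "long_encoded": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Score one attachment: 'block' when name and content disagree or when a
    script carries several malware-style indicators, 'review' for a bare script."""
    ext = os.path.splitext(filename)[1].lower()
    lowered = filename.lower()
    is_script = ext in SCRIPT_EXTS
    disguised = is_script and any(h in lowered for h in DOCUMENT_HINTS)
    claims_pdf = ".pdf" in lowered
    looks_like_pdf = data.startswith(b"%PDF-")     # PDF magic bytes
    text = data.decode("latin-1")                  # never fails; scripts are ASCII-ish
    hits = [k for k, rx in INDICATORS.items() if rx.search(text)]
    score = (3 if disguised else 0) + (2 if claims_pdf and not looks_like_pdf else 0) + len(hits)
    if is_script:
        score += 1
    return {
        "extension": ext,
        "disguised_name": disguised,
        "content_is_pdf": looks_like_pdf,
        "indicators": hits,
        "score": score,
        "verdict": "block" if score >= 3 else ("review" if score > 0 else "allow"),
    }


# Constructed, inert sample with the shape of the scripts described above:
# COM objects instantiated, a hostname assembled from character codes, eval used.
SAMPLE_SCRIPT = b"""
var http = new ActiveXObject("MSXML2.XMLHTTP");
var sh = new ActiveXObject("WScript.Shell");
var host = String.fromCharCode(101, 120) + "ample.invalid";
eval("1 + 1");
"""

if __name__ == "__main__":
    print(triage_attachment("Invoice.pdf (11.3 KB).js", SAMPLE_SCRIPT))
    print(triage_attachment("Invoice.pdf", b"%PDF-1.4\n%%EOF\n"))
```

The magic-byte check is what catches the "receipt PDF" that is really a script even when the name is clean, and it costs nothing compared with detonating the file; the indicator list is a starting point for a gateway rule, not a substitute for endpoint script-execution controls.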

Multi-step Microsoft impersonation to boost deception

Researchers also observed an attack where an HTML file led the recipient to a fake OneDrive, which in turn took them to an Excel login. This kind of multi-step redirection improves credential theft success rates by effectively hiding malicious intent.

How to stay safe from these attacks

  • Protect identities and session tokens, not just passwords.
  • Extend detection beyond email to calendar, attachments and login flows.
  • Use behavioural detection to catch evasive attacks.
  • Invest in attachment and endpoint protection for fileless and embedded threats.
  • Enable rapid response, as attacks are short-lived and hard to trace.
  • Update training to reflect real-world phishing techniques now bypassing traditional controls.