In the Cloud there is no network perimeter. The only thing standing between an attacker in Nigeria and your email (Office 365) is your Identity Provider: Azure AD. Attackers don't "hack" into Azure; they log in, with credentials or tokens they have obtained from a user.
1. Device Code Phishing
1. Attacker sends email: "You must update your TV".
2. User clicks the link. It shows a code.
3. User logs into the legitimate Microsoft page `microsoft.com/devicelogin` and enters the code.
4. Result: the user has just authenticated the ATTACKER'S session. The attacker now holds a valid Refresh Token (good for 90 days) on their Kali Linux machine. MFA is bypassed because the user satisfied it on a genuine Microsoft page, so the tokens issued to the attacker carry the MFA claim.
2. Illicit Consent Grant
Attackers register a malicious App ("Cool Calendar Optimizer").
They trick users into "Consenting" to give the app permissions such as `Read Mail` and `Read Contacts`.
It looks like a standard OAuth consent prompt because it is one; only the app behind it is malicious.
Once the user clicks Accept, the attacker has persistent API access to the user's email through the consent grant, without ever needing the password; the access survives a password change and lasts until the grant is revoked.
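As an added example (not part of the original text), here is a small Python triage that looks for the footprints of both techniques above in sign-in and audit records. The field names `authenticationProtocol`, `clientAppUsed`, `conditionalAccessStatus` and `location.countryOrRegion` follow the Microsoft Graph `signIn` resource and `activityDisplayName` follows `directoryAudit`; the flattened `consentType` and `permissions` keys are my simplification of the audit payload, and every record is constructed for the demo.

```python
"""Triage of constructed Entra ID (Azure AD) sign-in and audit records for
device-code sign-ins, legacy-protocol sign-ins, and user consent grants that
hand a third-party app mailbox scopes. All sample data is constructed."""

# Constructed sample sign-in log records (shape follows the Graph signIn resource).
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "deviceCode",            # device code flow was used
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "location": {"countryOrRegion": "NG"},
     "conditionalAccessStatus": "notApplied"},
    {"id": "s2", "userPrincipalName": "bob@contoso.example",
     "authenticationProtocol": "oAuth2",
     "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"},
     "conditionalAccessStatus": "success"},
    {"id": "s3", "userPrincipalName": "carol@contoso.example",
     "authenticationProtocol": "none",
     "clientAppUsed": "IMAP4",                         # basic auth, MFA impossible
     "location": {"countryOrRegion": "US"},
     "conditionalAccessStatus": "notApplied"},
    {"id": "s4", "userPrincipalName": "dave@contoso.example",
     "authenticationProtocol": "deviceCode",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "location": {"countryOrRegion": "US"},
     "conditionalAccessStatus": "failure"},            # CA already blocked it
]

# Constructed sample audit records. activityDisplayName follows the Graph
# directoryAudit resource; consentType/permissions are flattened here from the
# modifiedProperties payload for readability (an assumption, not the raw schema).
AUDITS = [
    {"id": "a1", "activityDisplayName": "Consent to application",
     "app": "Cool Calendar Optimizer", "consentType": "Principal",
     "permissions": ["Mail.Read", "Contacts.Read", "offline_access"]},
    {"id": "a2", "activityDisplayName": "Consent to application",
     "app": "Corporate Expense Tool", "consentType": "AllPrincipals",
     "permissions": ["User.Read"]},
    {"id": "a3", "activityDisplayName": "Update user",
     "app": None, "consentType": None, "permissions": []},
]

# Client strings the sign-in log uses for basic-auth (legacy) protocols.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
# Delegated scopes that give an app a user's mailbox, contacts or files.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read", "Files.Read.All"}
EXPECTED_COUNTRIES = {"US"}


def triage_sign_ins(records, expected_countries=EXPECTED_COUNTRIES):
    """Return (id, user, reasons) for sign-ins that CA did not block and that
    show at least one of the risk indicators discussed in the text."""
    findings = []
    for r in records:
        reasons = []
        if r.get("authenticationProtocol") == "deviceCode":
            reasons.append("device code flow")
        if r.get("clientAppUsed") in LEGACY_CLIENTS:
            reasons.append("legacy auth client")
        country = r.get("location", {}).get("countryOrRegion")
        if country and country not in expected_countries:
            reasons.append(f"sign-in from {country}")
        # A sign-in that Conditional Access already blocked is noise for this triage.
        if reasons and r.get("conditionalAccessStatus") != "failure":
            findings.append((r["id"], r["userPrincipalName"], reasons))
    return findings


def triage_consents(records, sensitive=SENSITIVE_SCOPES):
    """Return (id, app, risky_scopes) for user-level consents ('Principal',
    as opposed to an admin-granted 'AllPrincipals') that include sensitive scopes."""
    findings = []
    for r in records:
        if r.get("activityDisplayName") != "Consent to application":
            continue
        risky = sorted(sensitive & set(r.get("permissions") or []))
        if risky and r.get("consentType") == "Principal":
            findings.append((r["id"], r["app"], risky))
    return findings


if __name__ == "__main__":
    for finding in triage_sign_ins(SIGN_INS):
        print("sign-in", *finding)
    for finding in triage_consents(AUDITS):
        print("consent", *finding)
```

On the sample data the sign-in triage surfaces the device-code sign-in from Nigeria and the IMAP4 sign-in, while the consent triage surfaces only the user-level grant to "Cool Calendar Optimizer"; the admin-granted `User.Read` consent and the CA-blocked device-code attempt are left alone so the queue stays small. In a real tenant the same two filters map onto a sign-in log query on `authenticationProtocol` and an audit log query on the consent activity, and the revocation action for a bad consent is deleting the `oauth2PermissionGrant`.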
3. Defense: Conditional Access
You must configure CA Policies. They are the control that decides whether a sign-in is allowed even after the password and MFA check out.
- Block Legacy Auth: disable IMAP/POP3 and the other basic-authentication protocols. They cannot perform MFA, so the only useful CA outcome for them is block.
- Geo-Blocking: block logins from countries you don't do business in, using a named location for the countries you do.
- Require Compliant Device: only allow logins from corporate-managed laptops (enrolled in Intune and marked compliant). A token obtained on an attacker's own unmanaged machine does not satisfy this check.
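As an added example (not part of the original text), the three policies above are written out as Microsoft Graph `conditionalAccessPolicy` request bodies, followed by a deliberately simplified evaluator that shows how they combine: any matching block wins, and every grant control of every matching policy must be satisfied. The evaluator is my teaching model, not Microsoft's engine (it ignores the users/applications conditions, which are set to All); the named-location id is a placeholder and `ALLOWED_COUNTRIES` stands in for that named location.

```python
"""The three Conditional Access policies from the text as Graph API
conditionalAccessPolicy bodies, plus a simplified evaluator. The named-location
id is a placeholder; ALLOWED_COUNTRIES stands in for it. This is a teaching
model of how CA combines policies, not Microsoft's evaluation engine."""

LOCATION_PLACEHOLDER = "<named-location-id for allowed countries>"
ALLOWED_COUNTRIES = {"US", "GB"}  # constructed stand-in for that named location

POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    # exchangeActiveSync + other cover the basic-auth protocols
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block sign-ins from unexpected countries", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    # include everywhere, exclude the named location you operate in
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": [LOCATION_PLACEHOLDER]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def _client_matches(conditions, client_app_type):
    types = conditions.get("clientAppTypes", ["all"])
    return "all" in types or client_app_type in types


def _location_matches(conditions, country):
    loc = conditions.get("locations")
    if loc is None:
        return True                       # no location condition: always applies
    included = "All" in loc.get("includeLocations", [])
    # The excluded named location is modelled as the allow-list of countries.
    excluded = (LOCATION_PLACEHOLDER in loc.get("excludeLocations", [])
                and country in ALLOWED_COUNTRIES)
    return included and not excluded


def evaluate(sign_in, policies=POLICIES):
    """sign_in: {'clientAppType': str, 'country': str, 'deviceCompliant': bool}.
    Returns (decision, names of the policies whose conditions matched)."""
    required, applied = set(), []
    for p in policies:
        if p["state"] != "enabled":
            continue
        c = p["conditions"]
        if _client_matches(c, sign_in["clientAppType"]) and _location_matches(c, sign_in["country"]):
            applied.append(p["displayName"])
            required.update(p["grantControls"]["builtInControls"])
    if "block" in required:
        return "blocked", applied         # a block from any matching policy wins
    if "compliantDevice" in required and not sign_in["deviceCompliant"]:
        return "blocked", applied         # control required but not satisfied
    return "allowed", applied


if __name__ == "__main__":
    cases = [
        {"clientAppType": "other", "country": "US", "deviceCompliant": True},    # IMAP from the office
        {"clientAppType": "browser", "country": "NG", "deviceCompliant": True},  # browser from abroad
        {"clientAppType": "browser", "country": "US", "deviceCompliant": False}, # unmanaged laptop
        {"clientAppType": "browser", "country": "US", "deviceCompliant": True},  # the only allowed one
    ]
    for case in cases:
        print(case, "->", evaluate(case))
```

The four constructed cases show the interaction the text is after: a legacy IMAP client is blocked even from an allowed country, a browser from an unexpected country is blocked even on a compliant device, and a browser from an allowed country on an unmanaged device is still blocked, so only the compliant, in-region, modern-auth sign-in gets through. When you create the real policies, keep one excluded emergency-access account out of every block policy and test in report-only state first, or the geo and device policies can lock out the administrators who wrote them.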