Threat actors are now targeting Microsoft 365 accounts using a growing attack method known as OAuth device code phishing.
This technique takes advantage of the OAuth 2.0 device authorization flow, a legitimate Microsoft feature designed for devices with limited input options.
Attackers trick users into entering a code on Microsoft's genuine login page; completing that step authorizes the attacker-controlled application, giving it access to the victim's M365 account.
Once inside, hackers can take over accounts, steal sensitive data, and move across networks.
Multiple threat groups are behind these attacks, ranging from financially motivated criminals to state-backed hackers.
They use phishing messages with URLs embedded in buttons, hyperlinks, or QR codes to start the attack.
When victims click these links, they land on fake pages that display the user code from a device code request the attacker has already started. The code is presented as a one-time password or security token, and the page instructs the user to enter it on Microsoft’s legitimate verification page at microsoft.com/devicelogin.
By September 2025, these campaigns became widespread, marking a sharp increase from earlier targeted attacks.
Proofpoint researchers identified two main tools driving these campaigns. SquarePhish2, an updated version of an older phishing framework, automates the OAuth device authorization process using QR codes and attacker-controlled servers.
The tool sends victims a fake authentication email, followed by a second message containing the device code.
Its easy setup allows even less skilled attackers to run large-scale operations. The Graphish phishing kit operates differently by creating fake login pages through Azure App Registrations and reverse proxy servers.
This approach enables adversary-in-the-middle attacks that capture both login credentials and session tokens when users complete multi-factor authentication challenges.
Attack Workflow and Technical Execution
The attack begins when users receive phishing emails that appear to be document sharing notifications or account security alerts. These messages come from compromised email addresses or attacker-controlled domains designed to look legitimate.
Clicking the embedded link redirects victims to a phishing page that mimics Microsoft services. The page asks users to enter their email address, which triggers the OAuth device authorization flow on Microsoft’s infrastructure.
A unique device code is then generated and displayed on the fake page. The user receives instructions to visit microsoft.com/devicelogin and enter this code.
Since this is Microsoft’s real authentication portal, users often trust the process. Once they enter the code and authenticate, including any MFA prompt, the attacker’s application, which has been polling Microsoft’s token endpoint with the matching device code, receives an access token and, if it requested the offline_access scope, a refresh token as well.
These tokens give the threat actor access to the victim’s M365 account within whatever scopes the application requested, with MFA already satisfied by the victim’s own sign-in. Because every step runs on legitimate Microsoft infrastructure, traditional controls such as URL reputation filtering and credential-phishing detection see little to flag.
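The exchange described above, as an added example that is not part of the original article or of any tool it names: an in-process simulation of the OAuth 2.0 device authorization flow (RFC 8628) with both sides present. The mock server, the client ID, the victim identity and the token values are all constructed here; nothing contacts Microsoft. The point it makes is the one that matters for defenders: the server records who approved the user code, but the tokens go to whichever client holds the matching device code, and the server cannot tell that the code arrived via a phishing page.

```python
"""Added example: an in-process simulation of the OAuth 2.0 device authorization
flow (RFC 8628) as abused in device code phishing. The server, client ID, user
and token values are all constructed here; nothing talks to Microsoft."""
import secrets
import string
from typing import Dict

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
AUTHORIZATION_PENDING = "authorization_pending"
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits  # 9-char codes, an assumed format


class MockAuthorizationServer:
    """Stand-in for the real authorization server (constructed for this example)."""

    def __init__(self) -> None:
        self._pending: Dict[str, dict] = {}     # device_code -> pending request
        self._user_codes: Dict[str, str] = {}   # user_code -> device_code

    def devicecode(self, client_id: str, scope: str) -> dict:
        """POST /oauth2/v2.0/devicecode: the attacker's app starts the flow."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {"client_id": client_id, "scope": scope,
                                      "user_code": user_code, "approved_by": None}
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": 900, "interval": 5}

    def devicelogin(self, user_code: str, authenticated_user: str) -> bool:
        """The victim's step: the code is typed at the genuine verification page after
        a normal password + MFA sign-in. The server records who approved the code; it
        has no way to know the code was lifted from a phishing page."""
        device_code = self._user_codes.get(user_code)
        if device_code is None:
            return False
        self._pending[device_code]["approved_by"] = authenticated_user
        return True

    def token(self, client_id: str, grant_type: str, device_code: str) -> dict:
        """POST /oauth2/v2.0/token: whoever holds the device_code collects the tokens."""
        pending = self._pending.get(device_code)
        if grant_type != DEVICE_CODE_GRANT or pending is None or pending["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if pending["approved_by"] is None:
            return {"error": AUTHORIZATION_PENDING}
        user = pending["approved_by"]
        return {"token_type": "Bearer", "scope": pending["scope"],
                "access_token": f"constructed-access-token-for-{user}",
                "refresh_token": secrets.token_urlsafe(32)}


def run_phish(server: MockAuthorizationServer, victim: str,
              approve_on_poll: int = 2, max_polls: int = 10) -> dict:
    """Attacker side: start the flow, display user_code on the lure, poll until the
    victim approves. A real client sleeps `interval` seconds between polls; the wait
    is skipped here and the victim's approval is simulated at a fixed poll number."""
    client_id = "constructed-attacker-app-id"
    start = server.devicecode(client_id, "openid profile offline_access")
    for poll in range(1, max_polls + 1):
        resp = server.token(client_id, DEVICE_CODE_GRANT, start["device_code"])
        if resp.get("error") != AUTHORIZATION_PENDING:
            return {"polls": poll, "user_code": start["user_code"], "token": resp}
        if poll == approve_on_poll:
            server.devicelogin(start["user_code"], victim)  # victim falls for the lure
    return {"polls": max_polls, "user_code": start["user_code"], "token": {"error": "expired_token"}}


if __name__ == "__main__":
    print(run_phish(MockAuthorizationServer(), "alice@contoso.example"))
```

Note that `devicelogin` never sees the attacker: the only parties in the approval are the victim's browser and the real verification page, which is exactly why the flow passes MFA and why the server-side log of the approval looks like an ordinary sign-in.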
Proofpoint analysts noted that threat actor TA2723, a financially motivated group known for high-volume credential phishing, started using OAuth device code attacks in October 2025.
The group sent emails claiming to contain salary documents with URLs leading to device code authorization pages.
State-aligned actors have also adopted this technique, with suspected Russia-aligned group UNK_AcademicFlare conducting sophisticated social engineering campaigns.
They use compromised government email addresses to build trust before sending Cloudflare Worker URLs that spoof OneDrive accounts.
These URLs redirect victims to device code phishing workflows designed to steal credentials from government officials, think tank researchers, and university staff.
Organizations can defend against these attacks by creating Conditional Access policies that use the authentication flows condition to block the device code flow completely, or to limit it to approved users and trusted IP ranges.
Requiring sign-ins from compliant or registered devices adds a further barrier. User training needs to shift from traditional phishing awareness to emphasizing the danger of entering device codes from untrusted sources, since the login page itself is genuine and the usual "check the URL" advice does not help.
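A concrete form of the first control above, as an added example that is not from the original article: a Conditional Access policy body in the Microsoft Graph conditionalAccessPolicy shape that blocks the device code flow for everyone except an approved group and a trusted named location, together with a local evaluator that applies the same rule to sign-in log records and a small hunting helper. The group and location IDs, the IP ranges behind the named location, and the sign-in records are all constructed; the `groupIds` field is not a real signIn property and stands in for the group lookup you would do separately. The evaluator approximates Entra's own policy engine and is meant for reasoning about what the policy would do, not as a replacement for report-only mode.

```python
"""Added example: a Conditional Access policy body (Microsoft Graph
conditionalAccessPolicy shape) blocking the device code flow except for an
approved group and a trusted named location, plus a local evaluator that applies
the same rule to sign-in records. All IDs, ranges and sign-ins are constructed."""
import ipaddress
from typing import Dict, List

APPROVED_GROUP_ID = "11111111-1111-1111-1111-111111111111"    # constructed group object ID
TRUSTED_LOCATION_ID = "22222222-2222-2222-2222-222222222222"  # constructed named location ID
# Constructed ranges standing in for the named location above (RFC 5737 test network).
NAMED_LOCATIONS = {TRUSTED_LOCATION_ID: [ipaddress.ip_network("203.0.113.0/24")]}

# Body you would POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
BLOCK_DEVICE_CODE_POLICY: Dict = {
    "displayName": "Block device code flow except approved users and trusted IPs",
    "state": "enabled",  # start with enabledForReportingButNotEnforced and review the sign-in logs first
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [APPROVED_GROUP_ID]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": [TRUSTED_LOCATION_ID]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed records shaped like Graph signIn objects. `groupIds` is not a signIn
# property; it stands in for the group membership lookup done out of band.
SAMPLE_SIGNINS: List[Dict] = [
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.23", "appDisplayName": "Microsoft Office", "groupIds": []},
    {"userPrincipalName": "kiosk01@contoso.example", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.40", "appDisplayName": "Microsoft Teams", "groupIds": [APPROVED_GROUP_ID]},
    {"userPrincipalName": "bob@contoso.example", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Office", "groupIds": []},
    {"userPrincipalName": "carol@contoso.example", "authenticationProtocol": "authorizationCode",
     "ipAddress": "198.51.100.23", "appDisplayName": "OfficeHome", "groupIds": []},
]


def in_excluded_location(policy: Dict, ip: str) -> bool:
    """True if the source IP falls inside any named location the policy excludes."""
    addr = ipaddress.ip_address(ip)
    for loc in policy["conditions"]["locations"]["excludeLocations"]:
        if any(addr in net for net in NAMED_LOCATIONS.get(loc, [])):
            return True
    return False


def would_block(policy: Dict, signin: Dict) -> bool:
    """True if this policy would block the sign-in: device code flow, user not in an
    excluded group, source IP not in an excluded named location, block control set."""
    cond = policy["conditions"]
    methods = cond["authenticationFlows"]["transferMethods"].split(",")
    if "deviceCodeFlow" not in methods or signin["authenticationProtocol"] != "deviceCode":
        return False
    if set(signin["groupIds"]) & set(cond["users"]["excludeGroups"]):
        return False
    if in_excluded_location(policy, signin["ipAddress"]):
        return False
    return "block" in policy["grantControls"]["builtInControls"]


def hunt_device_code_signins(signins: List[Dict]) -> List[str]:
    """Hunting helper: every device code sign-in, blocked or not, deserves a look
    while the policy is still in report-only mode."""
    return [s["userPrincipalName"] for s in signins if s["authenticationProtocol"] == "deviceCode"]


if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        verdict = "BLOCK" if would_block(BLOCK_DEVICE_CODE_POLICY, s) else "allow"
        print(f"{s['userPrincipalName']:28} {s['authenticationProtocol']:18} {s['ipAddress']:16} {verdict}")
```

Run against the constructed records, only alice's sign-in is blocked: kiosk01 is in the approved group, bob came from the trusted range, and carol did not use the device code flow at all. The hunting helper still returns all three device code sign-ins, which is the view you want while the policy runs in report-only mode and while you decide whether the "approved" exceptions are really needed.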
The abuse of legitimate authentication mechanisms shows how threat actors continue adapting their tactics to bypass modern security controls.
