Threat actors are increasingly targeting Microsoft 365 (M365) accounts by exploiting a sophisticated phishing technique known as OAuth device code phishing. This method leverages a legitimate Microsoft feature, the OAuth 2.0 device authorization flow, to trick users into granting unauthorized access to their accounts. Attackers are using this growing attack vector to steal sensitive data, compromise user accounts, and facilitate further network breaches.
The widespread adoption of this attack method was noted by cybersecurity researchers, with campaigns becoming particularly prevalent by September 2025. Multiple threat groups, ranging from financially motivated cybercriminals to state-affiliated actors, are employing this tactic. Phishing messages, often carrying URLs in buttons, hyperlinks, or QR codes, initiate the attack, luring victims into a deceptive process.
Understanding OAuth Device Code Phishing for M365 Security
The core of the OAuth device code phishing attack lies in its manipulation of the legitimate OAuth 2.0 device authorization flow. This flow is designed for devices with limited input capabilities, allowing users to authenticate with a service by entering a code on a separate, trusted device. Attackers exploit this by presenting victims with what appears to be a required security step, often disguised as a one-time password or security token.
Victims are typically directed to fake web pages that display these codes. They are then prompted to visit Microsoft’s genuine verification portal, microsoft.com/devicelogin, and input the provided code. Because the destination is an official Microsoft page, many users perceive the process as legitimate and proceed with authentication. This action, however, grants the attacker’s application an access token, effectively handing over control of the M365 account.
A key challenge with this attack is its reliance on legitimate Microsoft services. This makes detection extremely difficult for traditional security measures, which often monitor for suspicious external domains or known malicious IPs. The attack workflow begins with phishing emails that mimic legitimate communications, such as document sharing notifications or account security alerts. These emails may originate from compromised accounts or domains designed to appear authoritative.
Once a user clicks the malicious link, they are taken to a phishing page that imitates Microsoft services. After the victim enters their email address, the phishing kit initiates the OAuth device authorization flow against Microsoft’s infrastructure. A unique device code is then generated and shown on the fake page. The instructions to enter this code on the official Microsoft login page are crucial to the attack’s success.
Upon successful authentication with the device code, the attacker’s application can poll Microsoft’s servers for an access token. This token grants the threat actor extensive control over the victim’s M365 environment.
Proofpoint researchers have identified specific tools facilitating these campaigns. SquarePhish2, an updated phishing framework, automates the OAuth device authorization process, employing QR codes and attacker-controlled servers. This tool simplifies the attack for less experienced threat actors, enabling large-scale operations. Another identified kit, Graphish, creates fake login pages through Azure App Registrations and reverse proxy servers, facilitating adversary-in-the-middle attacks that can capture both credentials and session tokens.
Threat Actor Activities and Detection Challenges
Several threat groups are actively employing OAuth device code phishing. Proofpoint analysts noted that TA2723, a financially motivated group, began utilizing these attacks in October 2025, sending emails purportedly containing salary documents. These emails contained URLs leading to device code authorization pages.
State-aligned actors have also adopted this technique. The suspected Russia-aligned group UNK_AcademicFlare has conducted sophisticated social engineering campaigns using compromised government email addresses. These campaigns often link to Cloudflare Worker URLs that spoof OneDrive accounts and redirect victims to device code phishing workflows, specifically targeting government officials, think tank researchers, and university staff.
The effectiveness of this attack vector poses significant defense challenges. Traditional security tools may not flag the use of legitimate Microsoft login pages or the initial phishing emails as outright malicious, making user vigilance and advanced security configurations paramount.
Defensive Strategies Against OAuth Device Code Attacks
Organizations can implement several measures to defend against these evolving threats. Microsoft’s Conditional Access policies offer robust controls. Creating policies that completely block device code authentication flows can prevent these attacks. Alternatively, policies can be configured to limit these flows to approved users and specific IP address ranges, significantly reducing the attack surface.
Requiring sign-ins from compliant or registered devices through Conditional Access further strengthens defenses by preventing unauthorized access attempts. Beyond technical controls, user education is critical. Security awareness training needs to evolve from recognizing traditional phishing indicators to emphasizing the dangers of entering device codes from untrusted sources.
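Detection logic for the sign-in records such flows leave behind, as an added example that is not from the article or from Proofpoint: it walks constructed Microsoft Entra sign-in log entries, keeps successful sign-ins whose authenticationProtocol is deviceCode, and flags those by users or from IP addresses outside the allow-list that a Conditional Access exception of the kind described above would define. The field names are those of the Graph signIn resource; the allow-list values and the log entries themselves are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample entries shaped like Microsoft Entra sign-in log records
# (field names follow the Graph signIn resource; all values are made up here).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Room Display",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.78",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook Web",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.79",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 50126}},
]

# Assumed allow-list mirroring a Conditional Access exception: the users and
# IP ranges for which device code sign-ins are expected (placeholder values).
APPROVED_USERS = {"alice@example.com"}
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

Finding = namedtuple("Finding", "user ip app reasons")


def review_device_code_signins(records, approved_users, approved_ranges):
    """One Finding per successful device-code sign-in outside the approved
    users or IP ranges. Failed attempts (non-zero errorCode) are skipped:
    they are not token grants, though they may merit a separate alert."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        reasons = []
        if rec["userPrincipalName"] not in approved_users:
            reasons.append("user not approved for device code flow")
        if not any(ip in net for net in approved_ranges):
            reasons.append("sign-in IP outside approved ranges")
        if reasons:
            findings.append(Finding(rec["userPrincipalName"], rec["ipAddress"],
                                    rec.get("appDisplayName", "?"), tuple(reasons)))
    return findings
```

Running it over the constructed records reports only bob's sign-in; the same check applies to exported sign-in logs once the allow-list is replaced with the organization's real exception.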
The ongoing abuse of legitimate authentication mechanisms highlights the adaptive nature of threat actors. As security controls mature, attackers are finding innovative ways to bypass them by exploiting trusted workflows. The widespread use of OAuth device code phishing indicates that organizations must remain vigilant and continuously update their security postures to counter these sophisticated threats.