Beware! Hackers Are Exploiting OAuth Device Code to Scam Microsoft 365 Users



Hackers are abusing a legitimate Microsoft authentication feature to break into enterprise Microsoft 365 accounts, even when multifactor authentication is enabled.

Security researchers warn that attackers have begun exploiting Microsoft’s OAuth 2.0 device authorization flow, a process designed for devices like smart TVs or IoT hardware with limited input options. By misusing this workflow, attackers can gain direct account access without stealing passwords or intercepting MFA codes.

How the OAuth device code attack works

The phishing campaigns rely on tricking users into entering a device code on Microsoft’s real verification page. Victims receive messages presenting the code as a one-time password or urgent verification request.

Once the user enters the code, Microsoft’s system authorizes an access token for the attacker. This immediately grants control of the victim’s account, allowing data theft, lateral movement across corporate systems, and persistent long-term access to enterprise resources.

Because the login occurs on a legitimate Microsoft domain, many traditional phishing detection tools fail to flag the activity.

Widespread campaigns and state-backed activity

Researchers from Proofpoint have tracked multiple threat clusters using this technique since at least September 2025. These include both financially motivated cybercriminals and state-aligned actors.

Two phishing toolkits dominate these campaigns:

  • SquarePhish2, which includes QR code-based lures
  • Graphish, which automates the OAuth device code attack process

Financially motivated groups, such as TA2723, use themes like salary updates, benefits notices, and document sharing to lure victims. Proofpoint also identified Russia-aligned operations, including UNK_AcademicFlare, using similar methods.

Why this attack is hard to stop

This technique highlights a broader shift in cybercrime. Instead of stealing credentials, attackers now exploit modern authentication workflows themselves. Since MFA remains technically “enabled,” organizations may overlook the breach until significant damage occurs.

Experts warn enterprises must monitor OAuth device code usage closely, restrict unnecessary authentication flows, and educate users never to enter unsolicited verification codes, even on legitimate login pages.
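As an added illustration of the "monitor OAuth device code usage closely" advice (this is example code written for this page, not Proofpoint's or Microsoft's tooling), the script below runs a simple triage over sign-in records. The records are constructed samples modelled on Entra ID sign-in log entries: the field names (`authenticationProtocol`, `appId`, `ipAddress`, `status.errorCode`) follow that schema, while every value, including the app IDs in `EXPECTED_DEVICE_CODE_APPS`, is a placeholder the reader replaces with their tenant's own. It flags successful sign-ins that completed through the device code flow, rates them higher when the client app is not one the organization expects to use that flow, and then groups findings by source IP, since several users being authorized from one address is a stronger campaign signal than any single event.

```python
import json
from collections import defaultdict

# Constructed sample records modelled on Entra ID sign-in log entries (invented values,
# not real telemetry). "authenticationProtocol": "deviceCode" marks a sign-in that was
# completed through the OAuth 2.0 device authorization flow described in the article.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2025-09-12T08:01:44Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "appId": "APPID-OFFICE-PLACEHOLDER", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-09-12T08:03:10Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "appId": "APPID-OFFICE-PLACEHOLDER", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2025-09-12T09:15:02Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Azure CLI", "appId": "APPID-CLI-PLACEHOLDER", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}}
{"createdDateTime": "2025-09-12T09:40:31Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "appId": "APPID-OFFICE-PLACEHOLDER", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-09-12T10:02:57Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office", "appId": "APPID-OFFICE-PLACEHOLDER", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
"""

# Apps an organization legitimately expects to use the device code flow (for example CLI
# tooling on headless hosts). The IDs are placeholders; fill in the tenant's real list.
EXPECTED_DEVICE_CODE_APPS = {"APPID-CLI-PLACEHOLDER"}


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records, expected_apps):
    """Return one finding per successful device-code sign-in.

    Severity is "medium" when the client app is on the expected list and "high"
    otherwise: an Office or mail client being issued tokens through the device code
    flow is the pattern the phishing lures produce. Failed attempts (non-zero
    errorCode) are skipped here; they are worth a separate, lower-priority count.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        findings.append({
            "time": rec["createdDateTime"],
            "user": rec["userPrincipalName"],
            "app": rec["appDisplayName"],
            "ip": rec["ipAddress"],
            "severity": "medium" if rec["appId"] in expected_apps else "high",
        })
    return findings


def cluster_by_ip(findings):
    """Group findings by source IP, keeping only IPs that authorized two or more users.

    One address completing device-code sign-ins for several accounts points at a
    campaign rather than an isolated user action.
    """
    users_by_ip = defaultdict(set)
    for f in findings:
        users_by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= 2}


if __name__ == "__main__":
    recs = parse_signin_log(SAMPLE_SIGNIN_LOG)
    found = flag_device_code_signins(recs, EXPECTED_DEVICE_CODE_APPS)
    for f in found:
        print(f"{f['severity']:6} {f['time']} {f['user']} via {f['app']} from {f['ip']}")
    for ip, users in cluster_by_ip(found).items():
        print(f"shared source {ip}: {', '.join(users)}")
```

On the sample data this reports two high-severity events (alice and dave, both Office clients) and one medium (bob via an expected CLI app), and the IP clustering ties alice and dave to the same address. In production the same logic runs over an export of the sign-in log, and the allowlist is the control point: the smaller the set of apps that are expected to use device code at all, the closer a "high" finding is to the scenario in the article.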

This is also why Microsoft introduced its In Scope by Default plan, intended to catch exploits like this one faster in the future.

Via CSO Online
