Threat Groups Hijack Microsoft 365 Accounts Using OAuth Device Code Exploit


Dec 23, 2025
Technobezz

Security researchers warn that threat groups are exploiting Microsoft's OAuth device code authentication to bypass multi-factor protection and hijack enterprise accounts. The technique, with widespread campaigns observed since September 2025, allows attackers to gain persistent access to Microsoft 365 environments without stealing passwords or intercepting authentication codes.

Proofpoint researchers identified widespread campaigns using the OAuth 2.0 device authorization flow, a legitimate Microsoft feature designed for devices with limited input capabilities like smart TVs and IoT hardware. Attackers trick users into entering device codes on Microsoft's real verification page at microsoft.com/devicelogin, instantly granting unauthorized account access.

The phishing campaigns direct victims to legitimate Microsoft domains, bypassing traditional URL filters and user suspicion. According to Proofpoint analysis, attackers send emails containing unique codes disguised as one-time passwords or security verification requests, often using themes like salary updates, benefits notices, or document sharing.

Financially motivated group TA2723 began using OAuth device code attacks in October 2025, while Russia-aligned threat actor UNK_AcademicFlare has conducted similar campaigns since September. Both groups target government, military, think tank, and higher education sectors across the United States and Europe.

Attackers use off-the-shelf toolkits like SquarePhish2 and Graphish to industrialize operations. SquarePhish2 automates OAuth device authorization using QR codes and attacker-controlled servers, while Graphish creates convincing phishing pages through Azure App Registrations and reverse proxy setups.

Successful exploitation yields refresh tokens that provide persistent account access, enabling data theft, lateral movement across corporate networks, and long-term compromise. The technique represents a major evolution in phishing, shifting from password theft to abuse of trusted authentication workflows.

Microsoft faces a challenge because the device code flow is a standard feature, not a software bug that can be patched. Disabling it entirely would break functionality for legitimate devices like conference room equipment and smart displays.

Security experts recommend creating Conditional Access policies to block device code flow for all users or restrict it to approved users, operating systems, and IP ranges. Organizations should also require sign-ins from compliant or registered devices as an additional defense layer.

User awareness training must evolve beyond traditional URL checking, since these attacks use legitimate Microsoft domains. Employees need education about the danger of entering device codes from untrusted sources, even on authentic login pages.

The surge in device code phishing campaigns marks a shift from targeted operations to widespread attacks, with both state-sponsored and financially motivated actors adopting the technique. Security teams must monitor OAuth authorizations closely and extend protection to mobile endpoints where many lures reach users through QR codes and SMS.
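One concrete way to act on the monitoring and Conditional Access advice above is to review sign-in logs for device code authentications that fall outside an explicit allowlist. The script below is an added example, not code from Proofpoint, Microsoft or this article; it reads constructed records shaped like Entra ID sign-in log entries (the `authenticationProtocol` field with value `deviceCode` is the real Graph signIn property; all user names, IP ranges and the allowlist are made-up assumptions for the example).

```python
import ipaddress
import json

# Constructed sample records shaped like Microsoft Entra ID sign-in log entries
# (field names follow the Graph API signIn resource; all values are made up).
SAMPLE_SIGNINS_JSONL = """
{"id": "s1", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "deviceDetail": {"isCompliant": true}}
{"id": "s2", "userPrincipalName": "lobby-display@example.com", "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode", "deviceDetail": {"isCompliant": true}}
{"id": "s3", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "deviceDetail": {"isCompliant": false}}
{"id": "s4", "userPrincipalName": "lobby-display@example.com", "ipAddress": "198.51.100.9", "authenticationProtocol": "deviceCode", "deviceDetail": {}}
"""

# Hypothetical allowlist: the only identities (e.g. a conference room display)
# and networks that should ever complete the device code flow in this tenant.
APPROVED_DEVICE_CODE_USERS = {"lobby-display@example.com"}
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def ip_is_approved(ip):
    """True when the source address lies inside an approved network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def flag_device_code_signins(jsonl):
    """Return one finding per device-code sign-in that breaks the allowlist
    or comes from a device not marked compliant; other protocols are ignored."""
    findings = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if rec.get("userPrincipalName", "").lower() not in APPROVED_DEVICE_CODE_USERS:
            reasons.append("user not approved for device code flow")
        if not ip_is_approved(rec.get("ipAddress", "0.0.0.0")):
            reasons.append("source IP outside approved ranges")
        if rec.get("deviceDetail", {}).get("isCompliant") is not True:
            reasons.append("device not reported as compliant")
        if reasons:
            findings.append({"id": rec["id"], "user": rec["userPrincipalName"],
                             "ip": rec["ipAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS_JSONL):
        print(f["id"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

In a real tenant the same checks would run over exported sign-in logs, and a finding for an ordinary user account is the signal to revoke that account's refresh tokens and review its recent activity.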
