Microsoft 365 Accounts Hit by Surge of OAuth Phishing Schemes


Microsoft 365 accounts targeted in wave of OAuth phishing attacks

A variety of threat actors are exploiting Microsoft 365 accounts through phishing attacks utilizing the OAuth device code authorization system.

In these attacks, victims are misled into entering a device code on Microsoft’s genuine login page, unknowingly authorizing an attacker-controlled application to act on their account. Because the victim completes a legitimate sign-in, the attacker obtains access tokens for the account without stealing a password or bypassing multi-factor authentication (MFA).

While this technique is not novel, Proofpoint, an email security firm, reports a notable rise in such attacks since September. Both financially motivated cybercriminals such as TA2723 and state-sponsored actors are involved.


“Proofpoint Threat Research has noted multiple threat clusters utilizing device code phishing to deceive users into providing attackers access to their Microsoft 365 account,” the firm cautioned. They remarked that widespread campaigns employing these methods are “highly unusual.”

Tools and Campaigns

The attack chains observed by Proofpoint exhibit slight variations, yet all have a common thread: they deceive victims into entering device codes on Microsoft’s legitimate login portals.

In some variants the device code is presented to the victim as a one-time password; in others it is framed as a token reauthorization prompt.

Researchers identified two phishing kits used in these attacks: SquarePhish v1 and v2, as well as Graphish, which streamline the phishing operation.

SquarePhish is a publicly accessible red teaming tool targeting OAuth device grant authorization flows through QR codes, closely mimicking legitimate Microsoft MFA/TOTP setups.

Graphish is a malicious phishing kit that has been circulated in underground forums, facilitating OAuth abuse, Azure App Registrations, and adversary-in-the-middle (AiTM) attacks.

In terms of the campaigns observed by Proofpoint, three were highlighted in the report:

  • Salary Bonus Attacks – These campaigns utilize document-sharing lures alongside localized branding to tempt recipients into clicking links leading to attacker-controlled websites. Victims are then instructed to complete “secure authentication” by entering a provided code on the legitimate Microsoft device login page, thus authorizing the attacker-controlled application.
    [Image: Authorization page used in the attack. Source: Proofpoint]
  • TA2723 Attacks – This actor is involved in high-volume credential phishing and has previously spoofed platforms such as Microsoft OneDrive, LinkedIn, and DocuSign. They began employing OAuth device code phishing in October. Proofpoint suggests that the initial phases of these campaigns likely utilized SquarePhish2, with subsequent waves potentially moving to the Graphish phishing kit.
    [Image: TA2723’s OneDrive spoof. Source: Proofpoint]
  • State-Aligned Activity – Since September 2025, a suspected Russia-aligned threat actor identified as UNK_AcademicFlare has been exploiting OAuth device code authorization for account takeovers. This actor leverages compromised government and military email accounts to establish rapport before sharing links that spoof OneDrive, guiding victims through a device code phishing process. The activity primarily targets government, academic, think tank, and transportation sectors in the U.S. and Europe.
    [Image: Malicious email that follows a prior innocuous interaction. Source: Proofpoint]

To counter these attacks, Proofpoint advises organizations to use Microsoft Entra Conditional Access where feasible, and to consider policies that restrict where sign-ins may originate from.
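The mitigation advice above (Conditional Access plus sign-in origin policy) and the attack mechanism described earlier in the article suggest two practical checks a defender can run today: hunt the Entra ID sign-in logs for successful device code grants to unexpected apps or from unexpected countries, and prepare a Conditional Access policy that blocks the device code flow outright. The following Python is an added example written for this page, not code from the article, Proofpoint, or Microsoft. It assumes sign-in records exported in the shape of the Microsoft Graph `signIn` resource (where `authenticationProtocol` is `"deviceCode"` for device code sign-ins), and the Conditional Access body follows the Graph `conditionalAccessPolicy` schema with the `authenticationFlows` condition as I understand it; all app IDs, users and IPs in the sample are constructed.

```python
"""Triage Entra ID sign-in records for OAuth device code grants (added example)."""
import json
from collections import Counter
from typing import Iterable

DEVICE_CODE = "deviceCode"  # value of signIn.authenticationProtocol for device code flow

# Constructed sample records (made up for this example, not real telemetry).
# Only the fields this script reads are included.
SAMPLE_SIGNINS_JSON = r"""
[
  {"createdDateTime": "2025-10-02T08:01:12Z", "userPrincipalName": "alice@example.com",
   "authenticationProtocol": "oAuth2", "appId": "app-outlook-0000", "appDisplayName": "Outlook",
   "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
  {"createdDateTime": "2025-10-02T08:05:40Z", "userPrincipalName": "bob@example.com",
   "authenticationProtocol": "deviceCode", "appId": "app-unknown-9999", "appDisplayName": "Secure Docs Viewer",
   "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
  {"createdDateTime": "2025-10-02T09:15:03Z", "userPrincipalName": "carol@example.com",
   "authenticationProtocol": "deviceCode", "appId": "app-cli-0001", "appDisplayName": "Corp CLI",
   "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
  {"createdDateTime": "2025-10-02T11:42:55Z", "userPrincipalName": "dave@example.com",
   "authenticationProtocol": "deviceCode", "appId": "app-cli-0001", "appDisplayName": "Corp CLI",
   "ipAddress": "192.0.2.77", "location": {"countryOrRegion": "RO"}, "status": {"errorCode": 0}},
  {"createdDateTime": "2025-10-02T11:50:00Z", "userPrincipalName": "erin@example.com",
   "authenticationProtocol": "deviceCode", "appId": "app-unknown-9999", "appDisplayName": "Secure Docs Viewer",
   "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}}
]
"""


def load_signins(raw_json: str) -> list[dict]:
    """Parse an exported sign-in log (JSON array of signIn-shaped objects)."""
    return json.loads(raw_json)


def is_successful_device_code_signin(rec: dict) -> bool:
    """True for device code sign-ins that actually succeeded (errorCode 0)."""
    return (rec.get("authenticationProtocol") == DEVICE_CODE
            and rec.get("status", {}).get("errorCode", 0) == 0)


def device_code_counts_by_app(records: Iterable[dict]) -> dict[str, int]:
    """Successful device code sign-ins per appId; a newly appearing app is a lead."""
    return dict(Counter(r["appId"] for r in records if is_successful_device_code_signin(r)))


def triage_device_code_signins(records: Iterable[dict], allowed_countries: set[str],
                               approved_app_ids: set[str]) -> list[dict]:
    """Flag successful device code grants that violate sign-in origin or app allow-lists.

    The victim signs in on the real Microsoft page, so the record looks like a
    normal successful sign-in; the anomalies are the protocol, the app that
    received the tokens, and where the sign-in came from.
    """
    findings = []
    for rec in records:
        if not is_successful_device_code_signin(rec):
            continue
        reasons = []
        country = rec.get("location", {}).get("countryOrRegion", "??")
        if country not in allowed_countries:
            reasons.append(f"sign-in origin {country} is outside the allowed set")
        if rec.get("appId") not in approved_app_ids:
            reasons.append(f"app {rec.get('appDisplayName')!r} ({rec.get('appId')}) "
                           "is not approved for device code flow")
        if reasons:
            findings.append({"user": rec["userPrincipalName"], "time": rec["createdDateTime"],
                             "ip": rec.get("ipAddress"), "app": rec.get("appId"), "reasons": reasons})
    return findings


def block_device_code_policy(excluded_group_ids: Iterable[str] = ()) -> dict:
    """Conditional Access policy body that blocks the device code flow tenant-wide.

    Schema assumption: Graph conditionalAccessPolicy with the
    authenticationFlows.transferMethods condition; check current Graph docs
    before deploying. Groups that legitimately need device code (e.g. admins
    on headless CLIs) go in excluded_group_ids. Starts in report-only mode.
    """
    return {
        "displayName": "Block OAuth device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    recs = load_signins(SAMPLE_SIGNINS_JSON)
    for f in triage_device_code_signins(recs, {"US", "GB"}, {"app-cli-0001"}):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
    print(json.dumps(block_device_code_policy(), indent=2))
```

With the constructed sample, the triage flags bob (unapproved app and unexpected country) and dave (approved app but unexpected country), while carol's Corp CLI sign-in from an allowed country and erin's failed attempt are left alone. Run the policy in report-only mode first and review which users or automation actually depend on device code before switching it to enforced.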
