Hackers Exploiting OAuth Device Codes to Breach Microsoft 365 Accounts
25-12-29, 4:07 p.m.
Cybercriminals are exploiting Microsoft 365’s device code authentication to gain unauthorized access to accounts. Phishing campaigns trick users into entering codes on legitimate login portals, bypassing security measures.
Cybercriminals are constantly evolving their tactics to bypass traditional security measures, and Microsoft 365 users are now at risk from a new and sophisticated attack method: OAuth device code phishing. This attack leverages a legitimate Microsoft feature—the OAuth 2.0 device authorization flow—intended to help devices with limited input options. Threat actors, however, exploit it to gain unauthorized access to M365 accounts. By tricking users into entering device codes on official Microsoft login pages, attackers can take over accounts, steal sensitive data, and move laterally across networks.
Multiple threat groups, ranging from financially motivated hackers to state-backed actors, are running these campaigns. Phishing emails are crafted to appear as legitimate notifications, often including links, buttons, or QR codes. When users interact with these emails, they are directed to fake pages that generate device codes.
Users are then instructed to enter these codes on Microsoft’s real verification portal. Because the portal itself is genuine, traditional security measures may not detect the attack, giving hackers full control over compromised accounts.
Researchers at Proofpoint have identified two major tools driving these attacks:
SquarePhish2, which automates the OAuth device authorization process using QR codes and attacker-controlled servers, enabling even less skilled attackers to run large-scale campaigns.
Graphish, which uses Azure App Registrations and reverse proxy servers to create fake login pages capable of capturing credentials and session tokens, even when multi-factor authentication is enabled.
Both financially motivated and state-aligned actors have adopted these techniques, targeting government officials, researchers, university staff, and corporate employees. The widespread nature of these attacks underscores the importance of proactive security measures.
How Organizations Can Protect Themselves:
Implement Conditional Access policies to block or restrict device code authentication flows.
Require sign-ins only from compliant or registered devices.
Educate users on the risks of entering device codes from untrusted sources.
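As an added illustration (not part of the original article), the following Python triage pass shows what "monitor for suspicious activity" can look like for this attack: Entra ID sign-in log records, as returned by the Microsoft Graph signIn resource, carry an authenticationProtocol field whose deviceCode value marks sign-ins completed through the device authorization flow, so those records can be pulled out and ranked by device trust. The log records below are constructed samples in that shape, and the severity rules are this example's own assumptions.

```python
"""Triage device-code sign-ins in exported Entra ID sign-in logs (added example)."""
import json

# Constructed sample records shaped like the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-12-29T15:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": False, "isManaged": False}},
    {"createdDateTime": "2025-12-29T15:04:40Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": True, "isManaged": True}},
    {"createdDateTime": "2025-12-29T15:05:02Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.33", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": True, "isManaged": True}},
    {"createdDateTime": "2025-12-29T15:06:58Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53000}, "deviceDetail": {"isCompliant": False, "isManaged": False}},
])


def triage_device_code_signins(raw_json):
    """Return alerts for device-code sign-ins, highest risk first.

    Severity rules (assumptions for this example): 'high' for a successful
    device-code sign-in from a device that is neither compliant nor managed,
    which is what a phished code redeemed on an attacker-controlled host looks
    like; 'medium' for a successful one from a managed device; 'info' for a
    failed attempt, e.g. one blocked by Conditional Access.
    """
    alerts = []
    for s in json.loads(raw_json):
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary interactive OAuth2/SAML sign-ins are out of scope here
        succeeded = s.get("status", {}).get("errorCode", 0) == 0
        dev = s.get("deviceDetail", {})
        trusted = bool(dev.get("isCompliant") or dev.get("isManaged"))
        severity = "info" if not succeeded else ("medium" if trusted else "high")
        alerts.append({"severity": severity, "user": s["userPrincipalName"],
                       "ip": s.get("ipAddress"), "app": s.get("appDisplayName"),
                       "ca": s.get("conditionalAccessStatus"), "time": s["createdDateTime"]})
    rank = {"high": 0, "medium": 1, "info": 2}
    alerts.sort(key=lambda a: (rank[a["severity"]], a["time"]))
    return alerts


if __name__ == "__main__":
    for a in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{a['severity']:6}] {a['time']} {a['user']} via {a['app']} from {a['ip']} (CA: {a['ca']})")
```

Against a real export, a Conditional Access policy that blocks the device code flow should turn the high-severity rows into failed attempts, which is a quick way to confirm the policy is applied where intended.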
At Upside Business Technologies, we understand that cyber threats are evolving faster than ever. Our team specializes in protecting businesses from sophisticated attacks like OAuth device code phishing. We help organizations implement robust security policies, monitor for suspicious activity, and train staff to recognize emerging threats before they cause damage.
Cybersecurity isn’t optional; it’s essential. Don’t let hackers exploit the tools you rely on every day.
