A sharp rise in phishing campaigns is exploiting Microsoft’s OAuth device code authorization process, allowing cybercriminals and nation-state actors to hijack Microsoft 365 accounts without needing passwords.
Quick Summary – TLDR:
- Hackers are exploiting OAuth device code flow to gain unauthorized access to Microsoft 365 accounts.
- Proofpoint identified multiple threat actors, including financially motivated and Russia-linked groups.
- Phishing kits like SquarePhish2 and Graphish make these attacks easier and more widespread.
- Victims unknowingly authorize malicious apps by entering codes on Microsoft’s legitimate login page.
What Happened?
Security firm Proofpoint has reported a major increase in phishing attacks abusing the OAuth 2.0 device code authorization grant. This method is intended for secure logins on devices with limited input, but hackers are twisting it to bypass login credentials and multi-factor authentication.
Since September 2025, cybercriminals have used fake documents, QR codes, and email lures to trick users into entering codes on Microsoft’s legitimate device login page. Once the code is entered, attackers gain full access to the victim’s Microsoft 365 account.
🚨 Beyond Credential Theft: The New Phishing Technique That Exploits OAuth Device Authorization
KnowBe4 ThreatLabs has identified a sophisticated phishing campaign exploiting Microsoft’s OAuth device code authentication. Attackers use Google Cloud Storage to host HTML…
— KB4ThreatLabs (@Kb4Threatlabs) December 18, 2025
Growing Use of Device Code Phishing
While the OAuth device flow was built for convenience, attackers have found a loophole. Instead of stealing passwords, they send phishing emails with QR codes or fake buttons that mimic legitimate alerts like token reauthorization or document sharing.
Once the victim is hooked, they are led to Microsoft’s trusted device login portal. There, they unknowingly enter a code that grants full account access to the attacker-controlled application.
Proofpoint noted a significant spike in these attacks since September 2025, calling the scale “highly unusual.” Campaigns vary slightly in how they trick users, but they all aim to get a code entered on a real Microsoft login page.
Phishing Tools Lower the Barrier for Attackers
Two tools in particular have helped spread these campaigns faster:
- SquarePhish2: An evolved phishing framework that uses QR codes and automates the entire OAuth device code abuse process. It mimics Microsoft’s MFA prompts to appear legitimate.
- Graphish: A freely available phishing kit shared in underground hacking forums. It supports OAuth exploitation, Azure App Registrations, and even adversary-in-the-middle (AiTM) attacks.
Both kits are designed to be easy to use, meaning attackers don’t need advanced technical skills to launch these phishing attacks.
Who’s Behind the Attacks?
Proofpoint identified several threat groups behind these phishing waves:
- TA2723: A financially motivated group that began using OAuth phishing in October 2025. They previously spoofed OneDrive and DocuSign but now trick users with fake salary and benefit documents.
- UNK_AcademicFlare: A suspected Russia-aligned group targeting U.S. and European government, academic, and transportation sectors. They use hacked email accounts to build trust, then send links spoofing OneDrive to lure victims into entering codes.
These actors are exploiting legitimate Microsoft login features to bypass even the most common security measures, including multi-factor authentication.
Why This Matters for Security Teams
Proofpoint warns that OAuth phishing will likely grow, especially as organizations move toward FIDO-compliant MFA solutions, which ironically make this type of attack more appealing because it avoids password theft altogether.
The company advises organizations to:
- Tighten OAuth app controls.
- Educate users not to enter device codes unless they know the source is safe.
- Monitor for suspicious app authorizations.
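One way to act on the "monitor for suspicious app authorizations" advice, as an added example that is not from Proofpoint or this article: a Python script that scans sign-in records and flags successful device code sign-ins to an app outside an assumed allowlist, or from an address the user has not used in any other sign-in in the batch. The field names follow the Microsoft Graph signIn resource (authenticationProtocol, status.errorCode); the records, app IDs, addresses and allowlist are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Microsoft Graph signIn objects
# (only the fields used here); app IDs and addresses are placeholders, not real data.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Headless Build Agent",
  "appId": "11111111-0000-0000-0000-000000000001", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Outlook Web",
  "appId": "22222222-0000-0000-0000-000000000002", "authenticationProtocol": "oAuth2",
  "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
  "appId": "33333333-0000-0000-0000-000000000003", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.45", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "appDisplayName": "Outlook Web",
  "appId": "22222222-0000-0000-0000-000000000002", "authenticationProtocol": "oAuth2",
  "ipAddress": "198.51.100.22", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
  "appId": "33333333-0000-0000-0000-000000000003", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.99", "status": {"errorCode": 50126}}
]""")

# Apps the organisation legitimately uses with the device code grant (assumed allowlist).
EXPECTED_DEVICE_CODE_APPS = {"11111111-0000-0000-0000-000000000001"}


def find_suspicious_device_code_signins(signins, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return (user, app, ip, reason) for successful device code sign-ins that are
    to an app outside the allowlist or from an address the same user has never
    used in a non-device-code sign-in within this batch (a heuristic, not a proof)."""
    known_ips = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            known_ips[s["userPrincipalName"]].add(s["ipAddress"])
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue  # failed attempts are noise here; only issued tokens matter
        user, ip = s["userPrincipalName"], s["ipAddress"]
        reasons = []
        if s["appId"] not in expected_apps:
            reasons.append("app not expected to use device code flow")
        if ip not in known_ips[user]:
            reasons.append("address unseen in user's other sign-ins")
        if reasons:
            findings.append((user, s["appDisplayName"], ip, "; ".join(reasons)))
    return findings
```

On the sample batch only bob's sign-in is reported: the Microsoft Office device code sign-in comes from an address he has not otherwise used and the app is not on the allowlist, while carol's attempt failed and issued no token.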
SQ Magazine Takeaway
I find this trend genuinely alarming. Hackers are not just getting better at phishing, they’re getting smarter by using Microsoft’s own tools against us. The fact that you can be phished without giving away a password changes the game entirely. If your company relies on Microsoft 365, it’s time to rethink how your team handles authentication requests. Even legitimate-looking logins might be a trap now. Security awareness training needs to include this type of OAuth attack.
