SQ Magazine

Smarter Insights for a Fast-Moving Digital World

Surge in Microsoft 365 Attacks as Hackers Abuse OAuth Device Code Flow

Published on: December 19, 2025
As Featured In
The New York Times LogoForbes LogoWired LogoDeloitte LogoResearch.com Logo

A sharp rise in phishing campaigns is exploiting Microsoft’s OAuth device code authorization process, allowing cybercriminals and nation-state actors to hijack Microsoft 365 accounts without needing passwords.

Quick Summary – TLDR:

  • Hackers are exploiting OAuth device code flow to gain unauthorized access to Microsoft 365 accounts.
  • Proofpoint identified multiple threat actors, including financially motivated and Russia-linked groups.
  • Phishing kits like SquarePhish2 and Graphish make these attacks easier and more widespread.
  • Victims unknowingly authorize malicious apps by entering codes on Microsoft’s legitimate login page.

What Happened?

Security firm Proofpoint has reported a major increase in phishing attacks abusing the OAuth 2.0 device code authorization grant. This method is intended for secure logins on devices with limited input, but hackers are twisting it to bypass login credentials and multi-factor authentication.

Since September 2025, cybercriminals have used fake documents, QR codes, and email lures to trick users into entering codes on Microsoft’s legitimate device login page. Once the code is entered, attackers gain full access to the victim’s Microsoft 365 account.

Growing Use of Device Code Phishing

While the OAuth device flow was built for convenience, attackers have found a loophole. Instead of stealing passwords, they send phishing emails with QR codes or fake buttons that mimic legitimate alerts like token reauthorization or document sharing.

Once the victim is hooked, they are led to Microsoft’s trusted device login portal. There, they unknowingly enter a code that grants full account access to the attacker-controlled application.

Proofpoint noted a significant spike in these attacks since September 2025, calling the scale “highly unusual.” Campaigns vary slightly in how they trick users, but they all aim to get a code entered on a real Microsoft login page.

Phishing Tools Lower the Barrier for Attackers

Two tools in particular have helped spread these campaigns faster:

  • SquarePhish2: An evolved phishing framework that uses QR codes and automates the entire OAuth device code abuse process. It mimics Microsoft’s MFA prompts to appear legitimate.
  • Graphish: A freely available phishing kit shared in underground hacking forums. It supports OAuth exploitation, Azure App Registrations, and even adversary-in-the-middle (AiTM) attacks.

Both kits are designed to be easy to use, meaning attackers don’t need advanced technical skills to launch these phishing attacks.

Newsletter
Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

Who’s Behind the Attacks?

Proofpoint identified several threat groups behind these phishing waves:

  • TA2723: A financially motivated group that began using OAuth phishing in October 2025. They previously spoofed OneDrive and DocuSign but now trick users with fake salary and benefit documents.
  • UNK_AcademicFlare: A suspected Russia-aligned group targeting U.S. and European government, academic, and transportation sectors. They use hacked email accounts to build trust, then send links spoofing OneDrive to lure victims into entering codes.

These actors are exploiting legitimate Microsoft login features to bypass even the most common security measures, including multi-factor authentication.

Why This Matters for Security Teams?

Proofpoint warns that OAuth phishing will likely grow, especially as organizations move toward FIDO-compliant MFA solutions, which ironically make this type of attack more appealing because it avoids password theft altogether.

The company advises organizations to:

  • Tighten OAuth app controls.
  • Educate users not to enter device codes unless they know the source is safe.
  • Monitor for suspicious app authorizations.

SQ Magazine’s Takeaway

I find this trend genuinely alarming. Hackers are not just getting better at phishing, they’re getting smarter by using Microsoft’s own tools against us. The fact that you can be phished without giving away a password changes the game entirely. If your company relies on Microsoft 365, it’s time to rethink how your team handles authentication requests. Even legitimate-looking logins might be a trap now. Security awareness training needs to include this type of OAuth attack .

SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News
Sofia Ramirez

Sofia Ramirez

Senior Tech Writer

Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment

Company
Discover
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity