OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts
Summary
A surge in phishing campaigns exploiting Microsoft's OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Organizations are advised to strengthen OAuth controls and train users to avoid entering device codes from untrusted sources. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The link points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document.
Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block the device code flow for all users. If that is not feasible, the advice is to use an allow-list policy that permits device code authentication only for approved users, operating systems, or IP ranges.
Timeline
- 18.12.2025 18:00 · 3 articles
  OAuth Device Code Phishing Campaigns Surge Targeting Microsoft 365
  A surge in phishing campaigns abusing Microsoft's OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The link points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document.
  Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block the device code flow for all users. If that is not feasible, the advice is to use an allow-list policy that permits device code authentication only for approved users, operating systems, or IP ranges.
  Sources:
  - OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
Information Snippets
- Threat actors are exploiting Microsoft's OAuth device code authorization flow to gain unauthorized access to Microsoft 365 accounts.
  First reported: 18.12.2025 18:00 · 3 sources, 3 articles
  - OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- The attacks rely on social engineering to trick users into approving malicious applications, enabling account takeover and data theft.
  First reported: 18.12.2025 18:00 · 3 sources, 3 articles
  - OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- The OAuth 2.0 device authorization grant is a legitimate process designed for devices with limited input capabilities.
  First reported: 18.12.2025 18:00 · 3 sources, 3 articles
  - OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token.
  First reported: 18.12.2025 18:00 · 3 sources, 3 articles
  - OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain.
  First reported: 18.12.2025 18:00 · 3 sources, 3 articles
  - OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish.
  First reported: 18.12.2025 18:00 · 3 sources, 3 articles
  - OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare have adopted this technique.
  First reported: 18.12.2025 18:00 · 3 sources, 3 articles
  - OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Organizations are advised to strengthen OAuth controls and train users to avoid entering device codes from untrusted sources.
  First reported: 18.12.2025 18:00 · 3 sources, 3 articles
  - OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- The attack chains involve tricking victims into entering a device code on Microsoft's legitimate device login portals, sometimes presented as a one-time password or token re-authorization notification.
  First reported: 19.12.2025 19:19 · 2 sources, 2 articles
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- SquarePhish v1 and v2, and Graphish are the phishing kits used in the attacks, simplifying the phishing process.
  First reported: 19.12.2025 19:19 · 2 sources, 2 articles
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- SquarePhish is a publicly available red teaming tool that targets OAuth device grant authorization flows via QR codes, mimicking legitimate Microsoft MFA/TOTP setups.
  First reported: 19.12.2025 19:19 · 2 sources, 2 articles
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Graphish is a malicious phishing kit shared on underground forums, supporting OAuth abuse, Azure App Registrations, and adversary-in-the-middle (AiTM) attacks.
  First reported: 19.12.2025 19:19 · 2 sources, 2 articles
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Three specific campaigns were observed: salary bonus attacks, TA2723 attacks, and state-aligned activity by UNK_AcademicFlare.
  First reported: 19.12.2025 19:19 · 2 sources, 2 articles
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Proofpoint recommends using Microsoft Entra Conditional Access and introducing a policy on sign-in origin to block these attacks.
  First reported: 19.12.2025 19:19 · 2 sources, 2 articles
  - Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare.
  First reported: 19.12.2025 19:54 · 1 source, 1 article
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe.
  First reported: 19.12.2025 19:54 · 1 source, 1 article
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The link points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document.
  First reported: 19.12.2025 19:54 · 1 source, 1 article
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307.
  First reported: 19.12.2025 19:54 · 1 source, 1 article
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Proofpoint said UNK_AcademicFlare is likely a Russia-aligned threat actor given its targeting of Russia-focused specialists at multiple think tanks and Ukrainian government and energy sector organizations.
  First reported: 19.12.2025 19:54 · 1 source, 1 article
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish.
  First reported: 19.12.2025 19:54 · 1 source, 1 article
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block the device code flow for all users. If that is not feasible, the advice is to use an allow-list policy that permits device code authentication only for approved users, operating systems, or IP ranges.
  First reported: 19.12.2025 19:54 · 1 source, 1 article
  - Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
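The Conditional Access guidance above (block the device code flow for all users, or fall back to an allow-list for approved users and networks) is easier to act on with the policy written out. The following is an added example, not code from Proofpoint or from any of the articles summarized here: it builds both policy variants as Microsoft Graph `identity/conditionalAccess/policies` request bodies, checks that a policy actually targets the device code flow with a block grant, and runs a small triage pass over sign-in records to list the device code sign-ins an allow-list would not cover (which is what you want to review while the policy is still in report-only mode). The Graph property names (`conditions.authenticationFlows.transferMethods`, the policy `state` values, `authenticationProtocol` on sign-in records) are assumptions taken from the Graph documentation as I know it; the group id, named-location id, user names, IP addresses and sign-in records are constructed placeholders.

```python
"""
Added example: Entra Conditional Access policy bodies for the device code flow,
plus a triage pass over sign-in records. Not code from the articles on this page.
Assumptions: Graph property names as documented (authenticationFlows.transferMethods,
policy state values, authenticationProtocol); all ids, users, IPs are placeholders.
"""
import ipaddress
import json


# Policy 1 (preferred): block the device code flow for every user and app.
# Start in report-only mode, then switch state to "enabled" after reviewing impact.
def device_code_block_policy(state="enabledForReportingButNotEnforced"):
    return {
        "displayName": "Block device code flow (all users)",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            # Comma-separated flags string in Graph; only the device code flow here.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Policy 2 (fallback): same block, but exclude an approved group and an approved
# named location, so only those users / networks can still use device code.
def device_code_allowlist_policy(approved_group_id, approved_location_id,
                                 state="enabledForReportingButNotEnforced"):
    policy = device_code_block_policy(state)
    policy["displayName"] = "Block device code flow except approved users/locations"
    policy["conditions"]["users"]["excludeGroups"] = [approved_group_id]
    policy["conditions"]["locations"] = {
        "includeLocations": ["All"],
        "excludeLocations": [approved_location_id],
    }
    return policy


def policy_blocks_device_code(policy):
    """True if the policy targets the device code flow with a block grant."""
    flows = policy.get("conditions", {}).get("authenticationFlows", {})
    methods = flows.get("transferMethods", "").split(",")
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return "deviceCodeFlow" in methods and blocks


# Constructed sign-in records in the shape of Entra sign-in log entries
# (only the fields used below); placeholder users and documentation IP ranges.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "ipAddress": "10.1.2.3", "authenticationProtocol": "oAuth2"},
    {"id": "s2", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode"},
    {"id": "s3", "userPrincipalName": "kiosk-svc@example.com",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "deviceCode"},
    {"id": "s4", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.40", "authenticationProtocol": "deviceCode"},
]


def unapproved_device_code_signins(signins, approved_users=(), approved_cidrs=()):
    """IDs of device code sign-ins from users and networks outside the allow-list.

    While the policy is report-only, these are the sign-ins it would block,
    so each one is either an approved use that needs adding to the allow-list
    or a candidate for incident review.
    """
    approved = {u.lower() for u in approved_users}
    nets = [ipaddress.ip_network(c) for c in approved_cidrs]
    flagged = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s["userPrincipalName"].lower() in approved:
            continue
        ip = ipaddress.ip_address(s["ipAddress"])
        if any(ip in net for net in nets):
            continue
        flagged.append(s["id"])
    return flagged


if __name__ == "__main__":
    policy = device_code_allowlist_policy(
        "00000000-0000-0000-0000-000000000001",   # placeholder approved group id
        "00000000-0000-0000-0000-000000000002")   # placeholder named location id
    print(json.dumps(policy, indent=2))
    print(unapproved_device_code_signins(
        SAMPLE_SIGNINS, ["kiosk-svc@example.com"], ["192.0.2.0/24"]))
```

Deploying either body is a single POST of the JSON to the policies endpoint with an account holding the Policy.ReadWrite.ConditionalAccess permission; the allow-list variant is the one to reach for only when a device code dependency (a shared kiosk, a CLI login on a locked-down host) genuinely cannot be removed, and even then the exclusion group should stay small and be reviewed against the sign-in triage output.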
Similar Happenings
Phishing Campaign Targets Ad Manager Accounts via Fake Calendly Invites
A sophisticated phishing campaign impersonates top brands like Unilever, Disney, and MasterCard using fake Calendly invites to steal Google Workspace and Facebook Business account credentials. The campaign, discovered by Push Security, targets ad manager accounts to launch malvertising, AiTM phishing, and malware distribution campaigns. Access to these accounts allows threat actors to execute geo-targeted attacks and potentially resell compromised accounts for monetization. The phishing emails, crafted using AI tools, impersonate legitimate recruiters and direct victims to fake Calendly landing pages with CAPTCHA and AiTM phishing pages. The campaign employs anti-analysis mechanisms and Browser-in-the-Browser (BitB) attacks to enhance its effectiveness. Push Security identified 31 unique URLs and additional variants targeting both Google and Facebook credentials. Simultaneously, a malvertising campaign targets Google Ads Manager accounts through malicious sponsored ads.
Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of active spyware campaigns targeting high-value Signal and WhatsApp users. These campaigns leverage sophisticated social engineering and zero-click exploits to compromise mobile devices and exfiltrate sensitive data. The targets include government officials, military personnel, political figures, and civil society organizations across the U.S., Middle East, and Europe. A new campaign, dubbed GhostPairing, abuses the legitimate device-linking feature to hijack WhatsApp accounts via pairing codes. This campaign was first spotted in Czechia but has the potential to spread to other regions. The attack involves tricking victims into linking an attacker's browser to their WhatsApp device, granting the attacker full access to the account without requiring any authentication.
Phishing campaign targets finance executives with fake LinkedIn board invites
A phishing campaign is targeting finance executives via LinkedIn, using fake board invitations to steal Microsoft credentials. The attack begins with a LinkedIn message containing a malicious link. The campaign uses multiple redirects, including a Google open redirect and a custom landing page hosted on Firebase. The final stage involves a fake Microsoft login page designed to capture credentials and session cookies. The campaign was detected by Push Security, which observed an increase in phishing attempts through online services like LinkedIn. This is the second such campaign targeting executives on LinkedIn in the past six weeks.
New CoPhish technique exploits Microsoft Copilot for OAuth phishing
A new phishing technique called 'CoPhish' leverages Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests. The technique exploits the legitimate and trusted Microsoft domains to trick users into granting permissions to malicious applications. The CoPhish technique was developed by researchers at Datadog Security Labs, who highlighted the risks associated with the flexibility of Copilot Studio. Microsoft has acknowledged the issue and plans to address it in a future update. The attack targets users, including administrators, by embedding malicious applications within Copilot Studio agents. Once activated, these agents can be distributed via email or messaging platforms, making it difficult for users to distinguish between legitimate and malicious requests. Users can protect against CoPhish attacks by limiting administrative privileges, reducing application permissions, enforcing governance policies, implementing a strong application consent policy, disabling user application creation defaults, and closely monitoring application consent via Entra ID and Copilot Studio agent creation events.
Microsoft reports surge in AI-driven cyber threats and defenses
Microsoft's Digital Defense Report 2025 highlights a dramatic escalation in AI-driven cyber attacks. Microsoft systems analyze over 100 trillion security signals daily, indicating the growing sophistication and volume of cyber threats. Adversaries are leveraging generative AI to automate phishing, scale social engineering, and discover vulnerabilities faster than humans can patch them. Autonomous malware adapts tactics in real-time to bypass security systems, and AI tools themselves are becoming high-value targets. Microsoft's AI-powered defenses have reduced response times from hours to seconds, but defenders must remain vigilant as AI increases the speed and impact of cyber operations. Identity compromise remains a dominant attack vector, with phishing and social engineering accounting for 28% of breaches. Multi-factor authentication (MFA) prevents over 99% of unauthorized access attempts, but adoption rates are uneven. The rise of infostealers has fueled credential-based intrusions. The United States accounted for 24.8% of all observed attacks between January and June 2025, followed by the United Kingdom, Israel, and Germany. Government agencies, IT providers, and research institutions were among the most frequently targeted sectors. Ransomware remains a primary threat, with over 40% of recent cases involving hybrid cloud components.