CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

First reported
Last updated
3 unique sources, 4 articles

Summary

Hide ▲

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.

Timeline

  1. 19.02.2026 14:30 1 articles · 10h ago

    ShinyHunters Extortion Gang Targets Microsoft Entra Accounts

    Threat actors are targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes. A source told BleepingComputer they believed the ShinyHunters extortion gang was behind the new device code vishing attacks, which the threat actors later confirmed. ShinyHunters was recently linked to vishing attacks used to breach Okta and Microsoft Entra SSO accounts for data theft attacks.

    Show sources
    Open in new tab
  2. 18.12.2025 18:00 4 articles · 2mo ago

    OAuth Device Code Phishing Campaigns Surge Targeting Microsoft 365

    A surge in phishing campaigns abusing Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector

Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign involved leveraging compromised internal identities to conduct large-scale phishing attacks within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, password collection page, exfiltration script, and redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in was abandoned by its developer and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.

Open in new tab

Vishing Attacks Target Okta SSO Accounts for Data Theft

Threat actors are using vishing attacks to steal Okta SSO credentials, bypassing MFA and gaining access to enterprise cloud services. The attacks involve real-time manipulation of phishing pages and social engineering to trick employees into revealing their credentials and MFA codes. Once access is gained, attackers exfiltrate data from integrated platforms like Salesforce and demand extortion payments. The phishing kits used in these attacks are sold as a service and are actively employed by multiple hacking groups targeting identity providers and cryptocurrency platforms. Okta recommends using phishing-resistant MFA methods to mitigate these threats. Attackers use Telegram channels to receive stolen credentials and adapt their campaign based on the MFA or authentication solution the target is using. Phishing kits allow attackers to generate fake MFA notifications to bypass MFA protections.

Open in new tab

Attackers Optimize Traditional TTPs with AI in 2025

In 2025, attackers continued to leverage traditional techniques such as supply chain attacks and phishing, but with increased efficiency and scale due to AI advancements. The Shai Hulud NPM campaign demonstrated how a single compromised package can affect thousands of downstream projects. AI has lowered the barrier to entry for cybercriminals, enabling lean teams or even individuals to execute sophisticated attacks. Phishing remains effective, with one click potentially compromising large-scale systems. Malicious Chrome extensions bypassing official stores highlight the ongoing challenge of automated reviews and human moderators keeping pace with attacker sophistication.

Open in new tab

Misconfigured Email Routing Exploited for Internal Domain Phishing

Threat actors are exploiting misconfigured email routing and spoof protections to impersonate organizations' domains and distribute phishing emails that appear to originate internally. This tactic has surged since May 2025, targeting various industries with phishing-as-a-service (PhaaS) platforms like Typhoon2FA. Successful attacks can lead to credential theft and business email compromise (BEC). The issue arises when complex routing scenarios are configured without strict spoof protections, allowing spoofed emails to bypass security measures. Microsoft blocked over 13 million malicious emails linked to the Typhoon2FA kit in October 2025. Organizations are advised to enforce strict DMARC and SPF policies, properly configure third-party connectors, and ensure MX records point directly to Office 365 to mitigate this risk.

Open in new tab

Sha1-Hulud Supply Chain Attack Results in $8.5 Million Trust Wallet Chrome Extension Hack

On December 24, 2025, users of the Trust Wallet Chrome extension reported significant cryptocurrency losses after a compromised update (version 2.68.0) was released. The update contained malicious code that exfiltrated sensitive wallet data to an external server. Trust Wallet confirmed the security incident and released a patched version (2.69). Losses are estimated to exceed $8.5 million, with ongoing investigations into the incident. The malicious code iterated through all wallets stored in the extension and triggered a mnemonic phrase request for each wallet. The encrypted mnemonic was decrypted using the password or passkey entered during wallet unlock and sent to the attacker's server. The stolen funds include about $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum. The incident has claimed hundreds of victims, and Trust Wallet is actively finalizing the process to refund the impacted users. The stolen funds have been moved through centralized exchanges and cross-chain bridges for laundering and swapping. The backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase. The attacker directly tampered with the application's own code and leveraged the legitimate PostHog analytics library as the data-exfiltration channel. There is a possibility that the incident is the work of a nation-state actor, and Changpeng Zhao hinted that the exploit was most likely carried out by an insider. Trust Wallet confirmed that approximately 2,596 wallets were drained in the attack and received around 5,000 claims, indicating a significant number of false or duplicate submissions. Trust Wallet has launched a dedicated claim form for affected users and warned about ongoing phishing campaigns.

Open in new tab