
Microsoft 365 OAuth device code phishing campaign

Campaign
H score 36 · 1 unique source, 1 article

Summary


The OAuth device code phishing wave against Microsoft 365 accounts is expanding, raising the risk of account takeover across multiple sectors. Attackers are abusing Microsoft's legitimate device login flow to get victims to authorize attacker-controlled apps, which can grant access without the attacker having to steal credentials or bypass MFA. The activity has been growing since September 2025 and involves both TA2723 and UNK_AcademicFlare. The target set spans government, academic, think tank, and transportation organizations in the U.S. and Europe.

Related Happenings

Kali365 Microsoft 365 device-code phishing campaign

Campaign
First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

EvilTokens Microsoft 365 consent phishing campaign

Campaign
First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

Timeline

  1. 19.12.2025 19:19 2 articles · 5mo ago

    Microsoft 365 OAuth device code phishing campaign

    Initial Disclosure

    The earliest visible phase used **document-sharing lures** and localized company branding to push victims into Microsoft's device-code login flow. Entering the code there authorized attacker access to the account.
