Microsoft 365 device-code phishing defenses for OAuth token abuse
Defensive Guidance
Summary
Hide ▲
Show ▼
Defenders are tightening Microsoft 365 protections against device code phishing and vishing, a technique that can hand attackers valid OAuth tokens for Microsoft Entra accounts. The guidance focuses on blocking malicious infrastructure, revoking suspicious app consents, and watching for device code authentication events before token reuse can spread across connected services.
Related Happenings
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
H score39
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
EvilTokens Microsoft 365 consent phishing campaign
CampaignAbout this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
H score34
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
**Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Microsoft AiTM payroll pirate attack mitigation
Advisory/MitigationAbout this happening: **Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Forest Blizzard DNS hijacking token-theft campaign against older routers
Campaign
H score35
First: 07.04.2026 20:02
Last: 07.04.2026 20:02
Sources 1
About this happening:
Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...
Forest Blizzard DNS hijacking token-theft campaign against older routers
CampaignAbout this happening: Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
H score43
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Timeline
-
19.02.2026 14:30 2 articles · 4mo ago
Microsoft 365 defenses against device code phishing
Mitigation Patch UpdateKnowBe4 Threat Labs guidance focuses on hardening Microsoft 365 against device code phishing and vishing that abuse the OAuth 2.0 Device Authorization flow to obtain valid authentication tokens for Microsoft Entra accounts. Recommended controls include blocking malicious domains and sender addresses, auditing and revoking suspicious OAuth app consents, reviewing Azure AD sign-in logs for device code authentication events, turning off the device code flow option when it is not required, and enforcing conditional access policies; the same reporting context notes a campaign first spotted in December 2025 and a Microsoft Threat Intelligence Center warning from February 2025 about device code phishing.
Show sources
- Hackers target Microsoft Entra accounts in device code vishing attacks — www.bleepingcomputer.com — 19.02.2026 14:30
- Hackers target Microsoft Entra accounts in device code vishing attacks — www.bleepingcomputer.com — 19.02.2026 14:30