Microsoft 365 device-code phishing defenses for OAuth token abuse

Defensive Guidance
Happening score
H score 30
1 unique source, 1 article

Summary

Defenders are tightening Microsoft 365 protections against device code phishing and vishing, a technique that can hand attackers valid OAuth tokens for Microsoft Entra accounts. The guidance focuses on blocking malicious infrastructure, revoking suspicious app consents, and watching for device code authentication events before token reuse can spread across connected services.

Related Happenings

EvilTokens Microsoft 365 consent phishing campaign

Campaign
First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

Microsoft AiTM payroll pirate attack mitigation

Advisory/Mitigation
First: 10.04.2026 14:56 Last: 10.04.2026 14:56 Sources 1

About this happening: **Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...

Forest Blizzard DNS hijacking token-theft campaign against older routers

Campaign
First: 07.04.2026 20:02 Last: 07.04.2026 20:02 Sources 1

About this happening: Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Microsoft Azure Monitor callback phishing campaign

Campaign
First: 21.03.2026 16:09 Last: 21.03.2026 16:09 Sources 1

About this happening: A **callback phishing campaign** is abusing **Microsoft Azure Monitor** alerts to send fake billing warnings through legitimate Microsoft mail flow, making the messages more belie...

Timeline

  1. 19.02.2026 14:30 2 articles · 3mo ago

    Microsoft 365 defenses against device code phishing

    Mitigation Patch Update

    KnowBe4 Threat Labs guidance focuses on hardening Microsoft 365 against device code phishing and vishing, which abuse the OAuth 2.0 Device Authorization flow to obtain valid authentication tokens for Microsoft Entra accounts. Recommended controls include blocking malicious domains and sender addresses, auditing and revoking suspicious OAuth app consents, reviewing Azure AD sign-in logs for device code authentication events, turning off the device code flow option when it is not required, and enforcing conditional access policies. The same reporting context notes a campaign first spotted in December 2025 and a Microsoft Threat Intelligence Center warning from February 2025 about device code phishing.