Microsoft Entra device code phishing and vishing campaign
Campaign
Summary
Hide ▲
Show ▼
A device code phishing campaign is targeting Microsoft 365 identities through the OAuth 2.0 device authorization flow, letting attackers steal valid access tokens after victims enter codes on Microsoft’s trusted verification page. A new Proofpoint advisory says multiple threat clusters, including TA2723 and UNK_AcademicFlare, used this technique to gain unauthorized access, enable account takeover and data theft, and scale abuse with QR codes, embedded buttons, hyperlinks, fake shared documents, and localized sites. Proofpoint said the activity was increasingly observed by September 2025, with one campaign on December 8 using a fake shared document titled “Salary Bonus + Employer Benefit Reports 25.” The report also tied the expansion to tools such as SquarePhish2 and Graphish, and said organizations should strengthen OAuth controls and train users not to enter device codes from untrusted sources.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Meta For Business Facebook Messenger fake-verification phishing campaign
Campaign
H score29
First: 07.07.2026 10:00
Last: 07.07.2026 10:00
Sources 1
About this happening:
A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...
Meta For Business Facebook Messenger fake-verification phishing campaign
CampaignAbout this happening: A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
FortiBleed Fortinet credential-theft campaign
Campaign
H score89
First: 19.06.2026 13:48
Last: 19.06.2026 13:48
Sources 1
About this happening:
The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
FortiBleed Fortinet credential-theft campaign
CampaignAbout this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
Latest development: 22.06.2026 11:30
The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.
Meta AI-powered support tools abused in Instagram account recovery flow
Security Tool/Service
H score26
First: 02.06.2026 18:47
Last: 02.06.2026 18:47
Sources 1
About this happening:
**Instagram accounts** were hijacked after attackers abused **Meta’s AI-powered support tools** to pass recovery checks and change the recovery email, creating a direct failure in...
Meta AI-powered support tools abused in Instagram account recovery flow
Security Tool/ServiceAbout this happening: **Instagram accounts** were hijacked after attackers abused **Meta’s AI-powered support tools** to pass recovery checks and change the recovery email, creating a direct failure in...
Timeline
-
19.02.2026 14:30 5 articles · 4mo ago
Microsoft Entra device code phishing and vishing campaign
Initial DisclosureThreat actors are targeting technology, manufacturing, and financial organizations with device code phishing and voice phishing (vishing) that abuse the OAuth 2.0 Device Authorization flow to obtain valid authentication tokens for Microsoft Entra accounts. The workflow uses legitimate Microsoft OAuth client IDs and the microsoft.com/devicelogin page to persuade employees to enter a generated user_code, which can then be exchanged for access tokens that reach Microsoft 365 and other SSO-linked SaaS applications without another MFA prompt. KnowBe4 Threat Labs also identified a related campaign using phishing emails and websites, with fake payment configuration prompts, document-sharing alerts, and bogus voicemail notifications, first spotted in December 2025; Microsoft Threat Intelligence Center had previously warned in February 2025 about device code phishing against Microsoft 365 accounts.
Show sources
- Hackers target Microsoft Entra accounts in device code vishing attacks — www.bleepingcomputer.com — 19.02.2026 14:30
- Hackers target Microsoft Entra accounts in device code vishing attacks — www.bleepingcomputer.com — 19.02.2026 14:30
- Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication — thehackernews.com — 03.03.2026 13:10
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00