Microsoft Entra device code phishing and vishing campaign
Campaign
Summary
A device code phishing campaign is targeting Microsoft 365 identities through the OAuth 2.0 device authorization flow, letting attackers steal valid access tokens after victims enter codes on Microsoft’s trusted verification page. A new Proofpoint advisory says multiple threat clusters, including TA2723 and UNK_AcademicFlare, used this technique to gain unauthorized access, enable account takeover and data theft, and scale abuse with QR codes, embedded buttons, hyperlinks, fake shared documents, and localized sites. Proofpoint said the activity was increasingly observed by September 2025, with one campaign on December 8 using a fake shared document titled “Salary Bonus + Employer Benefit Reports 25.” The report also tied the expansion to tools such as SquarePhish2 and Graphish, and said organizations should strengthen OAuth controls and train users not to enter device codes from untrusted sources.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Infostealer malware operation targeting online store users
Malware Activity
First: 21.05.2026 00:36
Last: 21.05.2026 00:36
Sources 1
About this happening:
A **malware operation** using **infostealer** tools infected users’ devices between **2024 and 2025**, stealing browser sessions and account credentials that enabled account theft...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
Timeline
- 19.02.2026 14:30 · 5 articles
Microsoft Entra device code phishing and vishing campaign
Initial Disclosure
Threat actors are targeting technology, manufacturing, and financial organizations with device code phishing and voice phishing (vishing) that abuse the OAuth 2.0 Device Authorization flow to obtain valid authentication tokens for Microsoft Entra accounts. The workflow uses legitimate Microsoft OAuth client IDs and the microsoft.com/devicelogin page to persuade employees to enter a generated user_code, which can then be exchanged for access tokens that reach Microsoft 365 and other SSO-linked SaaS applications without another MFA prompt. KnowBe4 Threat Labs also identified a related campaign using phishing emails and websites, with fake payment configuration prompts, document-sharing alerts, and bogus voicemail notifications, first spotted in December 2025; Microsoft Threat Intelligence Center had previously warned in February 2025 about device code phishing against Microsoft 365 accounts.
- Hackers target Microsoft Entra accounts in device code vishing attacks — www.bleepingcomputer.com — 19.02.2026 14:30
- Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication — thehackernews.com — 03.03.2026 13:10
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365 — www.infosecurity-magazine.com — 18.12.2025 18:00
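A defender-side triage of the sign-in pattern described in the Initial Disclosure entry above, added here as an example and not taken from any of the cited reports: it flags successful sign-ins that used the device code flow and lists why each looks unexpected. The records are constructed, the field names are assumed to follow the Microsoft Graph signIn schema, and `rec`, `triage_device_code` and the allowlist are hypothetical names.

```python
# Constructed sample sign-in records (not real telemetry). Field names are
# assumed to follow the Microsoft Graph signIn schema; check your own export.
def rec(ts, upn, proto, ip, managed, err=0):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "authenticationProtocol": proto, "ipAddress": ip,
            "status": {"errorCode": err}, "deviceDetail": {"isManaged": managed}}

SIGN_INS = [
    rec("2026-02-10T08:00:00Z", "alice@example.com", "oAuth2", "203.0.113.10", True),
    rec("2026-02-10T08:30:00Z", "room1@example.com", "deviceCode", "203.0.113.10", True),
    rec("2026-02-10T09:05:00Z", "alice@example.com", "deviceCode", "198.51.100.77", False),
    # err=1 is a constructed non-zero value standing for a failed sign-in
    rec("2026-02-10T09:20:00Z", "bob@example.com", "deviceCode", "198.51.100.78", False, err=1),
]

def triage_device_code(sign_ins, allowlist=frozenset()):
    """Return successful device-code sign-ins with the reasons each looks unexpected."""
    seen_ips = {}   # user -> IPs from that user's earlier successful sign-ins
    findings = []
    # Same-format ISO 8601 UTC timestamps sort correctly as strings.
    for r in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        user, ip = r["userPrincipalName"], r["ipAddress"]
        known = seen_ips.setdefault(user, set())
        ok = r["status"]["errorCode"] == 0
        if ok and r["authenticationProtocol"] == "deviceCode":
            reasons = []
            if user not in allowlist:   # e.g. accounts for input-constrained devices
                reasons.append("user not expected to use device code flow")
            if not r["deviceDetail"].get("isManaged"):
                reasons.append("unmanaged device")
            if known and ip not in known:
                reasons.append("IP not seen in user's earlier sign-ins")
            if reasons:
                findings.append({"user": user, "time": r["createdDateTime"],
                                 "ip": ip, "reasons": reasons})
        if ok:
            known.add(ip)
    # Most reasons first, so the least expected sign-ins are reviewed first.
    return sorted(findings, key=lambda f: -len(f["reasons"]))

if __name__ == "__main__":
    for f in triage_device_code(SIGN_INS, allowlist={"room1@example.com"}):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

A device code sign-in succeeds with the victim's own credentials and MFA, so the authentication protocol and the context around it (who, which device, which address) are what separate it from normal activity in the logs.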