Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft Entra device code phishing and vishing campaign

Campaign
First reported
Last updated
Happening score
H score 40
3 unique sources, 4 articles

Summary

Hide ▲

A device code phishing campaign is targeting Microsoft 365 identities through the OAuth 2.0 device authorization flow, letting attackers steal valid access tokens after victims enter codes on Microsoft’s trusted verification page. A new Proofpoint advisory says multiple threat clusters, including TA2723 and UNK_AcademicFlare, used this technique to gain unauthorized access, enable account takeover and data theft, and scale abuse with QR codes, embedded buttons, hyperlinks, fake shared documents, and localized sites. Proofpoint said the activity was increasingly observed by September 2025, with one campaign on December 8 using a fake shared document titled “Salary Bonus + Employer Benefit Reports 25.” The report also tied the expansion to tools such as SquarePhish2 and Graphish, and said organizations should strengthen OAuth controls and train users not to enter device codes from untrusted sources.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Meta For Business Facebook Messenger fake-verification phishing campaign

Campaign
H score29 First: 07.07.2026 10:00 Last: 07.07.2026 10:00 Sources 1

About this happening: A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

FortiBleed Fortinet credential-theft campaign

Campaign
H score89 First: 19.06.2026 13:48 Last: 19.06.2026 13:48 Sources 1

About this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...

Latest development: 22.06.2026 11:30

The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.

Meta AI-powered support tools abused in Instagram account recovery flow

Security Tool/Service
H score26 First: 02.06.2026 18:47 Last: 02.06.2026 18:47 Sources 1

About this happening: **Instagram accounts** were hijacked after attackers abused **Meta’s AI-powered support tools** to pass recovery checks and change the recovery email, creating a direct failure in...

Timeline

  1. 19.02.2026 14:30 5 articles · 4mo ago

    Microsoft Entra device code phishing and vishing campaign

    Initial Disclosure

    Threat actors are targeting technology, manufacturing, and financial organizations with device code phishing and voice phishing (vishing) that abuse the OAuth 2.0 Device Authorization flow to obtain valid authentication tokens for Microsoft Entra accounts. The workflow uses legitimate Microsoft OAuth client IDs and the microsoft.com/devicelogin page to persuade employees to enter a generated user_code, which can then be exchanged for access tokens that reach Microsoft 365 and other SSO-linked SaaS applications without another MFA prompt. KnowBe4 Threat Labs also identified a related campaign using phishing emails and websites, with fake payment configuration prompts, document-sharing alerts, and bogus voicemail notifications, first spotted in December 2025; Microsoft Threat Intelligence Center had previously warned in February 2025 about device code phishing against Microsoft 365 accounts.

    Show sources