- Proofpoint reports phishing surge abusing Microsoft OAuth 2.0 device code flow
- Victims enter codes on real Microsoft domains, giving attackers access tokens
- Proofpoint recommends blocking device code flows via Conditional Access where possible
Cybercriminals, including state-sponsored threat actors, are increasingly abusing Microsoft’s OAuth 2.0 device code authentication flow to take over Microsoft 365 accounts.
This is according to a new report from cybersecurity researchers at Proofpoint. In a paper published on December 18, the researchers say that since September 2025 there has been a sharp escalation in social engineering attacks in which victims are tricked into granting access to their accounts.
The attack usually starts with a phishing email containing either a link or a QR code. Victims are then told that to view the content, they must re-authenticate their account by entering a device code on Microsoft’s login page.
Russians, Chinese and others
After the victim enters the code, the threat actors receive an access token tied to the victim's account, which not only gives them access but also enables email monitoring, lateral movement, and more.
Login occurs on a real Microsoft domain, Proofpoint further explains, meaning that traditional phishing defenses and user awareness checks are mostly useless. The attackers don’t actually steal passwords or MFA codes, so no alarms are triggered either.
Proofpoint says there are several groups currently abusing this technique, including TA2723 (a financially motivated threat actor), UNK_AcademicFlare (a Russian state-sponsored threat actor targeting government and military email accounts for cyberespionage purposes), and several groups from China.
The report also notes that the criminals are using phishing frameworks such as SquarePhish 2 and Graphish, which automate device code abuse, support QR codes and integrate with Azure app registrations. This lowers the barrier to entry and lets even low-skilled threat actors mount such attacks.
Proofpoint believes that abuse of OAuth and device code authentication is likely to grow, especially as organizations adopt passwordless and FIDO-based authentication, and recommends blocking device code flows via Conditional Access where possible.
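As an added example (not code from Proofpoint or Microsoft), the following Python shows the two defensive steps the article points at: flagging device code sign-ins in Entra ID sign-in records, with the source IP compared against the user's other sign-ins, and building the Conditional Access policy body that blocks the flow. The sign-in records are constructed, and the field names (`authenticationProtocol`, `authenticationFlows.transferMethods`) are assumed to follow the Microsoft Graph `signIn` and `conditionalAccessPolicy` schemas; verify them against your tenant before relying on them.

```python
"""Flag OAuth 2.0 device code sign-ins in Entra ID sign-in records and build
the Conditional Access policy that blocks the flow. Added example, not code
from Proofpoint or Microsoft; field names follow the Graph `signIn` and
`conditionalAccessPolicy` schemas (an assumption to verify in your tenant)."""
from collections import defaultdict

# Constructed sample events. Alice's device code was redeemed from an IP she
# has never signed in from; Bob's came from his usual IP.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.22", "appDisplayName": "Outlook"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Office"},
]

def find_device_code_signins(signins):
    """Return every device code sign-in, marking those whose source IP never
    appears in a non-device-code sign-in for the same user in this batch."""
    known_ips = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            known_ips[s["userPrincipalName"]].add(s["ipAddress"])
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            user, ip = s["userPrincipalName"], s["ipAddress"]
            hits.append({"user": user, "ip": ip, "app": s.get("appDisplayName"),
                         "new_ip": ip not in known_ips[user]})
    return hits

def block_device_code_policy():
    """Conditional Access policy body that blocks the device code flow for all
    users. Created in report-only mode so sign-in impact can be reviewed first."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",  # set "enabled" to enforce
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Calling `find_device_code_signins(SAMPLE_SIGNINS)` returns two hits, with Alice's marked `new_ip: True` and Bob's `new_ip: False`; the policy dict is the request body you would POST to the Graph `identity/conditionalAccess/policies` endpoint.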