Cyber Threats | 3 min read | December 22, 2025 | HD Intelligence Desk

Risk Report: Microsoft 365 Accounts Targeted in Wave of OAuth Phishing Attacks

Threat actors are abusing the OAuth device code authorization flow to hijack Microsoft 365 accounts — bypassing MFA entirely by tricking users into authorizing malicious applications through legitimate Microsoft login pages.


Photo by Hakim Menikh on Unsplash

Threat actors are increasingly targeting Microsoft 365 accounts with a phishing technique that abuses the OAuth device code authorization flow: victims are tricked into authorizing attacker-controlled applications through legitimate Microsoft login pages. Rather than stealing passwords or defeating multi-factor authentication, the attacker has the user enter a device code on Microsoft's own sign-in page, and the sign-in that the user completes there issues the attacker's application persistent access tokens carrying the account's permissions.

Proofpoint reports that this activity has grown significantly and now includes both financially motivated groups and state-aligned actors targeting sensitive sectors. The attacks rely on phishing kits such as SquarePhish and Graphish and stand out for their volume and sophistication.

What This Means

Even organizations that enforce MFA are exposed: the victim completes the sign-in, MFA prompt included, on a genuine Microsoft page, so the attacker obtains persistent access to the Microsoft 365 account through granted OAuth permissions without ever capturing a password. Compromised accounts can then be used for email monitoring, data exfiltration, lateral movement, and further phishing campaigns. These attacks are particularly hard to detect because every step happens on legitimate Microsoft login domains, which makes vigilance and user awareness critical defensive layers.

What To Do Next

  • Educate users on OAuth phishing: Train staff not to authorize applications or enter device codes unless they initiated the process and can independently verify the request.
  • Audit third-party app permissions: Regularly review and revoke unauthorized or unknown application permissions in your Microsoft 365 tenant.
  • Enforce Conditional Access policies: Configure sign-in origin restrictions to limit where and how OAuth permissions can be granted.
  • Monitor for anomalies: Use your SIEM or identity platform to detect unusual sign-ins and consent grants, and revoke suspicious OAuth tokens immediately.
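As an added example (not part of the original report), the following Python script applies the last two recommendations to Microsoft Entra sign-in records in the shape returned by the Graph API signIns endpoint: it isolates device code flow sign-ins and flags those from an unexpected client app, from outside corporate networks, or without a Conditional Access policy applied, then lists the users whose sessions should be revoked pending review. The field names (authenticationProtocol, appDisplayName, ipAddress, conditionalAccessStatus, userPrincipalName, createdDateTime) are real Graph signIn properties; the sample records, the corporate IP ranges and the allowed-app list are constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample records in the shape of Microsoft Graph /auditLogs/signIns
# (only the properties this script reads). All values are made up.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.7",
  "conditionalAccessStatus": "notApplied", "createdDateTime": "2025-12-20T09:14:00Z"},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.12",
  "conditionalAccessStatus": "success", "createdDateTime": "2025-12-20T09:20:00Z"},
 {"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
  "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.9",
  "conditionalAccessStatus": "success", "createdDateTime": "2025-12-20T10:02:00Z"},
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "appDisplayName": "UnknownClient", "ipAddress": "192.0.2.55",
  "conditionalAccessStatus": "notApplied", "createdDateTime": "2025-12-20T11:40:00Z"}
]""")

# Constructed tenant policy: the networks and client apps where the device code
# flow is legitimately used (for example, admins running a CLI from the office).
CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def triage_device_code_signins(signins):
    """Return device code flow sign-ins worth a look, each with its reasons."""
    findings = []
    for ev in signins:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue  # only the flow this campaign abuses
        reasons = []
        if ev.get("appDisplayName") not in ALLOWED_DEVICE_CODE_APPS:
            reasons.append("unexpected client app")
        if not is_corporate(ev.get("ipAddress", "0.0.0.0")):
            reasons.append("sign-in recorded from outside corporate networks")
        if ev.get("conditionalAccessStatus") != "success":
            reasons.append("no Conditional Access policy applied")
        if reasons:
            findings.append({"user": ev["userPrincipalName"], "app": ev["appDisplayName"],
                             "ip": ev["ipAddress"], "time": ev["createdDateTime"],
                             "reasons": reasons})
    return findings

def users_to_review(findings):
    """Users whose sessions to revoke pending investigation, most findings first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return sorted(counts, key=lambda u: (-counts[u], u))
```

Running `triage_device_code_signins(SAMPLE_SIGNINS)` on the constructed records flags both of alice's device code sign-ins and leaves bob's in-network, policy-covered CLI sign-in alone; a real deployment would feed it the paged output of the Graph signIns query instead of the embedded sample.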
