#1 Middle East & Africa Trusted Cybersecurity News & Magazine |

Access Granted: How Device Code Phishing Is Fueling Account Takeovers


Phishing is no longer just about fake login pages and stolen passwords. According to new research from Proofpoint, threat actors are increasingly abusing a legitimate Microsoft authentication feature – OAuth device code authorization – to gain full access to Microsoft 365 accounts. The technique is subtle, highly effective, and difficult for users to spot, even when multi-factor authentication (MFA) is enabled.

The findings, published by Proofpoint Threat Research, signal a worrying shift: attackers are no longer trying to break security controls; they are persuading users to approve access themselves.

What Is Device Code Phishing – and Why It Works

As detailed in Proofpoint’s analysis, device code phishing exploits the OAuth 2.0 device authorization grant flow, a mechanism designed to let users sign in on devices with limited input capabilities, such as smart TVs or IoT devices.

In a typical attack, victims receive an email or message containing a link, button, or QR code. The lure often claims to be a shared document, salary update, or security notification. When the link is followed, the user is guided through what appears to be a legitimate Microsoft login process and is instructed to enter a short “one-time code” at Microsoft’s official device login page.

What the user doesn’t realize is that by entering that code, they are authorizing a malicious application controlled by the attacker. No password theft. No fake login page. Just a legitimate Microsoft flow – abused.

Once authorized, attackers gain access to the victim’s Microsoft 365 account, enabling account takeover, data exfiltration, persistence, and lateral movement.

From Targeted Abuse to Widespread Campaigns

Proofpoint notes that while device code phishing has been observed before in limited attacks and red-team activity, September 2025 marked a turning point. Multiple threat clusters – both financially motivated and state-aligned – began using the technique at scale.

Among the actors tracked is TA2723, a high-volume cybercriminal group known for spoofing Microsoft OneDrive, LinkedIn, and DocuSign. By October 2025, TA2723 had integrated device code phishing into its campaigns, using convincing document-sharing and salary-themed lures to trick victims into granting access.

At the same time, state-aligned threat actors, particularly Russia-aligned groups, have adopted the same approach. Proofpoint tracks one such actor, UNK_AcademicFlare, which has targeted government, military, academic, energy, and transportation organizations using compromised email accounts and long-running social engineering conversations before delivering device code phishing links.

Tools Lowering the Barrier for Attackers

A key reason for the rapid spread of this technique is the availability of easy-to-use phishing tools.

  • SquarePhish2 automates OAuth device code phishing using QR codes and Microsoft’s legitimate authentication pages. It requires minimal technical expertise and can scale attacks efficiently.
  • Graphish, a phishing kit shared on vetted hacking forums, combines OAuth abuse with adversary-in-the-middle (AiTM) techniques, Azure app registrations, and reverse proxies to hijack sessions even after MFA approval.

These tools significantly lower the barrier to entry, allowing even low-skilled actors to conduct high-impact, enterprise-grade phishing attacks.

Why This Matters Globally – and for MEA Organizations

This threat is global by design. Any organization using Microsoft 365 – from startups to governments – is a potential target.

For Middle East and Africa (MEA) organizations, the risk is especially acute. Rapid cloud adoption, increased reliance on Microsoft services, and uneven user awareness programs make many enterprises vulnerable to OAuth abuse and social-engineering-driven attacks. Government agencies, financial institutions, energy companies, and universities across the region are particularly attractive targets.

Security leaders across MEA are increasingly turning to partners like Saintynet Cybersecurity to assess identity security posture, OAuth exposure, and phishing resilience.

10 Recommended Actions for Security Teams

  1. Block device code authentication where possible using Conditional Access policies.
  2. Deploy Conditional Access in report-only mode first to understand business impact before enforcement.
  3. Restrict device code flow to approved users, IP ranges, or named locations if full blocking isn’t feasible.
  4. Require compliant or Intune-joined devices for Microsoft 365 sign-ins.
  5. Audit Azure App Registrations and remove unused or suspicious OAuth applications.
  6. Monitor sign-in logs for device code authentication events and unusual OAuth grants.
  7. Harden email security controls to detect QR-code and OAuth-themed phishing lures.
  8. Train users specifically on device code phishing, not just traditional fake-login phishing.
  9. Implement least-privilege access for Microsoft Graph permissions.
  10. Run phishing simulations and tabletop exercises focused on OAuth abuse scenarios.
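As an added example (not code from the article or from Proofpoint), the following Python script implements the monitoring in step 6 over a handful of constructed sign-in records shaped like a Microsoft Entra sign-in log export. The field names used (`authenticationProtocol` with the value `deviceCode`, `userPrincipalName`, `location.countryOrRegion`, `status.errorCode`) are assumptions modelled on that schema, and every sample value is constructed; the "high" severity rule (device code sign-in from a country the user has never signed in from otherwise) is a heuristic, not a rule from the article.

```python
import json
from collections import defaultdict

# Constructed sample records (not real telemetry) shaped like a Microsoft Entra
# sign-in log export. Field names are an assumption modelled on that schema.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-10-03T08:12:04Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "AE"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-03T09:41:17Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-03T10:02:55Z", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "AE"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-03T10:05:12Z", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "AE"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-03T11:30:00Z", "userPrincipalName": "carol@example.test",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
])

def succeeded(rec):
    """A sign-in counts as successful when its error code is 0."""
    return rec.get("status", {}).get("errorCode", 1) == 0

def baseline_countries(records):
    """Countries each user normally signs in from, taken from successful sign-ins that did NOT use device code."""
    seen = defaultdict(set)
    for rec in records:
        if succeeded(rec) and rec.get("authenticationProtocol") != "deviceCode":
            seen[rec["userPrincipalName"]].add(rec["location"]["countryOrRegion"])
    return seen

def find_device_code_signins(raw_json):
    """One alert per successful device code sign-in; 'high' if the country is outside the user's baseline."""
    records = json.loads(raw_json)
    baseline = baseline_countries(records)
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode" or not succeeded(rec):
            continue  # failed attempts and ordinary OAuth sign-ins are not alerted here
        user, country = rec["userPrincipalName"], rec["location"]["countryOrRegion"]
        severity = "high" if country not in baseline[user] else "medium"
        alerts.append({"user": user, "app": rec["appDisplayName"], "ip": rec["ipAddress"],
                       "country": country, "time": rec["createdDateTime"], "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{a['severity'].upper()}] {a['time']} {a['user']} device code sign-in to {a['app']} from {a['ip']} ({a['country']})")
```

Every successful device code sign-in is surfaced so that a team enforcing step 1 can confirm the flow is actually blocked; the baseline comparison only ranks which ones to look at first.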

For deeper technical coverage on identity threats and phishing evolution, readers can explore related analysis, including prior coverage of MFA bypass techniques and cloud identity abuse.

Conclusion

Device code phishing marks a dangerous evolution in the threat landscape. By abusing trusted authentication flows and relying on human behavior rather than technical exploits, attackers are achieving account takeover without stealing passwords or breaking MFA.

Proofpoint’s research makes one thing clear: identity is now the primary attack surface, and OAuth controls can no longer be treated as a secondary concern. Organizations that fail to adapt their defenses – technically and culturally – risk handing attackers the keys to their cloud environments.

In a world of passwordless authentication and seamless user experience, security teams must ensure that convenience does not become consent.
