Microsoft 365 Phishing Surges with Sneaky “Device Code” Trick


According to Infosecurity Magazine, a major surge in phishing campaigns abusing Microsoft’s OAuth device code authorization flow is underway, targeting Microsoft 365 accounts. Proofpoint’s new advisory details that both state-aligned and financially motivated actors are using the technique, with a sharp increase observed by September 2025. The attacks typically use QR codes, embedded buttons, or hyperlinks in emails claiming to involve document sharing or security verification. One specific campaign on December 8 used a fake document titled “Salary Bonus + Employer Benefit Reports 25” to lure victims. The growth is linked to readily available tools like the SquarePhish2 framework and the free Graphish phishing kit, which lower the technical barrier for attackers. Once a victim enters the supplied code on Microsoft’s genuine login page and completes sign-in, the attacker receives valid tokens for the account and can act as that user across the services the tokens cover.


How the device code trick works

Here’s the thing: this isn’t some exotic zero-day. It’s abusing a totally legitimate feature, the OAuth 2.0 device authorization grant (RFC 8628), built for signing into apps on input-constrained devices like smart TVs, gaming consoles and command-line tools. The attacker asks Microsoft’s device authorization endpoint for a code pair, typically using the client ID of an existing first-party Microsoft application so that no consent screen is ever shown. Microsoft hands back a short user code and a verification URL, and that URL is the real Microsoft device-login page. The attacker plants the code in the lure, maybe a QR code on a fake “OneDrive” document share, and starts polling the token endpoint in the background. You, thinking you’re doing the right thing, go to the *real* Microsoft page, enter the code, sign in and complete MFA. But you’re not signing yourself into anything. You’re authorizing the session the attacker requested, and their next poll hands them access and refresh tokens for your account. It’s a brutal, effective trick because it never touches your password, and MFA doesn’t stop it: you answer the MFA prompt yourself as part of the legitimate sign-in, so the tokens come out of a fully authenticated session. The one constraint on the attacker is timing, because the code expires after a short window (typically around 15 minutes), so the lure has to get you to the page quickly. The user is essentially handing over the keys.
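To make the exchange concrete, here is the device authorization grant simulated end to end against a local fake authorization server, so the attacker’s requests, the victim’s approval and the expiry window can be seen side by side. This is an added example, not code from the article, from Proofpoint, or from any phishing kit: the endpoints, client ID and token values are placeholders, and the 15-minute code lifetime and 5-second polling interval are assumptions baked into the fake server rather than statements about any real tenant.

```python
"""RFC 8628 device authorization grant, simulated with a local fake server.
Added example; endpoints, client IDs and tokens below are placeholders."""
import secrets
import string

CODE_TTL_SECONDS = 900   # assumption: the fake server expires device codes after 15 minutes
POLL_INTERVAL = 5        # server-suggested polling interval, as in RFC 8628


class Clock:
    """Controllable clock so the flow is deterministic (no real sleeping)."""
    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


class FakeAuthServer:
    """Stand-in for the two endpoints the attacker talks to:
      POST .../oauth2/v2.0/devicecode  (client_id, scope)
      POST .../oauth2/v2.0/token       (grant_type=urn:ietf:params:oauth:grant-type:device_code,
                                        client_id, device_code)
    and for the verification page the victim visits."""

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}   # device_code -> request record

    def device_authorization(self, client_id, scope):
        # Step 1: attacker requests a code pair. The user_code is what ends up in the lure.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock.now + CODE_TTL_SECONDS, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.invalid/devicelogin",  # placeholder
                "expires_in": CODE_TTL_SECONDS, "interval": POLL_INTERVAL}

    def user_approves(self, user_code, victim_upn):
        # Step 2: victim types the code on the genuine page and completes MFA there.
        # Nothing on that page tells the victim who requested the code.
        for rec in self.pending.values():
            if rec["user_code"] == user_code and self.clock.now < rec["expires_at"]:
                rec["approved_by"] = victim_upn
                return True
        return False

    def token(self, client_id, device_code):
        # Step 3: attacker polls until the grant is approved, expired or rejected.
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock.now >= rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": f"access-token-for-{rec['approved_by']}",   # placeholder, not a JWT
                "refresh_token": secrets.token_urlsafe(24)}


def run_device_code_phish(clock, victim_upn, seconds_until_victim_acts,
                          client_id="placeholder-client-id"):
    """Attacker side: request a code, send the lure, poll until tokens or expiry.
    Returns the final token-endpoint response and the number of polls made."""
    server = FakeAuthServer(clock)
    grant = server.device_authorization(client_id, "openid profile offline_access")
    # The lure (QR code, button or link) carries grant["verification_uri"] and grant["user_code"].
    victim_acts_at = clock.now + seconds_until_victim_acts
    victim_done = False
    polls = 0
    while True:
        if not victim_done and clock.now >= victim_acts_at:
            victim_done = True
            server.user_approves(grant["user_code"], victim_upn)   # fails silently if already expired
        resp = server.token(client_id, grant["device_code"])
        polls += 1
        if resp.get("error") != "authorization_pending":
            return resp, polls
        clock.advance(grant["interval"])


if __name__ == "__main__":
    quick, _ = run_device_code_phish(Clock(), "victim@example.invalid", 60)
    slow, _ = run_device_code_phish(Clock(), "victim@example.invalid", 1000)
    print("victim acts after 60 s :", quick)
    print("victim acts after 1000 s:", slow)
```

Two things worth noticing when you run it: the victim never sees the client ID or anything that distinguishes this request from their own, and a victim who opens the lure after the window has passed leaves the attacker with `expired_token`, which is exactly why real kits automate re-issuing fresh codes on demand.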

Why this is exploding now

So why the sharp spike? Basically, the tools got easy. Proofpoint points to SquarePhish2 and Graphish—kits that automate the whole grimy process. We’re not talking about nation-state level coding skills here anymore. These are user-friendly frameworks that let a wider range of criminals run these ops. And the lures are classic social engineering: fake salary documents, “urgent” reauthorization requests, security verification prompts. It preys on routine workplace behavior. Now, when you combine accessible tooling with a high-success-rate technique that targets a ubiquitous platform like M365, you’ve got a perfect storm for attackers. It’s a commodity attack now.

Who’s behind it and what’s next

Proofpoint ties this to both financial and state-aligned groups. A financially motivated actor tracked as TA2723 jumped in by October 2025. And they spotted Russia-linked groups, like one dubbed UNK_AcademicFlare, targeting government and academic sectors. This aligns with a broader shift toward “passwordless phishing” as more companies adopt phishing-resistant, FIDO-based MFA. If you can’t steal a password or replay an MFA prompt, you trick the user into authorizing a token for you directly. It’s an adaptation to our defenses. The advisory’s warning is stark: this abuse will keep growing.

What can you actually do?

Training is the first, frustrating line of defense. Users need to hear it plainly: never enter a device code that arrived in an unsolicited email, message or QR code. But let’s be real, that’s a tough ask when the page they land on genuinely belongs to Microsoft. The technical controls matter more. The cleanest one is a Conditional Access policy that blocks the device code flow outright (the authentication flows condition) and, if some teams really need it for CLI tools, scopes the exception to those users and their managed devices. Watch the Entra sign-in logs for sign-ins whose authentication protocol is “Device Code” and treat any from users or apps that have no business using it as an incident. On a hit, revoke the user’s sessions and refresh tokens rather than only resetting the password, because the attacker is holding tokens, not credentials. Consent policies still belong in the baseline (restrict users from consenting to third-party apps, audit granted OAuth applications regularly, revoke anything suspicious), but don’t count on them here: a phisher who requests the code with a first-party Microsoft client ID never triggers a consent prompt at all. The core challenge? This attack exploits a trusted user action on a trusted Microsoft page. That’s a hard combination to beat. It means the burden is shifting even more to administrative controls and away from hoping users will spot the fake. The cat-and-mouse game continues, but this mouse just found a very big piece of cheese.
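The sign-in log review described above, as an added example that is not part of the original article or of Proofpoint’s advisory: a small triage script that walks exported sign-in records, keeps only the ones that used the device code protocol, and flags those from users or countries where that flow is not expected. The records are constructed for the example and shaped like Microsoft Graph `signIn` objects as I understand them; it is an assumption that your export uses the same field names (notably `authenticationProtocol`, `location.countryOrRegion` and `status.errorCode`), and the allow-lists are placeholders to tune per tenant.

```python
"""Triage Entra sign-in records for device code sign-ins.
Added example; records are constructed and field names are assumed to match Graph's signIn resource."""
import json

# Constructed sample export (one JSON object per line). Not real log data.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2025-12-08T09:01:00Z", "userPrincipalName": "dev.alice@example.invalid",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-08T09:14:00Z", "userPrincipalName": "bob.finance@example.invalid",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-08T09:20:00Z", "userPrincipalName": "bob.finance@example.invalid",
     "appDisplayName": "Outlook Web", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-08T09:31:00Z", "userPrincipalName": "carol@example.invalid",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
])


def parse_signins(text):
    """Parse a newline-delimited JSON export into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_device_code(signins, expected_users, expected_countries):
    """Return alerts for device code sign-ins outside the expected user set or countries.

    Device code is legitimately used by CLI tooling, so the allow-list is the tuning knob:
    a successful device code sign-in by anyone outside it is treated as high severity,
    a failed one as medium (the lure reached the user even if the grant did not complete)."""
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # interactive and other grants are out of scope for this check
        upn = s.get("userPrincipalName", "")
        country = s.get("location", {}).get("countryOrRegion")
        reasons = []
        if upn not in expected_users:
            reasons.append("user not expected to use device code")
        if country not in expected_countries:
            reasons.append(f"sign-in from unexpected country {country}")
        if not reasons:
            continue
        succeeded = s.get("status", {}).get("errorCode", 0) == 0
        alerts.append({
            "time": s.get("createdDateTime"), "user": upn, "app": s.get("appDisplayName"),
            "ip": s.get("ipAddress"), "succeeded": succeeded,
            "severity": "high" if succeeded else "medium", "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    # Placeholder allow-lists: developers who use CLI tools, and the countries staff sign in from.
    found = triage_device_code(parse_signins(SAMPLE_SIGNINS),
                               expected_users={"dev.alice@example.invalid"},
                               expected_countries={"US"})
    for a in found:
        print(f"[{a['severity']}] {a['time']} {a['user']} via {a['app']} from {a['ip']}: "
              + "; ".join(a["reasons"]))
```

A high-severity hit is the point where you revoke the user’s sessions and refresh tokens (in Microsoft Graph PowerShell that is `Revoke-MgUserSignInSession`) before doing anything else, since the attacker’s tokens keep working regardless of a password reset. The same filter expressed as a saved query in your SIEM will do the job continuously; the script is just the logic made explicit.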
