Cybercriminals and state-sponsored hackers are increasingly exploiting Microsoft’s legitimate OAuth 2.0 device authorization process to hijack enterprise accounts, bypassing multifactor authentication protections and gaining persistent access to sensitive organizational data, a report said.

Researchers at Proofpoint tracked multiple threat clusters — both financially motivated and state-aligned — that were using device code phishing techniques to trick users into granting unauthorized access to their Microsoft 365 accounts. The campaigns have surged since September 2025, representing a significant shift from limited, targeted attacks to widespread exploitation.

“While this is not necessarily a novel technique, it is notable to see it used increasingly by multiple threat clusters,” the Proofpoint Threat Research Team wrote in a blog post.

The tactic represents an evolution of techniques that financially motivated groups used earlier this year to breach Salesforce environments at Google, Qantas, and luxury brands through similar OAuth abuse, affecting hundreds of organizations. Those Salesforce attacks, which began in June 2025, used voice phishing. The current wave drops the phone calls for email-based social engineering, making attacks easier to scale.

A legitimate process turned malicious

The attacks abuse OAuth’s device authorization flow, which was designed for authenticating on input-constrained devices like smart TVs and IoT devices. Threat actors, according to the blog post, initiate the legitimate Microsoft device authorization process, then trick victims into entering the generated device code — disguised as a one-time password — at Microsoft’s own verification URL.

“The lures typically claim that the device code is an OTP and direct the user to input the code at Microsoft’s verification URL,” the researchers wrote. “Once the user inputs the code, the original token is validated, giving the threat actor access to the targeted M365 account.”

Successful attacks enable account takeover, data exfiltration, lateral movement within networks, and establishment of persistent access to corporate resources. In some cases, stolen data becomes the basis for extortion attempts, as ShinyHunters demonstrated in its Salesforce campaigns.

Tools of the trade

What’s driving the surge is the availability of tools that make these attacks easy to execute. Proofpoint identified two primary kits: SquarePhish2 and Graphish.

SquarePhish2 is an updated version of a tool originally published by Dell Secureworks in 2022. It automates the OAuth Device Grant Authorization flow and integrates QR code functionality.

The Graphish phishing kit, shared on vetted criminal hacking forums, enables the creation of convincing phishing pages leveraging Azure App Registrations and adversary-in-the-middle attack capabilities. “The tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns,” the Proofpoint researchers wrote in the blog.

These tools help attackers overcome a key limitation: device codes are typically short-lived. The automation enables larger-scale campaigns than were previously possible.

State actors join cybercriminals

Since January 2025, Proofpoint has tracked multiple state-aligned threat actors abusing OAuth device code authorization for account takeover, representing a concerning evolution in espionage tradecraft.

“This technique has been most widely used by Russia-aligned threat actors,” the researchers noted, citing prior reporting by security firm Volexity. Proofpoint also observed suspected China-aligned activity and other unattributed espionage campaigns.

One group, which Proofpoint tracks as UNK_AcademicFlare, has been conducting device code phishing since at least September 2025. The suspected Russia-aligned actor uses compromised email addresses from government and military organizations to target entities in the government, think tank, higher education, and transportation sectors across the US and Europe.

UNK_AcademicFlare typically conducts patient rapport building via benign outreach before launching device code phishing attempts. The group uses compromised accounts to arrange fictitious meetings or interviews, then shares malicious links to Cloudflare Worker URLs spoofing OneDrive accounts.

Volexity researchers documented similar tactics in recent campaigns where Russian actors created fake websites masquerading as legitimate European security conferences to trick attendees into granting OAuth access.

Widespread campaigns target financial lures

Financially motivated threat actors have also embraced device code phishing. Proofpoint highlighted activity from TA2723, a high-volume credential phishing actor known for campaigns spoofing Microsoft OneDrive, LinkedIn, and DocuSign.

Beginning in October 2025, TA2723 launched campaigns using salary and benefits-themed lures. One campaign used email messages purporting to contain documents titled “OCTOBER_SALARY_AMENDED” and “Salary Bonus + Employer Benefits Reports 25.”

The messages directed recipients to URLs that ultimately led to device code authorization pages where victims were tricked into generating and entering one-time passcodes. Proofpoint researchers suspect TA2723 used both SquarePhish2 and Graphish tools across different campaign waves.

The 2025 ShinyHunters campaign demonstrated the potential damage. In a separate but related OAuth abuse incident, threat actors exploited OAuth tokens stolen from the Salesloft/Drift integration to access Salesforce instances at hundreds of organizations. Companies including Cloudflare, Zscaler, and Tenable publicly disclosed unauthorized access to data, triggering breach notification requirements.

Proofpoint recommended organizations create Conditional Access policies to block device code flow entirely or implement allow-lists for approved users and IP ranges. “Traditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal,” the researchers wrote.
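The allow-list approach the researchers recommend can also be checked retrospectively against sign-in telemetry, which gives a defender a way to spot device code sign-ins that a Conditional Access policy should have blocked (or that predate the policy). The script below is an added example written for this article; it is not Proofpoint's or Microsoft's code. The record field names (userPrincipalName, ipAddress, authenticationProtocol with the value deviceCode, status.errorCode) follow the Microsoft Graph sign-in log schema as I understand it, while the sample records, the approved user, the example.com domain and the RFC 5737 address ranges are all constructed for the demonstration.

```python
"""Flag OAuth device-code sign-ins that fall outside an approved allow-list.

Added example for this article, not Proofpoint's or Microsoft's code. The
record shape follows the Microsoft Graph signIn resource (userPrincipalName,
ipAddress, authenticationProtocol, status.errorCode); the records, users and
networks below are constructed.
"""
import ipaddress

# Assumption: the organisation permits device code flow only for a shared
# conference-room device and only from its own egress range.
APPROVED_USERS = {"av-kiosk@example.com"}
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test net

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-10-14T09:02:11Z", "userPrincipalName": "av-kiosk@example.com",
     "ipAddress": "203.0.113.25", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-14T09:15:40Z", "userPrincipalName": "j.doe@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-14T09:16:02Z", "userPrincipalName": "j.doe@example.com",
     "ipAddress": "203.0.113.40", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-14T10:01:00Z", "userPrincipalName": "m.lee@example.com",
     "ipAddress": "198.51.100.90", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]


def ip_allowed(ip: str) -> bool:
    """True if the address sits inside one of the approved networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed or missing address: treat as not allowed
        return False
    return any(addr in net for net in APPROVED_NETWORKS)


def device_code_violations(record: dict) -> list[str]:
    """Return the allow-list rules a single sign-in breaks (empty if none).

    Only device-code sign-ins are checked; other protocols are out of scope.
    """
    if record.get("authenticationProtocol") != "deviceCode":
        return []
    reasons = []
    upn = record.get("userPrincipalName", "").lower()
    if upn not in APPROVED_USERS:
        reasons.append(f"user {upn} not approved for device code flow")
    ip = record.get("ipAddress", "")
    if not ip_allowed(ip):
        reasons.append(f"address {ip} outside approved networks")
    return reasons


def find_suspicious(records: list[dict]) -> list[dict]:
    """Summarise every device-code sign-in that violates the allow-list.

    Failed attempts are kept too: a failure from an unexpected address is
    still a signal that the flow is being tried against the tenant.
    """
    hits = []
    for rec in records:
        reasons = device_code_violations(rec)
        if reasons:
            hits.append({
                "time": rec.get("createdDateTime"),
                "user": rec.get("userPrincipalName"),
                "ip": rec.get("ipAddress"),
                "app": rec.get("appDisplayName"),
                "succeeded": rec.get("status", {}).get("errorCode") == 0,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_SIGNINS):
        outcome = "SUCCESS" if hit["succeeded"] else "failed"
        print(f"{hit['time']} {hit['user']} from {hit['ip']} ({hit['app']}, {outcome}): "
              + "; ".join(hit["reasons"]))
```

Run against the constructed records, the script reports two sign-ins: the successful device code sign-in by j.doe from an address outside the approved range, and the failed attempt by m.lee. The kiosk sign-in passes both checks, and j.doe's ordinary OAuth2 sign-in is ignored because the flow being abused is specifically the device code grant. In production the same logic would consume records exported from the tenant's sign-in logs rather than the inline list, and the allow-list would mirror whatever the Conditional Access policy permits.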

Microsoft did not respond to a request for comment on the findings.
