- Proofpoint reports increase in phishing abusing Microsoft OAuth 2.0 device code flow
- Victims enter codes on real Microsoft domains, granting access tokens to attackers
- Proofpoint advises blocking device code flows
Cybercriminals, including state-sponsored threat actors, are increasingly abusing Microsoft’s OAuth 2.0 device code authentication flow to take over Microsoft 365 accounts.
That’s according to a new report from cybersecurity firm Proofpoint, published on December 18, in which researchers confirm a sharp escalation since September 2025 in social engineering attacks that trick victims into granting access to their own accounts.
The attack usually begins with a phishing email containing either a link or a QR code. Victims are then informed that to view the content, they must re-authenticate their account by entering a device code on the Microsoft login page.
Russians, Chinese and others
Once the victim enters the code, the attackers receive an access token tied to the victim’s account, which not only gives them access but also enables email monitoring, lateral movement, and more.
The connection takes place over a real Microsoft domain, Proofpoint further explains, meaning that traditional phishing defenses and user awareness controls are mostly useless. Attackers don’t actually steal passwords or MFA codes, so no alarms are raised there either.
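Because the sign-in itself happens on a genuine Microsoft endpoint, the most reliable place to spot this technique is the tenant’s own sign-in logs rather than mail filtering. The following added example (not Proofpoint’s or TechRadar’s code) triages Microsoft Entra sign-in log records for the device code flow. It assumes the record shape of the Microsoft Graph signIn resource, where the `authenticationProtocol` field is `deviceCode` for this flow; the log records and the list of apps expected to use device code in the tenant are constructed sample data.

```python
"""Triage device-code sign-ins in Microsoft Entra sign-in log records.

Added example, not code from the article or from Proofpoint. Assumes the
field names of the Microsoft Graph signIn resource (/auditLogs/signIns),
where authenticationProtocol == "deviceCode" marks the device code flow.
"""
from collections import defaultdict

# Constructed sample records: field names follow the Graph signIn resource,
# all values (users, apps, IPs, timestamps) are invented.
SAMPLE_SIGNINS = [
    {"id": "1", "createdDateTime": "2025-12-10T09:12:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "2", "createdDateTime": "2025-12-10T09:15:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"id": "3", "createdDateTime": "2025-12-10T09:16:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"id": "4", "createdDateTime": "2025-12-10T09:20:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
]

# Hypothetical allowlist: apps from which this tenant expects device-code sign-ins
# (headless CLIs on admin workstations, for instance).
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def device_code_signins(records):
    """Return only the records that authenticated via the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def triage(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Assign a severity to every device-code sign-in.

    high:   successful sign-in through an app not expected to use device code
    medium: successful sign-in through an expected app (still confirm with the user)
    low:    failed attempt (errorCode != 0), kept as campaign telemetry
    """
    findings = []
    for r in device_code_signins(records):
        succeeded = r.get("status", {}).get("errorCode", 0) == 0
        if not succeeded:
            severity = "low"
        elif r.get("appDisplayName") in expected_apps:
            severity = "medium"
        else:
            severity = "high"
        findings.append({
            "id": r["id"],
            "user": r["userPrincipalName"],
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "time": r.get("createdDateTime"),
            "severity": severity,
        })
    return findings


def shared_source_ips(findings):
    """Map each IP that completed successful device-code sign-ins for more than
    one distinct user to that set of users. In a device-code phishing campaign
    the IP on the sign-in belongs to the client that started the flow, so one
    IP finishing logins for several accounts is a strong signal."""
    by_ip = defaultdict(set)
    for f in findings:
        if f["severity"] != "low":
            by_ip[f["ip"]].add(f["user"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    findings = triage(SAMPLE_SIGNINS)
    for f in findings:
        print(f"[{f['severity']:<6}] {f['time']} {f['user']} via {f['app']} from {f['ip']}")
    for ip, users in shared_source_ips(findings).items():
        print(f"IP {ip} completed device-code sign-ins for {len(users)} users: {sorted(users)}")
```

In a real deployment the records would come from a Graph export or a SIEM query instead of the inline list; the triage logic stays the same. The allowlist is the part that needs tuning per tenant, since device code is legitimate for headless tools but almost never for a user who "just clicked a link in an email".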
Proofpoint reports that several groups are currently abusing this technique, including TA2723 (a financially motivated threat actor), UNK_AcademicFlare (a Russian state-sponsored threat actor targeting government and military email accounts for cyber espionage), and several Chinese groups.
It has also been reported that criminals use different phishing frameworks, such as SquarePhish 2 and Graphish, which automate device code abuse, support QR codes, and integrate with Azure application registrations. This lowers the barrier to entry and allows even low-skilled bad actors to engage in attacks.
Proofpoint believes that abuse of OAuth and device code authentication is likely to grow, particularly as organizations adopt passwordless and FIDO-based authentication, and recommends blocking device code flows through Conditional Access where possible.
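The Conditional Access control Proofpoint refers to is an authentication-flows condition that can block the device code flow tenant-wide. The following added example (not Proofpoint’s or Microsoft’s code) builds that policy body and audits a list of existing policies to check whether the tenant is actually covered. The body follows the Microsoft Graph conditionalAccessPolicy schema as I know it (`conditions.authenticationFlows.transferMethods` set to `deviceCodeFlow` with the `block` grant control); posting it to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` needs the `Policy.ReadWrite.ConditionalAccess` permission, which this script does not do. The existing policies and the break-glass group ID are constructed placeholders.

```python
"""Build and audit a Conditional Access policy that blocks the device code flow.

Added example, not code from the article, Proofpoint or Microsoft. The policy
body follows the Graph conditionalAccessPolicy schema as the author of this
example knows it; the script only builds and inspects JSON offline.
"""
import json

BLOCK_CONTROL = "block"
DEVICE_CODE = "deviceCodeFlow"   # transferMethods flag value for the device code flow


def build_block_device_code_policy(display_name="Block device code flow",
                                   state="enabledForReportingButNotEnforced",
                                   exclude_groups=()):
    """Return the policy body. Defaults to report-only mode so the sign-in logs
    show who would have been blocked before the policy is switched to enforced."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(exclude_groups),   # e.g. a break-glass account group
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": DEVICE_CODE},
        },
        "grantControls": {"operator": "OR", "builtInControls": [BLOCK_CONTROL]},
    }


def blocks_device_code(policy):
    """True only if an *enforced* policy blocks device code for all users and apps.
    Report-only or disabled policies, and scoped policies, do not count."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    # transferMethods is a comma-separated flags string, e.g. "deviceCodeFlow,authenticationTransfer"
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if DEVICE_CODE not in [m.strip() for m in methods.split(",")]:
        return False
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        return False
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        return False
    return BLOCK_CONTROL in policy.get("grantControls", {}).get("builtInControls", [])


def audit(policies):
    """Return the display names of policies that actually block the device code flow."""
    return [p["displayName"] for p in policies if blocks_device_code(p)]


# Constructed sample of what a tenant's policy list might contain.
PLACEHOLDER_BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000000"  # placeholder GUID
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    build_block_device_code_policy("Device code - report only"),
    build_block_device_code_policy("Block device code flow", state="enabled",
                                   exclude_groups=[PLACEHOLDER_BREAK_GLASS_GROUP]),
]


if __name__ == "__main__":
    print(json.dumps(build_block_device_code_policy(), indent=2))
    covered = audit(SAMPLE_POLICIES)
    print("Enforced device-code blocks:", covered or "NONE - tenant is exposed")
```

The audit deliberately ignores report-only policies: they are the right first step, but they stop nothing, and an MFA-for-all policy does not help here either because the attacker never handles the MFA prompt. Where a team genuinely needs device code (headless CLI tooling), scope the exception with an excluded group rather than leaving the flow open for everyone.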