Phishing attacks abuse Microsoft 365 device code login to bypass MFA

Multiple threat actors are actively compromising Microsoft 365 accounts using phishing attacks that abuse Microsoft’s OAuth device code authorization mechanism, according to new research from email security firm Proofpoint.

Victims are tricked into entering a device code on Microsoft’s legitimate device login page, unknowingly granting access to their Microsoft 365 account via an attacker-controlled application. This way, the attacker doesn’t need to steal credentials or bypass multi-factor authentication (MFA).

The technique itself is not new; however, Proofpoint researchers have observed an increase in such activity since September. The attacks involve both financially motivated cybercriminal groups, such as TA2723, and state-backed threat actors.

All observed attacks rely on social engineering to trick victims into entering a device code on Microsoft’s official device login portals. In some cases, the code is framed as a one-time password, while other lures present it as a routine token re-authorization request.

Proofpoint identified two main phishing kits used in the campaigns called SquarePhish and Graphish. The former is a publicly available red-teaming tool that abuses OAuth device authorization flows, often using QR codes and mimicking legitimate Microsoft MFA setups. Graphish, shared on underground forums, supports OAuth abuse, Azure App Registrations, and adversary-in-the-middle (AiTM) attacks.

Observed campaigns include salary bonus-themed phishing emails using document-sharing lures and localized company branding. Victims are directed to attacker-controlled websites and instructed to complete “secure authentication” by entering a device code, which ultimately authorizes malicious applications.

TA2723, a group previously known for spoofing Microsoft OneDrive, LinkedIn, and DocuSign, began using OAuth device code phishing in October. Proofpoint believes early attacks relied on SquarePhish, with later waves potentially shifting to Graphish.

Proofpoint also tracked state-supported activity since September 2025, attributing it to a suspected Russia-aligned actor dubbed UNK_AcademicFlare. The group reportedly uses compromised government and military email accounts to establish trust before sending OneDrive-themed phishing links. The activity mainly targets government, academic, think tank, and transportation sectors in the US and Europe.

To mitigate the risk, organizations are advised to enable Microsoft Entra Conditional Access where possible and to implement stricter policies around sign-in origins so that suspicious authorization attempts can be detected and blocked.
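Alongside Conditional Access, the sign-in origin checks described above can be run over Entra sign-in logs after the fact. The following is an added example (not Proofpoint's or Microsoft's code) that flags device code sign-ins which either used an application not on a defined allowlist or originated from a country outside the organization's expected set. The log records are constructed; their field names are modelled on the Microsoft Graph `signIn` resource (`authenticationProtocol`, `appId`, `appDisplayName`, `location.countryOrRegion`), and the allowlist and expected-country set are assumptions that an organization would replace with its own baseline.

```python
"""Flag Microsoft 365 device code sign-ins that fall outside a defined baseline.

Added example; not Proofpoint's or Microsoft's code. Field names follow the
Microsoft Graph signIn resource as assumed here; all values are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample records loosely modelled on Entra sign-in log entries.
# IPs come from the TEST-NET-3 documentation range; app IDs are invented.
SAMPLE_SIGNINS_JSON = """
[
 {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
  "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Constructed Corp CLI",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
 {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
  "appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Constructed Unknown App",
  "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL"}},
 {"userPrincipalName": "carol@example.test", "authenticationProtocol": "none",
  "appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Constructed Web Portal",
  "ipAddress": "203.0.113.80", "location": {"countryOrRegion": "NL"}},
 {"userPrincipalName": "dave@example.test", "authenticationProtocol": "deviceCode",
  "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Constructed Corp CLI",
  "ipAddress": "203.0.113.90", "location": {"countryOrRegion": "SG"}}
]
"""

# Assumed organizational baseline: the only app expected to use the device
# code flow, and the countries from which staff normally sign in.
ALLOWED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}
EXPECTED_COUNTRIES = {"US"}


@dataclass
class Finding:
    user: str
    app: str
    ip: str
    reasons: list[str] = field(default_factory=list)


def assess_device_code_signins(records, allowed_app_ids, expected_countries):
    """Return a Finding for each device code sign-in that breaks the baseline.

    Interactive browser sign-ins (any other authenticationProtocol value) are
    skipped; the device code flow is the one the phishing campaigns abuse.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if rec.get("appId") not in allowed_app_ids:
            reasons.append("app not on device-code allowlist")
        country = rec.get("location", {}).get("countryOrRegion")
        if country not in expected_countries:
            reasons.append(f"sign-in origin {country!r} outside expected countries")
        if reasons:
            findings.append(Finding(
                user=rec.get("userPrincipalName", "?"),
                app=rec.get("appDisplayName", "?"),
                ip=rec.get("ipAddress", "?"),
                reasons=reasons,
            ))
    return findings


def run_sample():
    """Apply the baseline to the constructed records above."""
    records = json.loads(SAMPLE_SIGNINS_JSON)
    return assess_device_code_signins(records, ALLOWED_APP_IDS, EXPECTED_COUNTRIES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user} via {f.app} from {f.ip}: " + "; ".join(f.reasons))
```

On the sample data, alice's sign-in passes (allowlisted app, expected country), carol's is ignored because it is not a device code sign-in, bob's is flagged on both counts, and dave's is flagged only for its origin. Device code sign-ins are legitimate for headless tools, so the allowlist keeps the check from drowning analysts in benign hits; a real deployment would pull records from the sign-in log export rather than an embedded JSON string.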