Threat actors are using a legitimate Microsoft login feature to bypass traditional email security controls.
Security researchers have observed an increase in phishing campaigns that exploit Microsoft’s OAuth device authorization flow to gain access to Microsoft 365 accounts. According to Cyber Security News, attackers trick users into entering device codes on Microsoft’s legitimate verification page, which then grants attackers access tokens tied to the victim’s account. The method became more widespread by September 2025 after earlier use in smaller targeted attacks.
The OAuth device authorization flow is intended for devices with limited input capabilities, such as smart TVs or conference room systems. Attackers abuse this design by sending phishing messages that display device codes disguised as one-time passwords or security checks. Victims are directed to microsoft.com/devicelogin, which is a real Microsoft site, increasing trust in the process. Once authentication is completed, the attacker-controlled application polls Microsoft’s servers and receives an access token that allows mailbox access, file retrieval, and lateral movement within cloud environments. Researchers identified multiple toolkits supporting this activity, including SquarePhish2, which automates device code generation, and Graphish, which combines Azure app registrations with reverse proxy infrastructure to capture session tokens after multi-factor authentication.
Analysts reported that financially motivated group TA2723 began using this technique in October 2025, distributing emails that referenced salary or benefits documents. Researchers also linked similar campaigns to state-aligned actors who used compromised government email accounts and cloud-hosted redirection pages to build trust. Analysts warned that because the login step occurs on Microsoft infrastructure, traditional phishing detection tools often fail to flag the activity, and access can persist until tokens expire or accounts are manually secured.
Microsoft says abuse of legitimate identity features like OAuth device codes reflects a broader shift in how cloud accounts are compromised. In its 2025 Digital Defense Report, the company warns that “app consent phishing tricks users into granting malicious apps OAuth permissions, bypassing MFA and persisting beyond password resets,” allowing attackers to maintain access even after credentials are changed. Microsoft also notes that attackers increasingly chain identity techniques together, rather than relying on a single phishing step.
The report explains that Microsoft has observed “layered attacks that combine device code phishing and OAuth consent phishing, sometimes redirecting users to AiTM sites,” with compromised identities later reused for “internal phishing and lateral movement.” Because these attacks rely on real Microsoft authentication flows instead of fake login pages or malware, they are harder for both users and security tools to distinguish from normal activity, giving attackers more time to move quietly across Microsoft 365 environments.
The authentication occurs on a legitimate Microsoft login page, which reduces the effectiveness of link analysis and domain-based filtering.
Not always. Users complete multi-factor authentication themselves, which authorizes the attacker’s application and grants access tokens.
They can read emails, access files, impersonate users, and move laterally across Microsoft 365 services.
Yes. Conditional Access policies can restrict or disable device code authentication or limit it to approved users and locations.
Users should treat any unsolicited request to enter a device code as suspicious and avoid authentication prompts initiated outside known workflows.
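As an added example (not from the article, Microsoft, or any of the toolkits named above), here is a Python triage routine that applies the two defensive points made above: it filters constructed sign-in records for successful device code sign-ins, flags those that fall outside an assumed allow-list of approved users and countries (the shape a restrictive Conditional Access policy would take), and counts which client app IDs drove them as a hunting pivot. The record layout follows the Microsoft Graph signIn resource (authenticationProtocol, appId, location, status); the users, app IDs, addresses and allow-list are invented for the example.

```python
import json
from collections import Counter

# Constructed sign-in records shaped like the Microsoft Graph signIn resource, in which
# authenticationProtocol reads "deviceCode" for the device authorization flow. Invented data.
SAMPLE_SIGNINS_JSON = """[
 {"userPrincipalName": "av-room@example.com", "authenticationProtocol": "deviceCode",
  "appId": "0f0f0f0f-0000-4000-8000-000000000001", "ipAddress": "198.51.100.5",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "appId": "0f0f0f0f-0000-4000-8000-000000000001", "ipAddress": "203.0.113.77",
  "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "authorizationCodeFlow",
  "appId": "0f0f0f0f-0000-4000-8000-000000000002", "ipAddress": "198.51.100.9",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
  "appId": "0f0f0f0f-0000-4000-8000-000000000003", "ipAddress": "198.51.100.12",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}}
]"""

# Assumed allow-list: what a Conditional Access policy that limits device code
# sign-ins to approved users and locations would encode.
APPROVED_USERS = {"av-room@example.com"}
APPROVED_COUNTRIES = {"US"}

def load_signins(raw=SAMPLE_SIGNINS_JSON):
    return json.loads(raw)

def device_code_signins(records):
    # Only a successful device code sign-in yields a usable token; failures are noise here.
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]

def flag_device_code_signins(records, users=APPROVED_USERS, countries=APPROVED_COUNTRIES):
    # Returns (user, ip, reasons) for each device code sign-in outside the allow-list.
    findings = []
    for r in device_code_signins(records):
        user, country = r["userPrincipalName"], r.get("location", {}).get("countryOrRegion")
        reasons = []
        if user not in users:
            reasons.append("user not approved for device code flow")
        if country not in countries:
            reasons.append(f"sign-in from unapproved location {country}")
        if reasons:
            findings.append((user, r["ipAddress"], reasons))
    return findings

def app_ids_using_device_code(records):
    # Which client app IDs drove successful device code sign-ins: a pivot for hunting.
    return Counter(r["appId"] for r in device_code_signins(records))
```

On the constructed data only alice's sign-in is flagged (both unapproved user and unapproved country), while the approved conference-room account passes and carol's failed attempt is ignored.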