Phishing Attacks Exploiting OAuth Device Code Authorization for Microsoft 365 Account Takeover
Threat actors are increasingly leveraging OAuth 2.0 device code authorization flows to compromise Microsoft 365 accounts through sophisticated phishing campaigns. Proofpoint researchers have observed both state-aligned and financially motivated groups using social engineering tactics to trick users into granting access to malicious applications, resulting in account takeovers, data exfiltration, and broader SaaS supply chain abuse. Attackers initiate these campaigns with phishing messages containing URLs or QR codes that, when followed, prompt users to authorize access for rogue applications, ultimately handing over OAuth tokens to the adversaries.
Industry analysis highlights that identity-first intrusions, including device code flow phishing and illicit OAuth consent, have driven significant data breaches and business email compromise incidents in 2025. Notable cases include the exploitation of connected apps to exfiltrate data from Salesforce tenants and major financial impacts on organizations such as Marks & Spencer. Security experts recommend enforcing phishing-resistant MFA, governing OAuth consent, and deprecating device code flows where feasible to mitigate these risks. Regulatory changes are also pushing organizations to strengthen identity and SaaS governance in response to these evolving threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Tycoon 2FA operators launch Microsoft 365 device code phishing campaign
In late April 2026, eSentire observed Tycoon 2FA operators repurpose their phishing-as-a-service kit to conduct OAuth device code phishing against Microsoft 365 users. The campaign used Trustifi tracking links and Cloudflare Workers redirects to drive victims to Microsoft's legitimate device login flow, issuing attacker-controlled OAuth tokens instead of stealing passwords directly.
Microsoft and Europol disrupt Tycoon 2FA infrastructure
In March 2026, Microsoft and Europol led a takedown targeting Tycoon 2FA infrastructure. Later reporting indicated the operators preserved their codebase and were able to restore operations quickly despite the disruption.
Device code phishing activity surges in 2026
Reporting in 2026 described a major increase in device code phishing attacks. Attackers were using the technique to steal access tokens and bypass standard access controls, making phishing operations more effective.
Proofpoint publishes findings on widespread Microsoft 365 device code phishing
Proofpoint publicly reported that multiple state-aligned and financially motivated threat clusters were abusing the OAuth 2.0 device authorization grant to compromise Microsoft 365 accounts. The report highlighted tooling such as SquarePhish, SquarePhish2, and Graphish, and recommended restricting or blocking device code flow with Conditional Access and compliant-device requirements.
TA2723 adopts device code phishing with salary and document lures
In October 2025, financially motivated actor TA2723 began using device code phishing in campaigns themed around shared documents and salary-related files. Proofpoint assessed the actor likely used different tooling across campaign waves to scale the attacks.
Proofpoint observes broad surge in device code phishing activity
By September 2025, Proofpoint observed unusually widespread phishing campaigns abusing Microsoft's OAuth device code flow across multiple threat clusters. The campaigns targeted Microsoft 365 users and enabled account takeover, data theft, lateral movement, and persistence while bypassing MFA through legitimate Microsoft verification pages.
UNK_AcademicFlare starts rapport-based device code phishing campaign
By September 2025, the Russia-aligned cluster UNK_AcademicFlare was conducting device code phishing campaigns against targets in government, think tanks, higher education, and transportation in the U.S. and Europe. The group used compromised government and military email accounts plus Cloudflare Worker links spoofing OneDrive to lure victims into authorizing attacker access.
State-aligned actors begin using Microsoft device code phishing
Proofpoint tracks state-aligned use of OAuth 2.0 device authorization grant phishing against Microsoft 365 accounts beginning in January 2025. The activity included Russia-aligned operators using the legitimate Microsoft device login flow to obtain access tokens and take over accounts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
17 references tracked. Mallory keeps watching after this page renders.
Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens
cybersecuritynews.com
Open sourceTycoon 2FA Operators Adopt OAuth Device Code Phishing to Bypass MFA - Cyber Security News
cybersecuritynews.com
Open sourceTycoon 2FA Operators Adopt OAuth Device Code Phishing | eSentire
esentire.com
Open sourceDevice Code Phishing is an Evolution in Identity Takeover | Proofpoint US
proofpoint.com
Open sourceMicrosoft 365 users targeted in device code phishing attacks - Help Net Security
helpnetsecurity.com
Open source[DEEP RESEARCH] Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth
blog.alphahunt.io
Open sourceAccess granted: phishing with device code authorization for account takeover | Proofpoint US
proofpoint.com
Open sourceAnalysing the rise in device code phishing attacks in 2026 - Infosec.Pub
infosec.pub
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OAuth Device Code and Malicious App Abuse to Gain Persistent Access in Microsoft Entra ID/Microsoft 365
Threat actors are increasingly abusing **OAuth** in *Microsoft Entra ID* and *Microsoft 365* to obtain **access/refresh tokens** that provide durable access even when passwords are reset and MFA is enabled. Reported activity includes both (1) **malicious OAuth app** registrations and deceptive consent prompts that masquerade as legitimate “business integrations,” and (2) abuse of the **OAuth 2.0 Device Authorization Grant** (device code flow) where victims authenticate on Microsoft’s legitimate device login portal, making the intrusion harder to detect with credential-focused controls. Multiple reports describe campaigns targeting business users and organizations (including technology, manufacturing, and financial sectors) to access resources such as **Outlook, Teams, and OneDrive** and to enable mailbox actions and data access under seemingly legitimate application activity. Research and incident reporting highlight that attackers can persist via **service principals** created in victim tenants after consent is granted, and that some integrations may remain effective even if the consenting user is later disabled; separate reporting also describes **device-code vishing/phishing** that leverages legitimate Microsoft OAuth client IDs and standard login workflows to capture tokens without attacker-hosted phishing pages, with one source attributing the vishing activity to **ShinyHunters** (unconfirmed by Microsoft at the time of reporting).
Mar 21, 2026
OAuth Phishing and Malicious Application Abuse in Microsoft 365 Environments
Attackers are increasingly leveraging Microsoft Copilot Studio to facilitate OAuth phishing attacks by exploiting its ability to host customizable agents and redirect users to arbitrary URLs. Security researchers have demonstrated that Copilot Studio agents, which appear as legitimate Microsoft services, can be configured with a 'Login' button that redirects unsuspecting users to malicious OAuth consent pages. This technique increases the credibility of phishing attempts, as the initial interaction occurs on a trusted Microsoft domain, making it more likely for users to grant permissions to malicious applications. Once a user consents, attackers can exfiltrate OAuth tokens, granting them persistent access to sensitive data and services within the victim's Microsoft 365 environment. The flexibility of Copilot Studio, while beneficial for legitimate automation, also provides attackers with a powerful tool to craft convincing phishing lures and automate token exfiltration. Security experts emphasize the importance of reviewing and tightening Entra ID application consent policies, especially in light of recent and upcoming policy updates from Microsoft. Despite improvements in consent policy enforcement, risks remain, particularly when users with elevated privileges, such as Application Administrators, are able to grant broad permissions. In parallel, security researchers have highlighted the prevalence of hidden malicious OAuth applications within Microsoft 365 tenants. Open-source tools like Cazadora have been developed to help administrators audit their environments for suspicious applications, such as those with anomalous names or reply URLs. Common indicators of malicious OAuth apps include names mimicking user accounts, generic test names, or non-alphanumeric strings, as well as reply URLs pointing to local loopback addresses. The discovery of even a single suspicious app often signals a broader compromise, underscoring the need for comprehensive audits. Security teams are urged to regularly inspect both Enterprise Applications and Application Registrations for signs of abuse. The combination of sophisticated phishing techniques using Copilot Studio and the widespread presence of malicious OAuth apps represents a significant threat to Microsoft 365 environments. Proactive monitoring, user education, and strict consent policies are critical to mitigating these risks. Organizations should remain vigilant for new attack vectors that exploit trusted cloud services. The evolving landscape of OAuth-based attacks requires continuous adaptation of security controls and incident response strategies. Collaboration between security researchers and cloud service providers is essential to stay ahead of emerging threats. The integration of automation and AI-driven services like Copilot Studio into enterprise environments necessitates a reevaluation of traditional security assumptions. As attackers continue to innovate, defenders must leverage both technical controls and threat intelligence to protect their organizations.
Mar 21, 2026
Tycoon2FA Adds OAuth Device-Code Phishing for Microsoft 365 Accounts
The **Tycoon2FA** phishing-as-a-service platform has resurfaced after a law enforcement disruption and is now using **OAuth 2.0 device authorization grant** abuse to compromise **Microsoft 365** accounts protected by multifactor authentication. According to eSentire, the campaign begins with lure emails carrying **Trustifi** click-tracking URLs and guides victims through a multi-stage redirection chain, including a fake Microsoft CAPTCHA page, before directing them to Microsoft’s legitimate device login portal at `microsoft.com/devicelogin`. Rather than exploiting a software flaw or directly bypassing MFA, the operation relies on social engineering to convince users to enter a device code and approve token issuance for an attacker-controlled device, giving the threat actor OAuth tokens for account access. Researchers said the kit retains much of the four-layer in-browser delivery chain seen in earlier Tycoon2FA variants while adding anti-analysis measures to hinder researchers and scanners; recommended defenses include disabling device-code flow where it is not needed, tightening OAuth consent controls, and increasing monitoring of Microsoft Entra logs.
May 27, 2026