Microsoft 365 Accounts Targeted in Sophisticated OAuth Phishing Campaign

Dec 22, 2025

Overview

Multiple threat actors are actively compromising Microsoft 365 accounts using OAuth device code phishing, a technique that tricks victims into authorizing attacker-controlled applications through Microsoft’s legitimate login pages. Unlike traditional credential theft, it abuses a legitimate Microsoft OAuth 2.0 authorization flow (the device code grant): the victim signs in with their own password and MFA on Microsoft’s real pages, but the tokens issued at the end of the flow go to the attacker, who therefore never needs to capture either and gains persistent access to the corporate account.

Key Facts of the Incident

Category | Details
Threat Type | OAuth device code phishing & account compromise
Attack Mechanism | Victims tricked into entering attacker-generated device codes on authentic Microsoft login pages, which authorizes the attacker’s application
Threat Actors | Financially motivated cybercriminals (e.g., TA2723), suspected state-aligned actors (e.g., UNK_AcademicFlare)
Target | Microsoft 365 accounts across industries
Tools Observed | Phishing kits — SquarePhish (v1 & v2) and Graphish
Detection Difficulty | High — legitimate Microsoft flows with no stolen credentials
Mitigation Advice | Conditional Access policies, sign-in origin restrictions, audit app permissions

What Happened

According to a Proofpoint threat report, attackers have stepped up phishing campaigns since September 2025, leveraging Microsoft’s OAuth 2.0 device code authorization flow to trick users into authorizing malicious applications.

Here’s how the attack works:

  1. Victims receive a phishing email with a link, QR code, or re-authentication prompt.

  2. They are directed to Microsoft’s real login or device authorization page.

  3. The user signs in as usual, with their own password and MFA, and enters the short code supplied by the attacker. That code was generated when the attacker started a device code flow, so completing it authorizes the attacker-controlled application rather than anything the victim owns.

  4. The attacker’s client, which has been polling Microsoft’s token endpoint, receives an access token and typically a refresh token, giving it ongoing access to the victim’s Microsoft 365 account without ever handling the victim’s password or MFA code.

Attackers exploit the legitimacy of Microsoft’s own infrastructure, making detection and prevention challenging for traditional security tools.
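The exchange described above, as an added example that is not part of the original article or of Proofpoint’s research: a Python simulation of the OAuth 2.0 device authorization grant (RFC 8628) with a mock identity provider standing in for Microsoft. It shows why the page the victim sees is genuine and yet the tokens land with whoever requested the user code. Every name in it (MockAuthServer, attacker-app, alice@contoso.example, the login.example URL) is invented for the example; no real endpoint is contacted.

```python
"""
Simulated OAuth 2.0 device authorization grant (RFC 8628) showing why entering
a user code on a genuine login page hands tokens to whoever started the flow.

Added example, not code from the original article or from Proofpoint. The
MockAuthServer stands in for the identity provider; no real Microsoft endpoint
is contacted and no real tokens are involved.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class DeviceAuth:
    device_code: str          # secret, returned only to the client that started the flow
    user_code: str            # short code the user types on the verification page
    client_id: str
    scope: str
    expires_at: float
    authorized_by: str | None = None


class MockAuthServer:
    """Minimal stand-in for an identity provider's device-code endpoints."""

    def __init__(self, code_lifetime: float = 900.0):
        self.code_lifetime = code_lifetime
        self._by_device: dict[str, DeviceAuth] = {}
        self._by_user: dict[str, DeviceAuth] = {}

    # POST /devicecode  (called by the client that wants tokens, i.e. the attacker)
    def devicecode(self, client_id: str, scope: str) -> dict:
        auth = DeviceAuth(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id,
            scope=scope,
            expires_at=time.time() + self.code_lifetime,
        )
        self._by_device[auth.device_code] = auth
        self._by_user[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": self.code_lifetime}

    # The verification page: the *user* signs in (password + MFA) and types the user_code.
    def verify(self, user_code: str, signed_in_user: str) -> str:
        auth = self._by_user.get(user_code)
        if auth is None or time.time() > auth.expires_at:
            return "invalid_or_expired_code"
        # Binding is by user_code alone: the page cannot tell who generated it.
        auth.authorized_by = signed_in_user
        return f"app '{auth.client_id}' authorized for scope '{auth.scope}'"

    # POST /token  (polled by whoever holds the device_code)
    def token(self, device_code: str) -> dict:
        auth = self._by_device.get(device_code)
        if auth is None or time.time() > auth.expires_at:
            return {"error": "expired_token"}
        if auth.authorized_by is None:
            return {"error": "authorization_pending"}
        # Tokens go to the holder of the device_code, i.e. the initiator, not the user.
        return {"token_type": "Bearer",
                "access_token": f"at.{auth.authorized_by}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{auth.authorized_by}.{secrets.token_hex(8)}",
                "scope": auth.scope, "for_user": auth.authorized_by}


def run_phish(server: MockAuthServer, victim: str) -> dict:
    """Attacker starts the flow, victim completes it, attacker collects tokens."""
    # With Microsoft's real endpoint, the offline_access scope is what yields a refresh token.
    start = server.devicecode(client_id="attacker-app", scope="Mail.Read offline_access")
    first_poll = server.token(start["device_code"])   # nothing yet: authorization_pending
    # The phishing email delivers start["user_code"]; the victim enters it on the real page.
    page_result = server.verify(start["user_code"], signed_in_user=victim)
    tokens = server.token(start["device_code"])
    return {"first_poll": first_poll, "page_result": page_result, "tokens": tokens}


if __name__ == "__main__":
    result = run_phish(MockAuthServer(), victim="alice@contoso.example")
    for key, value in result.items():
        print(key, "->", value)
```

The point to take from the simulation is the `verify` method: the verification page authenticates the user and checks that the code exists and has not expired, but nothing ties the code to the person typing it. That is inherent to the grant, which is designed for input-constrained devices, so the defence has to be on the tenant side (restricting who may use the flow) rather than on the page.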

Threat Actors & Campaign Variants

Proofpoint has observed multiple distinct campaigns using this technique:

Salary Bonus Lure Attacks

  • Emails posing as internal HR or document-sharing notifications entice users to complete a “secure authentication.”

  • Victims are instructed to enter device codes on the genuine Microsoft portal, authorizing the attacker’s application.

TA2723 High-Volume Campaigns

  • TA2723 — known for credential phishing on services like Microsoft OneDrive and LinkedIn — has incorporated OAuth device code phishing into its operations since October 2025.

State-Aligned Activity

  • A suspected Russia-aligned actor tracked as UNK_AcademicFlare is using compromised email accounts to build trust before sending phishing links spoofing Microsoft services, primarily targeting government, academic, and transportation sectors.

Tools & Technical Details

Two primary phishing kits have been identified in these campaigns:

🔹 SquarePhish (v1 & v2)
A publicly available tool built for red teaming, repurposed to automate OAuth device code phishing. It delivers the user code through deceptive QR codes and prompts that mimic MFA workflows, then collects the tokens once the victim completes the flow.

🔹 Graphish
A more advanced phishing kit seen in underground forums that supports OAuth abuse, attacker-controlled Azure app registrations, and adversary-in-the-middle (AiTM) attacks.

These tools significantly reduce the technical barrier for mounting large-scale OAuth phishing campaigns.

Immediate Impact & Risks

  • No Credential Theft Required: Because authentication occurs on Microsoft’s official login pages, attackers gain access without capturing user passwords or MFA codes; the victim supplies both themselves.

  • Persistent Access: The access token is short-lived, but the refresh token issued alongside it lets the attacker mint new access tokens until that refresh token expires or is revoked, enabling long-term account exploitation.

  • Bypasses Traditional Security: Email filters and legacy anti-phishing solutions struggle to detect this attack vector because the links, QR codes, and login pages all point to legitimate Microsoft domains.

What Organizations Should Do

Security researchers recommend the following defenses:

1. Enforce Microsoft Entra Conditional Access

Implement policies that block the device code flow (the Authentication flows condition in Conditional Access) for everyone who has no business need for it, require compliant devices, and tighten access controls to reduce the risk of unauthorized authorizations. Start in report-only mode to find legitimate users of CLI tooling before enforcing.

2. Limit Sign-In Origin

Use Conditional Access named locations to control where sign-ins, and device code authorizations in particular, may originate, reducing the attack surface for social engineering campaigns.

3. Audit App Permissions

Regularly review and revoke suspicious or unauthorized application consent grants within Microsoft 365 and Microsoft Entra ID (formerly Azure Active Directory), and revoke the refresh tokens of any user confirmed to have completed an attacker’s device code flow, since an access token cannot be recalled before it expires.

4. User Awareness Training

Educate employees about this evolving attack technique — especially how OAuth device authorization phishing differs from traditional credential harvesters.
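Defences 1 and 3 above, as an added example that is not code from the original article or from Proofpoint: Python helpers that spot device code sign-ins in Microsoft Entra sign-in logs, list consent grants carrying high-risk delegated scopes, and build the request body for a Conditional Access policy that blocks the device code flow. The log and grant records are constructed for the example and shaped like the Microsoft Graph signIn and oAuth2PermissionGrant resources, limited to the fields used; the policy body follows the Graph conditionalAccessPolicy schema (the `authenticationFlows.transferMethods` condition), but check field names against current Graph documentation before posting it. The country list and group id are assumptions.

```python
"""
Defensive checks for OAuth device code phishing: spot device-code sign-ins in
Entra sign-in logs, review consent grants for high-risk scopes, and build a
Conditional Access policy body that blocks the device code flow.

Added example, not code from the original article or from Proofpoint. The log
and grant records below are constructed, shaped like the Microsoft Graph
signIn and oAuth2PermissionGrant resources but limited to the fields used.
"""

# Constructed sample sign-in records (not real log data).
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "192.0.2.44",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},  # failed sign-in
]

# Countries the organisation expects interactive sign-ins from (assumed for the example).
EXPECTED_COUNTRIES = {"NL"}


def find_device_code_signins(records, expected_countries=EXPECTED_COUNTRIES):
    """Return successful device-code sign-ins; flag those from unexpected countries.

    The device code grant appears in sign-in logs as authenticationProtocol == "deviceCode".
    A successful one from a user or country that never uses CLI tooling is the signal to
    investigate, because the victim's own password and MFA were genuinely used.
    """
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode") != 0:
            continue
        country = r.get("location", {}).get("countryOrRegion")
        hits.append({
            "user": r["userPrincipalName"],
            "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            "suspicious": country not in expected_countries,
        })
    return hits


# Constructed sample consent grants (not real tenant data).
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "alice-id",
     "scope": "User.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "bob-id",
     "scope": "Mail.ReadWrite offline_access Files.ReadWrite.All"},
]

# Delegated scopes worth a second look when granted to an unfamiliar app.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All", "offline_access"}


def risky_grants(grants, risky=HIGH_RISK_SCOPES):
    """List grants whose space-separated scope string contains a high-risk scope."""
    out = []
    for g in grants:
        hit = sorted(set(g.get("scope", "").split()) & risky)
        if hit:
            out.append({"clientId": g["clientId"], "principalId": g.get("principalId"),
                        "scopes": hit})
    return out


def block_device_code_policy(exclude_group_ids=()):
    """Body for POST /identity/conditionalAccess/policies that blocks the device code flow.

    Starts in report-only mode so the sign-in logs show who would be affected;
    switch state to "enabled" once legitimate CLI users sit in an excluded group.
    """
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for h in find_device_code_signins(SIGN_INS):
        print("device-code sign-in:", h)
    for g in risky_grants(SAMPLE_GRANTS):
        print("risky grant:", g)
    print(block_device_code_policy(exclude_group_ids=["<break-glass-group-id>"]))
```

Run against exported sign-in logs, the first function is a cheap daily hunt: a device code sign-in for a user who has never used one, or from a country outside the expected set, deserves a look at that user’s refresh tokens regardless of what the email filter saw. The grant review catches the variant where the attacker registers their own app and collects consent for mail and file scopes, and `offline_access` in particular is what turns a one-off authorization into persistence.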

Why This Matters

OAuth device code phishing represents a major shift in how attackers compromise accounts. By weaponizing built-in authorization flows rather than faking login pages, threat actors bypass many established defenses, making it harder for security teams to detect and prevent account takeover. Security leaders must treat OAuth abuse as a top risk vector and adapt strategies accordingly.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
