Microsoft 365 Accounts Targeted by Device Code Phishing

Proofpoint researchers warn that this approach, previously primarily used in targeted red team activities, has been part of broader campaigns since September 2025. The security company calls it a significant shift in the threat landscape.

Device code disguised as a one-time password

Device code phishing often begins with a message containing a URL hidden in a button, hyperlink, or QR code. When a user follows the link, the authorization process for Microsoft devices begins. The user then receives a device code, presented as a one-time password (OTP). The instruction is to enter this code on Microsoft’s official verification page. Once this is done, the attacker validates the associated token and thus gains access to the account.

Phishing attacks are carried out in various ways. In some cases, attackers claim to require token reauthorization, while in others, they deploy false warnings about account security.

Various tools available

Both state-sponsored and financially motivated threat actors are using these attacks, including the well-known group TA2723. Malicious applications and tools are being sold on hacking forums that make it easier for attackers to scale up campaigns, such as SquarePhish, SquarePhishV2, and Graphish. These tools help bypass the limited validity period of device codes, making campaigns possible on a larger scale than ever before.

Successful device code phishing attacks lead to complete control of M365 accounts, posing risks such as data theft, lateral movement within networks, and persistent access. Proofpoint emphasizes the importance of stricter OAuth controls and increasing user awareness of these evolving threats. The company expects OAuth authentication abuse to continue to increase, particularly with the introduction of FIDO-compliant multi-factor authentication (MFA).