- Attack Vector: Abuse of the OAuth 2.0 device authorization flow (RFC 8628), a legitimate protocol for devices with limited input capabilities, according to a report from Proofpoint.
- Threat Actor Adoption: A financially motivated group, tracked as TA2723, began leveraging this technique in , while a suspected state-aligned actor, UNK_AcademicFlare, has targeted government and academic sectors.
- Enabling Tools: Campaigns are powered by accessible adversary-in-the-middle (AitM) tools like Graphish and SquarePhish2, which automate the creation of convincing phishing lures that point victims at legitimate Microsoft domains rather than look-alike ones.
This technique represents a significant evolution in phishing because it sidesteps the protection that many MFA deployments provide. The attacker starts the device authorization flow and receives a user code; the lure socially engineers the victim into entering that code on Microsoft's genuine device login page and signing in, MFA included. The resulting tokens are then issued to the attacker's waiting client, so MFA is satisfied rather than broken. Because the victim only ever visits the legitimate Microsoft page, traditional phishing indicators like spoofed domains are absent, increasing the attack's success rate. Device codes are short-lived, so the victim has to act within minutes of the lure arriving.
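To make the token routing concrete, here is an added example (not Proofpoint's, Microsoft's or any tool's code) that models the RFC 8628 exchange in memory: the party that starts the flow holds the device code, the victim only ever sees the user code, and the token is handed to whoever polls with the device code. The class names, the placeholder verification URI, the 900-second lifetime and the "alice@example.com" victim are assumptions for the demonstration; the expired-code branch shows what happens when the victim acts too late.

```python
import secrets
import string


class FakeClock:
    """Deterministic clock so the expiry edge case can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Minimal in-memory model of an RFC 8628 authorization server.
    Illustrative only: not Microsoft's implementation, just the parts of the
    grant that decide who ends up holding the token."""

    def __init__(self, now, lifetime_s=900, interval_s=5):  # lifetime is an assumed value
        self.now = now
        self.lifetime_s = lifetime_s
        self.interval_s = interval_s
        self.pending = {}       # device_code -> request record
        self.by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (client side): the party that starts the flow receives BOTH
        codes. In a phish that party is the attacker's script."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "user_code": user_code,
            "expires_at": self.now() + self.lifetime_s,
            "authorized_by": None,
        }
        self.by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://idp.example/devicelogin",  # placeholder, not a real URI
            "expires_in": self.lifetime_s,
            "interval": self.interval_s,
        }

    def user_authorizes(self, user_code, username):
        """Step 2 (user side): the victim types user_code into the legitimate
        page and signs in, MFA included. Only user_code is involved, so the
        page cannot tell which client will later collect the token."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return False
        rec = self.pending[device_code]
        if self.now() > rec["expires_at"]:
            return False  # code already expired; the victim's entry is rejected
        rec["authorized_by"] = username
        return True

    def token(self, device_code):
        """Step 3 (client side): whoever holds device_code polls for the token.
        Error strings are the ones RFC 8628 defines."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.now() > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["authorized_by"] is None:
            return {"error": "authorization_pending"}
        return {
            "token_type": "Bearer",
            "scope": rec["scope"],
            # Constructed token values; real ones are signed tokens for the user.
            "access_token": f"access-for-{rec['authorized_by']}",
            "refresh_token": f"refresh-for-{rec['authorized_by']}",
        }


def run_lure_scenario(victim_delay_s):
    """Attacker starts the flow; the victim acts victim_delay_s later.
    Returns whether the attacker's poll ended up with a token."""
    clock = FakeClock()
    srv = DeviceAuthServer(now=clock)
    codes = srv.device_authorization(client_id="attacker-client", scope="openid offline_access")
    first_poll = srv.token(codes["device_code"])  # nothing yet: authorization_pending
    clock.advance(victim_delay_s)
    victim_ok = srv.user_authorizes(codes["user_code"], "alice@example.com")  # constructed victim
    final = srv.token(codes["device_code"])
    return {
        "first_poll": first_poll.get("error"),
        "victim_completed_signin": victim_ok,
        "attacker_got_token": "access_token" in final,
        "final": final,
    }


if __name__ == "__main__":
    print(run_lure_scenario(60))    # victim acts within the code lifetime
    print(run_lure_scenario(1000))  # lure acted on too late: expired_token
```

The point to take from the model is that `user_authorizes` never learns which client will call `token`; binding happens only through the user code the victim was tricked into typing.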
The widespread availability of purpose-built tools commoditizes the attack, letting lower-skilled cybercriminals run campaigns that previously required deep technical expertise. According to Proofpoint, "while this is not necessarily a novel technique, it is notable to see it used increasingly by a tracked cybercriminal threat actor."
The attack exploits a legitimate feature, not a software vulnerability in the OAuth 2.0 protocol or in Microsoft 365. The protocol is functioning as designed, so there is nothing to patch, and the attack's success is entirely contingent on deceiving the end user. Organizations with mature controls, in particular Conditional Access policies that block or restrict the device code flow (the "Authentication flows" condition) except from trusted locations or compliant devices, are largely protected. The risk is concentrated in tenants that still run permissive default identity and access management configurations.
The primary indicators to watch are changes to Microsoft's default security posture for device authorization flows and how quickly enterprises adopt the mitigating controls. Security teams should enable the relevant Conditional Access policies in report-only mode first and review their impact before enforcing them, as Microsoft recommends; legitimate device code users, such as command-line tooling and shared or input-constrained devices, surface in that data before the block takes effect.
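The review step above is a log-analysis task. The added example below (not Microsoft's or Proofpoint's code) runs two checks over constructed sign-in records: it lists device code sign-ins whose recorded IP falls outside trusted networks, and it tallies what a report-only block policy would have done to device code sign-ins, including which users and apps would have been blocked. The field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, appliedConditionalAccessPolicies[].result); every value, the trusted networks and the policy name "Block device code flow" are made up for this example.

```python
import ipaddress
from collections import Counter

# Constructed sign-in records shaped after the Microsoft Graph signIn resource.
# Every value below is invented for this example.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.45",
     "authenticationProtocol": "deviceCode", "appName": "Microsoft Office",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block device code flow", "result": "reportOnlyFailure"}]},
    {"id": "s2", "userPrincipalName": "bob@example.com", "ipAddress": "10.20.30.40",
     "authenticationProtocol": "deviceCode", "appName": "Azure CLI",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block device code flow", "result": "reportOnlyNotApplied"}]},
    {"id": "s3", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.46",
     "authenticationProtocol": "oAuth2", "appName": "Outlook",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block device code flow", "result": "reportOnlyNotApplied"}]},
    {"id": "s4", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "appName": "Microsoft Office",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block device code flow", "result": "reportOnlyFailure"}]},
]

# Constructed: ranges the organisation treats as trusted (what a Named Location would hold).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def device_code_signins(records):
    """Only sign-ins that used the device code grant."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def untrusted_device_code_signins(records, networks=TRUSTED_NETWORKS):
    """Device code sign-ins whose recorded IP is outside trusted networks.
    A review queue, not proof of compromise: legitimate remote use looks the same."""
    return [r for r in device_code_signins(records) if not is_trusted(r["ipAddress"], networks)]


def report_only_impact(records, policy_name):
    """Tally the report-only outcome of one policy across device code sign-ins.
    For a block policy, reportOnlyFailure means the sign-in would have been
    blocked; reportOnlyNotApplied means the policy's conditions did not match."""
    tally = Counter()
    for r in device_code_signins(records):
        for p in r.get("appliedConditionalAccessPolicies", []):
            if p.get("displayName") == policy_name:
                tally[p.get("result", "unknown")] += 1
    return dict(tally)


def would_be_blocked(records, policy_name):
    """(user, app) pairs the policy would have blocked: the list to review for
    legitimate device code users before switching the policy to enforce."""
    hits = []
    for r in device_code_signins(records):
        for p in r.get("appliedConditionalAccessPolicies", []):
            if p.get("displayName") == policy_name and p.get("result") == "reportOnlyFailure":
                hits.append((r["userPrincipalName"], r["appName"]))
    return hits


if __name__ == "__main__":
    for r in untrusted_device_code_signins(SAMPLE_SIGNINS):
        print("review:", r["id"], r["userPrincipalName"], r["ipAddress"], r["appName"])
    print(report_only_impact(SAMPLE_SIGNINS, "Block device code flow"))
    print(would_be_blocked(SAMPLE_SIGNINS, "Block device code flow"))
```

In the sample, the Azure CLI sign-in from a trusted range is left alone because the policy excludes trusted locations, while the two Office sign-ins from outside would have been blocked; against real exports, the `would_be_blocked` list is what you take to the affected teams before enforcement.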
Furthermore, the evolution of phishing lures used by groups like TA2723 will be a key indicator of the tactic’s longevity; a shift from generic financial themes to more targeted, sector-specific pretexts would signal broader adoption by more advanced threat actors. The market for malicious applications enabling these campaigns on hacking forums, as noted in the Proofpoint analysis, also warrants observation.