- Proofpoint reports a rise in phishing attacks abusing the Microsoft OAuth 2.0 device code flow
- Victims enter the code on a genuine Microsoft domain, handing attackers an access token
- Proofpoint recommends blocking device code flows
Cybercriminals, including state-sponsored threat actors, are increasingly abusing Microsoft’s OAuth 2.0 device code flow to take control of Microsoft 365 accounts.
This is evident from a new report by cybersecurity firm Proofpoint. In a new article published on December 18, researchers confirm a sharp escalation since September 2025 in social engineering attacks in which victims are tricked into granting access to their accounts.
The attack usually starts with a phishing email containing a link or a QR code. Victims are then told that, to view the content, they must re-verify their account by entering a device code on Microsoft’s login page.
Russians, Chinese and others
Once the code is entered, the attackers receive an access token tied to the victim’s account, which not only grants them access but also allows email monitoring, lateral movement, and more.
The sign-in takes place on a genuine Microsoft domain, Proofpoint explains, so traditional phishing defenses and user awareness checks are largely ineffective. Because the attackers never steal passwords or MFA codes, no alarm is raised.
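As an added defensive example (not part of Proofpoint’s report), the script below parses Entra ID sign-in records and surfaces successful device-code sign-ins from addresses outside a trusted set, so the token issuance described above leaves a reviewable trace even though no password or MFA code was stolen. It assumes records shaped like the Microsoft Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `status.errorCode`); the sample records and the trusted-IP set are constructed.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records shaped like Microsoft Graph `signIn`
# objects (assumption: the field names follow that schema; every value
# below is made up for this example).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-12-01T09:12:03Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "appDisplayName": "Example Device App", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-01T09:13:41Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "authorizationCode", "ipAddress": "198.51.100.4",
     "appDisplayName": "Example Mail Client", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-01T09:15:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.10",
     "appDisplayName": "Example Device App", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-01T09:16:30Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "appDisplayName": "Example Device App", "status": {"errorCode": 50126}},  # failed (constructed)
])

TRUSTED_IPS = {"192.0.2.10"}  # constructed: e.g. a headless meeting-room device


def load_signins(raw_json):
    """Parse a JSON array of sign-in records into a list of dicts."""
    return json.loads(raw_json)


def device_code_signins(records, successful_only=True):
    """Return records that used the device code grant; by default only those
    where a token was actually issued (status.errorCode == 0)."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and r.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append(r)
    return hits


def suspicious_device_code_users(records, trusted_ips=TRUSTED_IPS):
    """Group successful device-code sign-ins per user, keeping only those from
    IPs outside the trusted set. Returns {upn: {"count": n, "ips": {...}}}."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for r in device_code_signins(records, successful_only=True):
        ip = r.get("ipAddress", "unknown")
        if ip in trusted_ips:
            continue
        entry = summary[r["userPrincipalName"]]
        entry["count"] += 1
        entry["ips"].add(ip)
    return dict(summary)


if __name__ == "__main__":
    for upn, info in suspicious_device_code_users(load_signins(SAMPLE_SIGNINS)).items():
        print(f"{upn}: {info['count']} device-code sign-in(s) from {sorted(info['ips'])}")
```

In a tenant where device code flow is blocked by policy, any hit from this check is itself worth investigating, since the grant should never succeed at all.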
Proofpoint reports that several groups are currently abusing this technique, including TA2723 (a financially motivated threat actor), UNK_AcademicFlare (a Russian state-sponsored threat actor that targets government and military email accounts for cyber espionage), and several Chinese groups.
It has also been reported that criminals are using phishing frameworks such as SquarePhish 2 and Graphish, which automate device code abuse, support QR codes, and integrate with Azure app registrations.
