Microsoft 365 Phishing Attacks: A Growing Threat


A worrying development has emerged in phishing that no longer targets passwords directly, but instead hijacks the trusted authentication mechanisms of Microsoft 365. By leveraging the OAuth device code authorization flow, cybercriminal groups and state actors gain full access to business accounts. This method, made credible by the use of authentic Microsoft elements, constitutes a discreet, industrialized threat that is difficult to detect.

Social engineering has always been the most effective gateway to circumventing technical defenses. It is now evolving towards a much more subtle exploitation of the security processes themselves. Proofpoint documents a rapid progression of Microsoft 365 compromises achieved through the abuse of the device code OAuth flow, a mechanism formalized by Microsoft to simplify certain authentications. The attackers guide their victims to an authentic Microsoft login page, resulting from a normal authentication process, but used in a roundabout way. This deception removes almost all suspicion and shifts risk to human decision-making.

This study is based on analyses carried out by Proofpoint’s Threat Research teams, who observed an acceleration in the use of this technique over the course of the year. Several groups have been identified, including the financially motivated TA2723 and UNK_AcademicFlare, often linked to Russian interests. What they have in common is industrialization, supported by kits like SquarePhish2 and Graphish, which automate the generation of campaigns, the distribution of codes and the monitoring of the compromises obtained. The technical barrier drops, the capacity to scale increases, and technically valid but deceptively obtained access becomes an almost ready-to-use service.

From legitimate authentication flow to intrusion vector

The heart of the threat does not lie in a software vulnerability, but in the trust placed in OAuth processes. The device code flow was originally a convenient method for authenticating terminals without a keyboard or traditional interface. Attackers exploit this by sending the user an email or QR code leading them to a perfectly authentic Microsoft page, where they enter the provided code in good faith. This action validates the attacker’s access without any password being explicitly requested. The illusion of security is total, since the user interacts with an official page, in a familiar environment, often having been persuaded that they are strengthening the protection of their account.

Proofpoint emphasizes that this credibility constitutes the main strength of the approach. Victims think they are completing an additional security check or MFA step when they are actually granting full authorization to a session controlled by the attacker. Once validated, access relies on OAuth tokens to remain active and to bypass certain subsequent controls. The direct consequence is the full opening of a Microsoft 365 account, with all the data, collaborative capabilities and sometimes the administrative rights associated with it.
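Because the token is issued to whichever client polls the token endpoint, the sign-in record for a device code authentication carries the polling client's address rather than the address of the browser where the user typed the code. That makes successful device-code sign-ins from outside trusted networks a strong signal in Entra sign-in logs. The triage rule below is an added example (not code from Proofpoint or from this article): the record layout follows the Microsoft Graph `signIn` schema (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `appDisplayName`, `createdDateTime`, `status.errorCode`), while the records themselves, the users, the IP addresses and the trusted network range are constructed for the example.

```python
import ipaddress
import json

# Constructed sample records in the shape of Microsoft Graph "signIn" objects.
# Field names follow the Graph schema; every value below is invented.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2024-03-04T08:12:00Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "10.20.30.40", "appDisplayName": "Microsoft Office",
  "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-03-04T08:15:00Z", "userPrincipalName": "bob@example.com",
  "ipAddress": "203.0.113.77", "appDisplayName": "Microsoft Azure CLI",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-03-04T09:01:00Z", "userPrincipalName": "carol@example.com",
  "ipAddress": "10.20.30.41", "appDisplayName": "Microsoft Azure CLI",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-03-04T09:05:00Z", "userPrincipalName": "bob@example.com",
  "ipAddress": "203.0.113.77", "appDisplayName": "Microsoft Azure CLI",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
]""")

# Constructed corporate address range; a real deployment would load this from
# the organisation's named locations.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def is_trusted_ip(ip, networks=TRUSTED_NETWORKS):
    """True when the address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage_device_code_signins(records, networks=TRUSTED_NETWORKS):
    """Return one finding per successful device-code sign-in.

    Failed or still-pending polls (non-zero errorCode) are skipped: the rule
    is about tokens that were actually issued. Sign-ins from outside the
    trusted ranges are rated high because the recorded address is the
    polling client, which in the abuse scenario is the attacker's host.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        outside = not is_trusted_ip(rec["ipAddress"], networks)
        findings.append({
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "app": rec["appDisplayName"],
            "when": rec["createdDateTime"],
            "severity": "high" if outside else "medium",
            "reason": ("device code sign-in from an untrusted network" if outside
                       else "device code sign-in (interactive users rarely need this flow)"),
        })
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['when']} {f['user']} via {f['app']} from {f['ip']}: {f['reason']}")
```

Even the medium-severity case deserves a look: most information workers never legitimately use the device code flow, so a first occurrence for a given user is itself worth a ticket, and organisations that have no such use case can go further and block the flow outright with a Conditional Access policy.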

Structured and now massified campaigns

The actors observed by Proofpoint do not carry out isolated opportunistic actions. The campaigns follow an industrial logic with prepared infrastructures, automation kits and proven social engineering scenarios. The SquarePhish2 and Graphish tools play a decisive role here. They orchestrate the distribution of emails, the dynamic generation of codes, the management of links and the exploitation of open sessions. This professionalization of device code phishing greatly reduces the cost of entry for less sophisticated groups while increasing the capacity for simultaneous attacks.

This massification modifies the defensive equation. Where companies, administrations and service providers had built protection policies focused on detecting URL traps, false forms and spoofing attempts, they now find themselves faced with a scenario where everything appears legitimate. Microsoft infrastructures are not falsified, the pages are not counterfeited and the validation comes directly from the user. Phishing is moving towards a behavioral dimension that is more difficult to counter solely with technical filters.

Complete and persistent Microsoft 365 access

A successful compromise opens up a very wide functional scope to the attacker. Access to email is often the first step, allowing the attacker to map the environment, identify sensitive exchanges, intercept financial conversations and prepare internal fraud. Collaborative access to OneDrive, SharePoint and Teams then facilitates the identification of critical data and the preparation of lateral movement. In some cases, access can lead to lasting compromise, through the registration of malicious OAuth applications or the creation of hidden rules in the mailbox.

The business impacts become immediately tangible. Confidential data can be exfiltrated without apparent warning. Internal financial validation chains can be manipulated. Technical accounts may be approached to widen the compromise. Proofpoint explicitly discusses the risk of persistent compromise and extended control, which places this method well beyond simple password theft. This is a legitimate takeover of digital identity with direct operational consequences.

A threat that questions MFA governance and pedagogy

Proofpoint researchers believe that the abuse of OAuth flows will continue to increase as modern FIDO-compliant MFA becomes more widespread. This projection raises a strategic question for security managers. For years, organizations have relied on MFA as a decisive barrier against compromise. However, this new mechanism circumvents the usual logic by using precisely this chain of trust. The problem no longer lies solely in the technical robustness of MFA, but in the way users perceive and validate the authentication steps.

This development reminds us of a truth that cybersecurity sometimes tries to forget. A technology only protects if behaviors remain aligned with its security purpose. Each new layer also introduces new blind spots. When the user is faced with an authentic Microsoft page and an apparently compliant procedure, their judgment naturally tilts towards acceptance. MFA governance must therefore evolve towards additional controls, stricter application approval policies and increased vigilance over the OAuth authorizations granted.

An inevitable revision of defense priorities

Businesses, administrations and service providers are now faced with a threat that directly exploits their digital trust infrastructure. The answer cannot come solely from a new layer of filtering. It requires a review of authorization policies, enhanced monitoring of OAuth applications, regular auditing of active tokens and precise user awareness of device codes and QR codes used for authentication. Prevention relies as much on the clarity of instructions as on technical controls.
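The two persistence techniques named earlier (malicious OAuth application registrations and hidden mailbox rules) and the monitoring of OAuth authorizations called for here both leave traces in the Microsoft 365 unified audit log. The review below is an added example, not code from Proofpoint or from this article: the operation names `Consent to application.` and `New-InboxRule` are the ones the audit log uses, but the record layout is simplified, and the events, users, application names, permission allowlist and folder list are all constructed for the example.

```python
import json

# Constructed audit events loosely modelled on unified audit log records.
# Operation names are real; the flattened layout and all values are invented.
SAMPLE_AUDIT = json.loads("""[
 {"Operation": "Consent to application.", "UserId": "bob@example.com",
  "Target": "Mail Sync Helper",
  "Permissions": ["Mail.Read", "Mail.Send", "offline_access"]},
 {"Operation": "Consent to application.", "UserId": "alice@example.com",
  "Target": "Approved Expense App", "Permissions": ["User.Read"]},
 {"Operation": "New-InboxRule", "UserId": "bob@example.com",
  "Parameters": {"Name": ".", "SubjectContainsWords": "invoice;payment",
                 "MoveToFolder": "RSS Subscriptions", "MarkAsRead": "True"}},
 {"Operation": "New-InboxRule", "UserId": "carol@example.com",
  "Parameters": {"Name": "Newsletters", "From": "news@example.org",
                 "MoveToFolder": "Reading"}}
]""")

APPROVED_APPS = {"Approved Expense App"}          # constructed allowlist
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "offline_access"}
# Folders that users rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History",
                  "Deleted Items", "Junk Email"}


def review_consents(events, approved=APPROVED_APPS, sensitive=SENSITIVE_SCOPES):
    """Flag consent grants to unapproved apps or to apps holding sensitive scopes.

    offline_access matters because it yields a refresh token, which is what
    keeps an attacker's session alive after the initial compromise.
    """
    findings = []
    for ev in events:
        if ev.get("Operation") != "Consent to application.":
            continue
        app = ev["Target"]
        risky = sorted(set(ev.get("Permissions", [])) & sensitive)
        if app in approved and not risky:
            continue
        findings.append({"user": ev["UserId"], "app": app,
                         "risky_scopes": risky, "approved": app in approved})
    return findings


def review_inbox_rules(events, hiding=HIDING_FOLDERS):
    """Flag inbox rules with the traits of a rule meant to hide or divert mail."""
    findings = []
    for ev in events:
        if ev.get("Operation") != "New-InboxRule":
            continue
        p = ev.get("Parameters", {})
        reasons = []
        if not p.get("Name", "").strip(" .-_"):
            reasons.append("rule name is blank or punctuation only")
        if p.get("MoveToFolder") in hiding:
            reasons.append(f"moves mail to '{p['MoveToFolder']}'")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes matching mail")
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            if p.get(key):
                reasons.append(f"forwards or redirects mail via {key}")
        words = p.get("SubjectContainsWords", "").lower()
        if any(w in words for w in ("invoice", "payment", "wire", "bank")):
            reasons.append("filters on payment-related subjects")
        if reasons:
            findings.append({"user": ev["UserId"], "rule": p.get("Name", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_consents(SAMPLE_AUDIT):
        print(f"consent: {f['user']} -> {f['app']} scopes={f['risky_scopes']}")
    for f in review_inbox_rules(SAMPLE_AUDIT):
        print(f"inbox rule: {f['user']} '{f['rule']}': {'; '.join(f['reasons'])}")
```

Correlating the two outputs by user is the useful step: a device-code sign-in followed within hours by a consent grant with `offline_access` and a blank-named rule routing invoice mail into an RSS folder is the sequence this article describes, and each event on its own looks far less alarming than the chain.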

In the short term, this type of attack forces IT departments to reassess their priorities. Identity protection is becoming a critical function, just like data and infrastructure protection. Solutions capable of analyzing authentication behavior, identifying usage deviations and automatically blocking suspicious authorizations are taking on new importance. The threat described by Proofpoint finally reminds us that trust should never be implicit. A truly effective Zero Trust architecture assumes that even the security processes themselves can be called into question.
