SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Proofpoint warns of surge in Microsoft device code phishing

Thu, 8th Jan 2026

Cyber security firm Proofpoint has reported a marked increase in Microsoft 365 account takeovers through the abuse of Microsoft's OAuth device code authorisation flow, in a pattern now seen across both financially motivated criminals and state-aligned groups.

The technique exploits a legitimate Microsoft login process that is widely used for connecting devices and applications. Attackers convince users to enter a one-time device code on Microsoft's genuine login portal. Once the code is entered and validated, threat actors gain access tokens that allow full access to the victim's Microsoft 365 account.

Shift in phishing

Researchers describe the activity as part of a wider move away from traditional password theft. Attackers focus instead on hijacking trusted authentication flows that sit behind the login page and often bypass multi-factor authentication controls.

Proofpoint said it has observed multiple distinct threat clusters adopting device code phishing at scale. These include criminal group TA2723 and a suspected Russia-aligned espionage actor the company tracks as UNK_AcademicFlare. The firm has also linked the technique to other Russia-aligned and suspected China-aligned operations.

Campaigns usually begin with an email that contains a URL embedded behind a button, within hyperlinked text or in a QR code. The link sends the user into Microsoft's device authorisation process. The user then receives a device code, either displayed directly on the landing page or in a follow-up email controlled by the attacker, and is instructed to enter it on Microsoft's device login site.

Messages often frame the activity as a security step, such as token re-authorisation, or as part of routine account management. Other lures refer to shared documents or human resources content, such as a fictitious file labelled "Salary Bonus + Employer Benefit Reports 25".

Tool-driven scale

The rise in activity coincides with broader use of specialist phishing tools that automate the abuse of device codes and OAuth authentication.

SquarePhish is one such tool. Dell SecureWorks first published it in 2022, and an updated version, SquarePhish2, appeared on GitHub in 2024 from an independent researcher. The tool targets the OAuth Device Grant Authorisation flow and often incorporates QR codes that lead to attacker-controlled infrastructure.

In a typical SquarePhish2 campaign, a victim receives a phishing email containing a QR code. Scanning the code sends the user to a site hosted on a SquarePhish2 server, which then redirects them to Microsoft's real authentication page. Behind the scenes, the server initiates the device authorisation flow with a preconfigured client ID.

A second email, apparently from a Microsoft tenant, then delivers the device code. The user is urged to complete the process by entering that code. SquarePhish2 can also redirect the victim automatically to Microsoft's verification page, removing the need for a second email step. Once the code is entered and the user authenticates, the tool polls Microsoft's endpoint and retrieves access tokens.

Proofpoint said the configuration process for SquarePhish2 is relatively straightforward and that automation features reduce the need for deep technical knowledge among operators. The objective remains account takeover and subsequent actions such as data theft, persistence in cloud environments and lateral movement across services.

Another tool, Graphish, has also gained traction among criminals. The phishing kit circulates on vetted hacking forums and is available without charge. It supports the creation of deceptive Microsoft-themed login pages using Azure App Registrations and reverse-proxy-based adversary-in-the-middle attacks.

Attackers using Graphish register their own domains and SSL certificates. They then connect these to a reverse proxy that sits between the victim and the genuine Microsoft service. When users enter credentials and complete multi-factor authentication challenges, the proxy captures session cookies and allows complete session hijacking.

Graphish also enables OAuth-based phishing. Attackers register applications in Azure, extract client IDs and prompt users to grant those applications access to their Microsoft accounts. Guidance within the tool outlines methods for verifying malicious apps with Azure to bypass organisational controls.

State-aligned activity

Proofpoint has linked device code phishing to several espionage-focused actors since early 2025. The company said state-aligned operators often invest more effort in pretext building than criminal groups.

Some campaigns begin with benign outreach from compromised email accounts within government, military, higher education or think tank organisations. These messages build rapport around the target's expertise, sometimes over multiple exchanges, and then introduce a supposed meeting invitation or interview.

In attacks attributed to UNK_AcademicFlare, the actor used compromised government and military email addresses in the US and Europe. Messages claimed to share documents via a OneDrive link. The link pointed instead to a Cloudflare Worker URL that spoofed a OneDrive account and then led the victim into the device code phishing workflow.

Proofpoint said the group has used this approach since at least September 2025 and has focused on government, think tank, higher education and transportation targets across Western countries.

Defensive steps

The company recommends that organisations review how Microsoft's device code flow operates within their environments and adjust access policies. It describes blocking the device code flow through Conditional Access settings as the strongest mitigation in many cases. Security teams can apply the changes first in report-only mode and assess their impact using historic sign-in data.

If a full block is not practical, Proofpoint suggests an allow-list approach that restricts device code usage to specific users, operating systems or IP ranges, such as named locations. Organisations that use device registration systems or Intune can also require that sign-ins originate only from compliant or registered devices as a defence-in-depth measure.
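The report-only assessment described above, as an added example that is not part of Proofpoint's article or tooling: it replays constructed sign-in log records (field names follow the Microsoft Graph signIn resource, where device code sign-ins carry `authenticationProtocol` = `deviceCode`; the values and the `DeviceCodeAllowList` shape are assumptions) against a proposed "block device code flow" policy with the allow-list exceptions the article lists, and reports which historic sign-ins would have been blocked, exempted or left unaffected.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample records shaped like Entra ID sign-in log entries
# (field names follow the Graph signIn resource; users and IPs are made up).
SAMPLE_SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode",
     "deviceDetail": {"operatingSystem": "Windows", "isCompliant": False}},
    {"id": "s2", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode",
     "deviceDetail": {"operatingSystem": "Windows", "isCompliant": False}},
    {"id": "s3", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "oAuth2",  # ordinary browser sign-in, not device code
     "deviceDetail": {"operatingSystem": "Windows", "isCompliant": True}},
    {"id": "s4", "userPrincipalName": "svc-kiosk@example.com", "ipAddress": "192.0.2.5",
     "authenticationProtocol": "deviceCode",
     "deviceDetail": {"operatingSystem": "Linux", "isCompliant": False}},
    {"id": "s5", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.20",
     "authenticationProtocol": "deviceCode",
     "deviceDetail": {"operatingSystem": "iOS", "isCompliant": True}},
]

@dataclass
class DeviceCodeAllowList:
    """Hypothetical exceptions to a 'block device code flow' policy."""
    users: set = field(default_factory=set)              # named users/service identities
    named_locations: list = field(default_factory=list)  # ip_network objects
    operating_systems: set = field(default_factory=set)  # e.g. {"Linux"} for headless boxes
    allow_compliant_devices: bool = False                # Intune-compliant/registered devices

def is_device_code(signin):
    return signin.get("authenticationProtocol") == "deviceCode"

def matches_allow_list(signin, allow):
    ip = ipaddress.ip_address(signin["ipAddress"])
    dev = signin.get("deviceDetail", {})
    return (signin["userPrincipalName"].lower() in allow.users
            or any(ip in net for net in allow.named_locations)
            or dev.get("operatingSystem") in allow.operating_systems
            or (allow.allow_compliant_devices and dev.get("isCompliant", False)))

def simulate_report_only(sign_ins, allow=None):
    """Replay historic sign-ins against the proposed block policy; returns
    {'blocked': [ids], 'exempt': [ids], 'unaffected': [ids]} in input order."""
    allow = allow or DeviceCodeAllowList()
    out = {"blocked": [], "exempt": [], "unaffected": []}
    for s in sign_ins:
        bucket = ("unaffected" if not is_device_code(s)
                  else "exempt" if matches_allow_list(s, allow) else "blocked")
        out[bucket].append(s["id"])
    return out

def example_policy():
    """Allow-list from the article's suggestions: named users, a corporate IP range, compliant devices."""
    return DeviceCodeAllowList(users={"svc-kiosk@example.com"},
                               named_locations=[ipaddress.ip_network("203.0.113.0/24")],
                               allow_compliant_devices=True)

if __name__ == "__main__":
    print(simulate_report_only(SAMPLE_SIGN_INS, example_policy()))
```

A blocked list that contains real automation or kiosk accounts is the signal to widen the allow-list before switching the Conditional Access policy from report-only to enforced.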

The firm also highlights the limits of traditional phishing awareness training, which often focuses on checking URLs. In device code phishing, the victim interacts with Microsoft's legitimate portal at microsoft.com/devicelogin. Proofpoint said user education should now include clear guidance that device codes received via unsolicited messages or from unknown sources should not be entered on that site.

"Proofpoint assesses that the abuse of OAuth authentication flows will continue to grow with the adoption of FIDO compliant MFA controls," said Proofpoint Threat Research.