By Zeljka Zorz
Publication Date: 2025-12-18 13:41:00
Attackers are targeting Microsoft 365 users with device code authorization phishing, a technique that fools users into approving access tokens, Proofpoint warns.
The method abuses Microsoft’s OAuth 2.0 device authorization grant flow by presenting users with device codes that, when entered, inadvertently grant attackers control of enterprise accounts.
This trend reflects a broader shift away from basic password theft toward abusing modern authentication flows to bypass multi-factor authentication protection.
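Because the victim completes a genuine sign-in, defenders can look for successful sign-ins that used the device code flow. The sketch below is an added example, not code from the article or from Proofpoint. It triages exported sign-in records, assuming field names modeled on the Microsoft Graph beta signIn resource; the records, app names and allowlist are constructed.

```python
import json
from collections import defaultdict

# Constructed sign-in records, one JSON object per line. Field names are an
# assumption modeled on the Microsoft Graph beta signIn resource; adapt them
# to the schema of your own export.
SAMPLE_LOG = """\
{"createdDateTime":"2025-12-01T09:14:02Z","userPrincipalName":"alice@example.com","appDisplayName":"Example App A","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-12-01T09:20:41Z","userPrincipalName":"bob@example.com","appDisplayName":"Example App A","ipAddress":"192.0.2.10","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2025-12-01T09:15:30Z","userPrincipalName":"Alice@example.com","appDisplayName":"Example App B","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-12-01T10:02:11Z","userPrincipalName":"room-display@example.com","appDisplayName":"Example Kiosk App","ipAddress":"192.0.2.44","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-12-01T10:30:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Example App A","ipAddress":"203.0.113.9","authenticationProtocol":"deviceCode","status":{"errorCode":1}}
{"createdDateTime":"2025-12-01T11:00:00Z","userPrincipalName":"dave@example.com","appDisplayName":"Example App A","ipAddress":"192.0.2.77","status":{"errorCode":0}}
"""


def device_code_signins(lines, allowlist=frozenset()):
    """Summarise successful device code sign-ins per user.

    Users in `allowlist` (accounts expected to use the flow, such as
    input-constrained devices) are skipped. Records without a protocol
    field are ignored rather than treated as matches.
    """
    allowed = {u.lower() for u in allowlist}
    hits = defaultdict(lambda: {"count": 0, "apps": set(), "ips": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if (rec.get("authenticationProtocol") or "").lower() != "devicecode":
            continue
        # errorCode 0 marks a successful sign-in; anything else is skipped.
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue
        user = (rec.get("userPrincipalName") or "").lower()
        if user in allowed:
            continue
        entry = hits[user]
        entry["count"] += 1
        entry["apps"].add(rec.get("appDisplayName"))
        entry["ips"].add(rec.get("ipAddress"))
    return dict(hits)


if __name__ == "__main__":
    found = device_code_signins(SAMPLE_LOG.splitlines(), {"room-display@example.com"})
    for user, info in sorted(found.items()):
        print(user, info["count"], sorted(info["apps"]), sorted(info["ips"]))
```
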
The campaigns and the tools used by the attackers
The campaigns, perpetrated by both state-aligned and financially motivated threat actors, usually start with an email sent from either attacker-controlled or compromised email addresses.
The lure can be anything that pushes targets to click on a link or scan a QR code.
In two of the campaigns Proofpoint has spotted, the attackers chose to pique the recipient’s interest with salary-themed notifications. In…