A threat actor was observed using device code phishing to trick unsuspecting users into granting a cybercriminal access to their Microsoft 365 accounts.

In a Dec. 18 blog post, Proofpoint Threat Research explained that in device code phishing, an attacker will socially engineer someone into logging into an application with legitimate credentials. The app then generates a token that’s obtained by the threat actor, which gives them control over the Microsoft 365 account.

While it’s not a novel technique, the Proofpoint team pointed out that it’s notable to see it used increasingly by multiple threat clusters, including TA2723, a tracked financially motivated cybercriminal threat actor.

“Over the last few years, there has been an increasing focus by threat actors on identity, including account takeovers, which is the result of a successful attack using the OAuth device code phishing technique we’ve reported,” said Sarah Sabotka, a staff threat researcher at Proofpoint. “If a threat actor can successfully establish a foothold by compromising a legitimate user’s identity, the opportunities for upstream attacks are endless.”

Sabotka added that teams can mitigate against device code flow attacks by creating a “Conditional Access” policy using the “Authentication Flows” condition to block device code flow for all users, starting in report-only mode to assess impact. If full blocking isn’t feasible, Sabotka said organizations can allow device code authentication only for approved users, operating systems, or IP ranges, and require sign-ins from compliant or registered devices as an additional defense layer.
Kern Smith, senior vice president of global solutions engineering at Zimperium, said device code phishing shows how attackers are abusing legitimate identity workflows to bypass traditional security controls. By tricking users into approving access themselves, Smith said threat actors can take over cloud accounts without ever stealing credentials.

“What’s especially concerning is that many of these lures reach users on mobile devices through QR codes, SMS, and mobile email, where security visibility is often weaker,” said Smith. “Security teams need to closely monitor OAuth authorizations, limit device code flows, and extend protection to mobile endpoints to stop these attacks before users authorize access.”

Noelle Murata, senior security engineer at Xcape, Inc., added that Proofpoint’s phishing research highlights an emerging trend of identity theft: because the user interacts with a legitimate Microsoft domain, traditional URL filters and experienced users are easily thwarted.

“Targeting Microsoft 365 accounts is particularly dangerous because a single compromised identity can unlock email, files, and collaboration tools,” said Murata. “Since the login appears legitimate, traditional phishing detection and strong authentication can be bypassed without raising red flags.”
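As an added example (not code from Proofpoint or any of the quoted firms), the Python triage below ties together the two defensive steps above: it surfaces sign-ins that used the OAuth device code flow, the monitoring Smith calls for, and tallies what the report-only Conditional Access policy Sabotka describes would have blocked. Field names follow the Microsoft Graph `signIn` log schema; the policy name, trusted IP ranges and the sample records are constructed assumptions.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records shaped like Entra ID sign-in log entries
# (authenticationProtocol and appliedConditionalAccessPolicies are real
# schema fields; users, apps and IPs are made up for illustration).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
  "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
  "appliedConditionalAccessPolicies": [{"displayName": "Block device code flow",
   "result": "reportOnlyFailure"}]},
 {"userPrincipalName": "bob@example.com", "appDisplayName": "Azure CLI",
  "ipAddress": "10.0.0.5", "authenticationProtocol": "deviceCode",
  "appliedConditionalAccessPolicies": [{"displayName": "Block device code flow",
   "result": "reportOnlyFailure"}]},
 {"userPrincipalName": "carol@example.com", "appDisplayName": "Outlook Web",
  "ipAddress": "10.0.0.7", "authenticationProtocol": "oAuth2",
  "appliedConditionalAccessPolicies": [{"displayName": "Block device code flow",
   "result": "reportOnlyNotApplied"}]}
]""")

# Assumed: corporate ranges where device code sign-ins (admins on headless hosts) are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
POLICY_NAME = "Block device code flow"  # assumed display name of the report-only policy

def device_code_signins(signins):
    """Sign-ins that completed via the OAuth device code flow."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]

def untrusted_device_code_signins(signins, trusted=TRUSTED_NETS):
    """Device code sign-ins from outside trusted ranges: first candidates for analyst review."""
    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in trusted)
    return [s for s in device_code_signins(signins) if not is_trusted(s["ipAddress"])]

def report_only_impact(signins, policy_name=POLICY_NAME):
    """Count (user, app) pairs the report-only policy would block once enforced (reportOnlyFailure)."""
    hits = Counter()
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("displayName") == policy_name and p.get("result") == "reportOnlyFailure":
                hits[(s["userPrincipalName"], s["appDisplayName"])] += 1
    return hits

if __name__ == "__main__":
    for s in untrusted_device_code_signins(SAMPLE_SIGNINS):
        print("REVIEW: device code sign-in by", s["userPrincipalName"], "from", s["ipAddress"])
    for (user, app), n in report_only_impact(SAMPLE_SIGNINS).items():
        print(f"would be blocked on enforcement: {user} via {app} ({n}x)")
```

In practice the records would come from the sign-in log export; the impact tally tells you which users or apps need an exception before switching the policy from report-only to enforced.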
Michael Bell, co-founder and CEO at Suzu Labs, said device code phishing represents a great danger because it turns the company’s own MFA implementation against the user.

“The user authenticates legitimately with their credentials and MFA, but the OAuth token they generate gets handed to the attacker instead of the application they think they're authorizing,” said Bell. “The timing of Proofpoint's findings is notable. They observed this technique shift from targeted operations to widespread campaigns by September 2025, which means both state-sponsored and financially motivated actors have industrialized this approach. When attack techniques make that jump from boutique to commodity, every organization becomes a potential target.”
Threat groups steal identities to access Microsoft 365 accounts