State actors are abusing OAuth device codes to get full M365 account access - here's what we know
Researchers spotted multiple groups using the same technique
TechRadar News, by Sead Fadilpašić, published 19 December 2025
- Proofpoint reports phishing surge abusing Microsoft OAuth 2.0 device code flow
- Victims enter codes on real Microsoft domains, granting attackers access tokens
- Proofpoint advises blocking device code flows
Cybercriminals, including state-sponsored threat actors, are increasingly abusing Microsoft’s OAuth 2.0 device code authentication flow to take over Microsoft 365 accounts.
This is according to a new report by cybersecurity researchers Proofpoint. In a new paper published on December 18, the researchers confirm that they have seen a sharp escalation of social engineering attacks since September 2025, in which victims are tricked into granting access to their accounts.
The attack usually starts with a phishing email containing either a link or QR code. Victims are then told that in order to view the contents, they need to reauthenticate their account by entering a device code into Microsoft’s login page.
Russians, Chinese, and others
Once the victim enters the code, the threat actors receive an access token tied to the victim's account, which not only gives them access but enables email monitoring, lateral movement, and more.
The login happens on a real Microsoft domain, Proofpoint further explains, which means that traditional phishing defenses and user awareness checks are mostly useless. The attackers aren’t actually stealing passwords, or MFA codes, so no alarms are triggered there, either.
Proofpoint says there are multiple groups currently abusing this technique, including TA2723 (a financially motivated threat actor), UNK_AcademicFlare (a Russian state-sponsored threat actor targeting government and military email accounts for cyber-espionage purposes), and multiple groups from China.
Proofpoint also notes that the criminals are using different phishing frameworks, such as SquarePhish 2 and Graphish, which automate device code abuse, support QR codes, and integrate with Azure app registrations. This lowers the barrier to entry and allows even low-skilled threat actors to engage in attacks.
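Because the sign-in itself happens on a legitimate Microsoft domain with no stolen password or MFA code, the place a defender can still see this technique is the tenant's sign-in log, where device code authentications are recorded as such. The following is an added example, not code from the article or from Proofpoint: it runs over a few constructed sign-in records, flags successful device code sign-ins, and raises the severity when the sign-in comes from an IP address the user has never been seen on. The field names (`authenticationProtocol`, `userPrincipalName`, `status.errorCode`) follow the Microsoft Graph sign-in record as the author understands it and should be treated as an assumption to verify against your own export.

```python
import json
from collections import defaultdict

# Constructed sample export in JSON-lines form (not real log data). Field names
# are assumed to match the Microsoft Graph signIn resource; adjust to your export.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2025-12-18T09:01:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-18T09:05:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-18T09:06:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-18T09:07:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-12-18T09:08:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none", "status": {"errorCode": 0}}
"""

# Constructed per-user baseline of IP addresses seen in earlier, non-device-code
# sign-ins. In practice this would be built from historical log data.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.22", "203.0.113.23"},
}


def parse_signins(text):
    """Parse a JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_device_code_signins(records, known_ips):
    """Return one finding per successful device code sign-in.

    Failed attempts (non-zero errorCode) are skipped: no token was issued.
    Severity is 'high' when the source IP is outside the user's baseline,
    because a victim entering a phished code normally sits on a familiar
    network while the token is redeemed from the attacker's infrastructure.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue
        user = rec["userPrincipalName"]
        new_ip = rec["ipAddress"] not in known_ips.get(user, set())
        findings.append({
            "time": rec["createdDateTime"],
            "user": user,
            "ip": rec["ipAddress"],
            "app": rec.get("appDisplayName", "unknown"),
            "severity": "high" if new_ip else "medium",
        })
    return findings


def summarize_by_user(findings):
    """Count flagged device code sign-ins per user, useful for spotting campaigns."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNIN_LOG)
    for f in find_device_code_signins(recs, KNOWN_IPS):
        print(f"[{f['severity'].upper()}] {f['time']} {f['user']} via {f['app']} from {f['ip']}")
```

Every device code sign-in is worth a look even at medium severity, since the flow is rarely needed outside CLI tools and input-constrained devices; the practical mitigation the report points to is to block the flow at the tenant level (in Entra ID this is a Conditional Access condition on authentication flows, which the author has not reproduced here) and to allow-list only the specific users and applications that genuinely need it.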