Information Security News

The Trusted Trap: How Hackers Weaponize Microsoft’s Own Login Flows to Bypass MFA

by Nam Phong · December 23, 2025

Proofpoint is warning of a surge in phishing attacks in which attackers hijack corporate Microsoft 365 accounts not through fake login pages, but via a perfectly legitimate OAuth mechanism—device code authorization. Victims are persuaded to enter a “one-time code” on an authentic Microsoft site, inadvertently granting attackers an access token that enables account takeover, data exfiltration, and further lateral movement within the organization.

Researchers are tracking multiple clusters—ranging from financially motivated actors to state-linked groups—that employ varying forms of social engineering to coax users into “approving” application access via the OAuth 2.0 device authorization grant flow. The attack typically begins with an email in which the link is concealed behind a button, hyperlink, or QR code. Clicking it initiates a chain that leverages Microsoft’s official process: the attacker’s client requests a device code from Microsoft, and the short user code is presented to the victim—either on the page itself or in a follow-up email from the attackers—framed as an OTP for “enhanced verification” or “token reauthorization.” The victim is then directed to Microsoft’s trusted verification portal and asked to enter the code. Entering it approves the pending authorization under the victim’s identity, Microsoft issues the access token to the client that started the flow, and control is handed to the attackers.
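To make the mechanism concrete, here is a toy model of the OAuth 2.0 device authorization grant (RFC 8628). It is an added example, not code from Proofpoint or Microsoft, and the class name, endpoint labels and lifetimes are assumptions of the model. It shows the property the article turns on: the verification page binds the signed-in user’s approval to whichever client holds the matching device code, and the page has no way of knowing where the user obtained that code, so the token goes to the party that started the flow.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not Proofpoint's or Microsoft's code. Only enough of the flow
is modelled to show who ends up holding the token. Endpoint comments, the
ToyAuthServer name and the 15-minute lifetime are assumptions of this model.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class DeviceSession:
    client_id: str
    device_code: str      # long secret, known only to the requesting client
    user_code: str        # short code the user types on the verification page
    expires_at: float
    approved_by: Optional[str] = None


class ToyAuthServer:
    def __init__(self, lifetime_s: int = 900, clock=time.time):
        self.lifetime_s = lifetime_s
        self.clock = clock          # injectable for testing expiry
        self._by_device_code = {}
        self._by_user_code = {}
        self.issued_tokens = []

    # Models POST /devicecode: the CLIENT starts the flow and receives both codes.
    def device_authorization(self, client_id: str) -> dict:
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        session = DeviceSession(client_id, device_code, user_code,
                                self.clock() + self.lifetime_s)
        self._by_device_code[device_code] = session
        self._by_user_code[user_code] = session
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # placeholder
                "expires_in": self.lifetime_s, "interval": 5}

    # Models the verification page: an already signed-in user types the short code.
    # Note what the page sees: a code and a signed-in user, nothing about the
    # client that requested it or how the user came to have the code.
    def verify_user_code(self, user_code: str, signed_in_user: str) -> str:
        session = self._by_user_code.get(user_code.replace(" ", "").upper())
        if session is None or self.clock() > session.expires_at:
            return "invalid_or_expired"
        if session.approved_by is not None:
            return "already_used"
        session.approved_by = signed_in_user
        return "approved"

    # Models POST /token: the client holding device_code polls until approval.
    def token(self, client_id: str, device_code: str) -> dict:
        session = self._by_device_code.get(device_code)
        if session is None or session.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > session.expires_at:
            return {"error": "expired_token"}
        if session.approved_by is None:
            return {"error": "authorization_pending"}
        token = {"access_token": secrets.token_urlsafe(24),
                 "issued_to_client": client_id,
                 "acts_as_user": session.approved_by}
        self.issued_tokens.append(token)
        return token


def walk_through() -> dict:
    """One complete flow where the requester and the approving user differ."""
    server = ToyAuthServer()
    start = server.device_authorization(client_id="requesting-client-id")
    pending = server.token("requesting-client-id", start["device_code"])
    outcome = server.verify_user_code(start["user_code"],
                                      signed_in_user="approving.user@example.com")
    token = server.token("requesting-client-id", start["device_code"])
    return {"before_approval": pending.get("error"),
            "verification": outcome,
            "token_for": token.get("acts_as_user"),
            "token_to": token.get("issued_to_client")}


if __name__ == "__main__":
    print(walk_through())
```

The short lifetime in the model is the same constraint the article mentions for real device codes, and it is why the kits it describes focus on delivering the code to the victim quickly; the defender’s lever is not the verification page but the policy that decides whether the flow is allowed at all.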

Proofpoint notes that while the technique itself is not new and has previously appeared in targeted attacks and limited red-team exercises, by September 2025 it had escalated into unusually large-scale campaigns. A key accelerant has been the emergence of tools and ready-made components that allow attackers to scale distribution despite the short lifespan of device codes. Among these, researchers highlight SquarePhish2—an evolution of SquarePhish first published in 2022 and later updated, with a revised version appearing on GitHub in 2024 via an independent researcher.

SquarePhish2 makes the attack resemble a familiar multi-factor authentication setup flow. An email containing a QR code leads to an attacker-controlled server, which then redirects the victim to a legitimate Microsoft login page while the server initiates the OAuth process using a preconfigured client ID. The device code may arrive in a second email from a Microsoft tenant, or the user may be automatically forwarded to the code entry page.

Another toolkit cited is Graphish, which circulated on private criminal forums and was distributed free of charge to “trusted” members. Designed for high-volume attacks against Microsoft accounts, it supports the creation of convincing phishing pages and adversary-in-the-middle scenarios via reverse proxies. Victims enter credentials, complete MFA, and the attacker captures the session. To increase credibility, the attacker needs a domain and SSL certificate, along with Azure app registration and a client ID to steer victims toward OAuth permissions. Proofpoint emphasizes that such kits dramatically lower the barrier to entry, enabling even low-skilled criminals to execute sophisticated attacks.

As an illustration, Proofpoint describes a campaign uncovered on December 8. Victims received a “reminder” email about a supposedly shared document titled “Salary Bonus + Employer Benefit Reports 25.” The link led to an attacker-controlled site localized by IP address and branded to match the target organization. After entering an email address, victims were shown a “secure authentication” prompt with a code and instructions to enter it on Microsoft’s device authorization page—an action that effectively granted the attacker access to Microsoft 365.

Researchers also detail TA2723, a financially motivated high-volume phisher known for spoofing OneDrive, LinkedIn, and DocuSign, which began using device codes in October 2025. In one wave on October 9–10, emails masqueraded as shared files personalized to recipients. Clicking the link initially led to an “OTP generation” page; the button then changed behavior, redirecting victims to Microsoft’s legitimate portal, where they unknowingly authorized an attacker-controlled application. Based on timing, tactical shifts, and Graphish’s appearance on private forums shortly before the second wave, Proofpoint suspects TA2723 campaigns may have leveraged SquarePhish2 and Graphish.

According to Proofpoint, state-linked actors have also adopted device code phishing since January 2025, aligning with the broader shift toward passwordless phishing. The technique has been most widely observed among groups with Russian alignment, with suspected China-linked activity and other unattributed espionage campaigns also noted. A prominent example is UNK_AcademicFlare, which Proofpoint has tracked since at least September 2025. In these campaigns, attackers used compromised email accounts from government and military organizations to build trust through seemingly benign correspondence, eventually steering targets toward a fictitious meeting or interview and then sending a link to a “document with questions.” The link pointed to a Cloudflare Worker URL impersonating OneDrive and launched a device code flow, instructing the victim to copy the code and continue on Microsoft’s login page.

In its recommendations, Proofpoint identifies blocking the device code flow via Conditional Access—using the Authentication Flows condition—as the most reliable mitigation, deployed initially in report-only mode or after an impact assessment based on historical sign-in logs. Where full blocking is not feasible, an allow-list model is advised, with restrictions by user, operating system, IP range, or named locations.
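The impact assessment step above is a matter of finding which users and applications actually use the device code flow today, and from where, so that a block policy does not break legitimate tooling and an allow-list can be scoped. The following is an added example, not Proofpoint’s or Microsoft’s code. The sample records are constructed and modelled on an Entra ID sign-in log export; the field names it reads (`authenticationProtocol` with the value `deviceCode`, `appDisplayName`, `ipAddress`, `status.errorCode`) are assumed to follow the Microsoft Graph sign-in resource and should be checked against your own export. The corporate IP range and the list of expected device-code applications are placeholders.

```python
"""Assess historical sign-in logs for device code flow use before blocking it.

Added example, not Proofpoint's or Microsoft's code. Field names are assumed to
follow the Microsoft Graph signIn resource; verify them against your export.
"""
import ipaddress
from collections import Counter

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.25",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Unknown App (placeholder)",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Office 365 Exchange Online",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.40",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50126}},   # failed attempt; still counts as usage
]

# Placeholder corporate egress range; replace with your named locations.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Apps assumed to use the device code flow legitimately in this example tenant.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def is_corporate(ip: str, ranges=CORPORATE_RANGES) -> bool:
    """True when the address falls inside one of the known corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def device_code_signins(records):
    """Select only sign-ins that used the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def assess(records, ranges=CORPORATE_RANGES, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Summarise device code usage and split users into allow-list candidates
    (only expected apps, only corporate addresses) and users needing review."""
    dc = device_code_signins(records)
    flagged = [r for r in dc
               if not is_corporate(r["ipAddress"], ranges)
               or r["appDisplayName"] not in expected_apps]
    flagged_users = {r["userPrincipalName"] for r in flagged}
    candidates = {r["userPrincipalName"] for r in dc} - flagged_users
    return {
        "total_signins": len(records),
        "device_code_signins": len(dc),
        "successful": sum(1 for r in dc if r["status"]["errorCode"] == 0),
        "by_user": Counter(r["userPrincipalName"] for r in dc),
        "by_app": Counter(r["appDisplayName"] for r in dc),
        "flagged": flagged,
        "allow_list_candidates": candidates,
        "review_users": flagged_users,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_SIGNINS)
    print(f"{report['device_code_signins']} of {report['total_signins']} sign-ins used the device code flow")
    print("by app:", dict(report["by_app"]))
    print("allow-list candidates:", sorted(report["allow_list_candidates"]))
    for r in report["flagged"]:
        print("review:", r["userPrincipalName"], r["appDisplayName"], r["ipAddress"])
```

Run against a full export, the `by_app` counter tells you which tools would break under a block policy, and `review_users` is the set to inspect before the policy moves from report-only to enforced; a device code sign-in from outside the corporate ranges to an application nobody recognises is exactly the pattern the campaigns described above leave behind.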

Additional guidance includes requiring sign-ins only from managed or compliant devices (where device registration or Intune is in use) and revisiting user training. In these attacks, URL inspection offers little protection, since the code is entered on a legitimate Microsoft domain. The critical red flag is the request to input a device code obtained from an untrusted source. Proofpoint expects abuse of OAuth mechanisms to increase as FIDO-compatible MFA approaches become more widespread.

Tags: Account Takeover (ATO), Conditional Access, Device Code Phishing, Graphish, Microsoft 365, OAuth 2.0, Proofpoint, SquarePhish2, TA2723, UNK_AcademicFlare