Date: 2025-12-23

Cybersecurity firm Proofpoint has warned of a sharp rise in attacks targeting Microsoft 365 enterprise accounts by abusing a legitimate Microsoft authentication feature. The campaigns bypass multifactor authentication without stealing passwords or one-time codes, instead tricking users into approving access on their own devices. Researchers say the activity has increased significantly since September 2025 and involves both financially motivated cybercriminals and state-aligned threat actors. The attacks mark a broader shift in phishing tactics, where attackers exploit trusted authentication workflows rather than traditional credential theft.

How Hackers Bypassed MFA Using Microsoft's OAuth Device Code Flow

According to a Proofpoint blog post, attackers are misusing Microsoft's OAuth 2.0 device authorisation flow, a feature designed for devices with limited input, such as smart TVs and IoT hardware. In these attacks, victims are said to receive phishing emails or messages that claim to require urgent verification, document access, or account security checks. The messages often include links or QR codes, the cybersecurity firm added.

When users click the links, they are shown a device code, which is falsely presented as a one-time password or security token, according to the report. Victims are then instructed to enter the code on Microsoft's legitimate device login page.

Proofpoint explains that once the user enters the code, Microsoft authorises an OAuth access token for an attacker-controlled application, immediately granting access to the victim's Microsoft 365 account.

Because the login happens on a real Microsoft domain, many phishing detection tools fail to detect the attack. Proofpoint said successful compromises allow attackers to steal data, move laterally across corporate systems, and maintain persistent long-term access. In some cases, stolen data is later used for extortion.

Proofpoint researchers have tracked multiple threat clusters using this technique. These include financially motivated groups such as TA2723, which uses lures related to salary updates, benefits notices, and shared documents.

The firm has also observed state-aligned activity, particularly from a suspected Russia-linked group it tracks as UNK_AcademicFlare. This group reportedly uses compromised government and military email accounts to build trust before launching device code phishing campaigns targeting government, academic, and transportation sectors in the US and Europe.

The surge has been enabled by readily available phishing tools. Proofpoint identified two main kits driving the campaigns: SquarePhish2 and Graphish. SquarePhish2 automates the OAuth device authorisation flow and often uses QR codes, while Graphish enables phishing through Azure App Registrations and adversary-in-the-middle techniques.

Researchers noted that these tools lower the technical barrier and allow attackers to scale campaigns despite the short-lived nature of device codes.

Proofpoint said the widespread use of device code phishing is unusual and represents a clear evolution in attacker behaviour. Rather than defeating multifactor authentication head-on, attackers abuse the authentication workflow itself, which makes breaches harder to detect.

The company advised organisations to restrict or block device code authentication using Conditional Access policies, closely monitor OAuth activity, and train users never to enter unsolicited verification codes, even on legitimate login pages.
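As an added example of the "monitor OAuth activity" advice (this is not Proofpoint's code), the script below scans a constructed sign-in log export shaped like Microsoft Entra's Graph `signIn` records and flags successful device code flow sign-ins, especially for apps outside a hypothetical allowlist. The fan-out check assumes the `ipAddress` field records the client that was issued the token; the allowlist, app IDs and log records are all made up.

```python
"""Flag device code flow sign-ins in a Microsoft Entra sign-in log export."""
import json

# Constructed sample records, modelled on the Graph API signIn resource
# (authenticationProtocol is a real field; every value below is made up).
SAMPLE_LOG = json.dumps([
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "appId": "00000000-0000-0000-0000-00000000aaaa", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "appId": "00000000-0000-0000-0000-00000000bbbb", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "appId": "00000000-0000-0000-0000-00000000bbbb", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Build Agent",
     "appId": "00000000-0000-0000-0000-00000000cccc", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.44", "status": {"errorCode": 50126}},
])

# Hypothetical allowlist: app IDs that legitimately use device code flow in this tenant.
APPROVED_DEVICE_CODE_APPS = frozenset({"00000000-0000-0000-0000-00000000cccc"})

def flag_device_code_signins(log_json, approved=APPROVED_DEVICE_CODE_APPS):
    """Return successful device code sign-ins and IPs that completed them for several users."""
    flagged, ip_users = [], {}
    for rec in json.loads(log_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # interactive and other flows are out of scope for this check
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are noise here; alert on successful token issuance
        reasons = ["device code flow succeeded"]
        if rec.get("appId") not in approved:
            reasons.append("app not on device-code allowlist")
        flagged.append({"user": rec["userPrincipalName"], "app": rec["appDisplayName"],
                        "ip": rec["ipAddress"], "reasons": reasons})
        ip_users.setdefault(rec["ipAddress"], set()).add(rec["userPrincipalName"])
    # One source IP completing device code sign-ins for multiple users is the
    # fan-out pattern a phishing kit produces (assumes ipAddress is the token client).
    fan_out = {ip: len(users) for ip, users in ip_users.items() if len(users) > 1}
    return flagged, fan_out

if __name__ == "__main__":
    hits, fan_out = flag_device_code_signins(SAMPLE_LOG)
    for h in hits:
        print(f"{h['user']} via {h['app']} from {h['ip']}: {', '.join(h['reasons'])}")
    print("IPs completing device code sign-ins for multiple users:", fan_out)
```

Pair the alert with the Conditional Access block mentioned above so that a flagged sign-in also shows whether the policy failed to apply.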

Microsoft reportedly did not respond to a request for comment on the findings.