Emerging Threat: Hackers Exploit Microsoft’s OAuth Device Code for Account Takeover
In a rapidly evolving threat landscape, hackers are increasingly weaponizing a lesser-known authentication feature from Microsoft to hijack enterprise accounts. This surge in device code phishing is alarming security experts, marking a significant shift in cybercriminal tactics aimed at gaining unauthorized access to sensitive corporate information.
The uptick in device code phishing is closely linked to the public availability of various criminal toolkits and phishing-as-a-service (PhaaS) platforms. These tools have transformed what used to be an obscure method into a widely accessible threat, enabling even less technically skilled criminals to launch sophisticated attacks. New phishing kits are appearing almost weekly, with many being generated or enhanced using AI-assisted techniques known as “vibe coding,” where attackers replicate or slightly tweak existing tools to create near-identical attack chains efficiently.
Device code phishing can be viewed as a natural evolution in the tactics used for credential harvesting. As organizations bolster their defenses against traditional password theft and multi-factor authentication (MFA) bypass techniques, attackers are adapting by exploiting legitimate authentication workflows. Instead of directly stealing credentials, they trick users into authorizing malicious applications, thereby granting attackers persistent access to systems without raising immediate suspicion.
Security researchers at Proofpoint have raised alarms that adversaries are misusing the OAuth device authorization flow to capture Microsoft 365 access tokens. This enables stealthy account takeovers that often evade conventional phishing defenses.
In a typical device code phishing campaign, victims receive carefully crafted phishing emails containing links, attachments, or even QR codes that mimic trusted brands like Microsoft, DocuSign, or Adobe. Upon clicking on such links, the user is directed to a legitimate Microsoft device login process. They are then prompted to enter a unique device code at the official Microsoft login page.
However, this is precisely where attackers succeed. By entering the code, the victim unwittingly authorizes the attacker's session for their Microsoft account. Microsoft then issues authentication tokens tied to the victim's account to that attacker-controlled session, and the cybercriminals use them to access sensitive corporate data, emails, cloud storage, and other connected services.
A key factor contributing to the rise of this threat is the innovation of on-demand device code generation. Earlier iterations of the attack relied on pre-generated codes that expired within a short window, limiting the attackers’ chances of success. Today’s phishing kits are more advanced; they generate codes in real-time as soon as a victim clicks the offending link. This allows cybercriminals to target users continuously without worrying about code expiration.
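Sign-ins completed through this flow appear in the Entra ID sign-in log with the authenticationProtocol field set to "deviceCode", which is the simplest hunting pivot. The following is an added example, not code from the article or from Proofpoint: it triages constructed sign-in records (field names follow the Microsoft Graph signIn resource; the addresses, users and app names are invented) and rates device-code sign-ins that succeeded from outside an assumed trusted network or through an app where device code use is not expected.

```python
import ipaddress
import json

# Constructed sample records, one JSON object per line, mimicking the Graph
# signIn resource. All values are invented for this example.
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Office","conditionalAccessStatus":"notApplied"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.4","appDisplayName":"Outlook","conditionalAccessStatus":"success"}
{"userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","appDisplayName":"Azure CLI","conditionalAccessStatus":"success"}
{"userPrincipalName":"dave@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.55","appDisplayName":"Microsoft Office","conditionalAccessStatus":"failure"}
"""

# Assumed corporate egress range and the apps where device code use is normal
# (e.g. CLI tools on headless hosts). Both are placeholders for this example.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def triage_device_code(log_text, trusted_nets=TRUSTED_NETS,
                       expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return one finding per device-code sign-in with a severity:
    'blocked' when Conditional Access reported failure for the sign-in,
    'high' when it went through from an untrusted network or via an app
    where device code is not expected, 'info' otherwise."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary interactive / OAuth2 sign-ins are out of scope
        ip = ipaddress.ip_address(rec["ipAddress"])
        trusted = any(ip in net for net in trusted_nets)
        expected_app = rec.get("appDisplayName") in expected_apps
        if rec.get("conditionalAccessStatus") == "failure":
            severity = "blocked"
        elif not trusted or not expected_app:
            severity = "high"
        else:
            severity = "info"
        findings.append({"user": rec["userPrincipalName"], "ip": str(ip),
                         "app": rec.get("appDisplayName"), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage_device_code(SAMPLE_SIGNINS):
        print(f)
```

In a real deployment the records would come from the Graph auditLogs/signIns endpoint or a SIEM export, and the "high" findings are the ones to correlate with new inbox rules or internal phishing sent from the same account.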
Platforms like EvilTokens, which first surfaced on Telegram in early 2026, have streamlined this malicious process. They provide attackers with ready-made phishing templates, automated infrastructure, and tools capable of scaling business email compromise (BEC) campaigns dramatically. Affiliate users can manage multiple compromised Microsoft 365 accounts through dedicated dashboards, making it easier for them to coordinate attacks.
Moreover, threat actors are increasing their effectiveness by combining device code phishing with tactics like "account takeover jumping." This method allows a compromised email account to send phishing messages to colleagues or trusted contacts within the organization, significantly boosting the likelihood of success due to the seemingly legitimate origins of the messages.
One particularly notable group, referred to as TA4903, has made a nearly complete transition to device code phishing as of 2026. Recent campaigns attributed to this group involve impersonating HR departments and government entities to distribute PDF attachments containing QR codes. These codes redirect victims through cloud-hosted websites leading them to authentic-looking phishing pages that guide them through the device authorization process.
While many attacks demonstrate a level of sophistication, some campaigns have shown clear signs of poor operational security. Security researchers have observed emails with blank messages and exposed infrastructure details, suggesting that many attackers rely heavily on automated or AI-generated tools without fully grasping their functionality.
The overall trend illustrates a broader shift in the cybercrime ecosystem. Given recent disruptions to traditional adversarial phishing services, many threat actors are pivoting to device code phishing. Competing platforms, such as ODx and Kali365, are now incorporating device code capabilities, hastening the adoption of this fraudulent approach.
Despite the rapid proliferation of device code phishing, it still fundamentally relies on effective social engineering tactics. Much like earlier phishing campaigns, victims must be convinced to accept or enter codes into a trusted platform.
Security experts caution that organizations should focus on mitigating risks by implementing robust security measures. Recommendations include restricting or blocking device code authentication flows through conditional access policies or limiting usage to trusted devices, networks, and users.
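The restriction described above is expressed in Entra ID as a Conditional Access policy whose authenticationFlows condition targets the device code flow. As an added example that is not from the article: the function below builds such a policy body for the Microsoft Graph conditionalAccessPolicy resource (POST /identity/conditionalAccess/policies), with optional exclusions for trusted named locations and break-glass accounts, and a second function checks that a policy as deployed actually enforces the block rather than sitting in report-only mode. Location and user ids are placeholders.

```python
def device_code_block_policy(state="enabled", trusted_location_ids=(),
                             exclude_user_ids=()):
    """Build a Graph conditionalAccessPolicy body that blocks device code
    sign-ins for all users and all apps. transferMethods 'deviceCodeFlow'
    is the Graph value that scopes a policy to this flow."""
    policy = {
        "displayName": "Block device code flow",
        "state": state,  # 'enabled', 'disabled' or 'enabledForReportingButNotEnforced'
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(exclude_user_ids)},  # break-glass accounts
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if trusted_location_ids:
        # Allow the flow only from trusted named locations (placeholder ids).
        policy["conditions"]["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": list(trusted_location_ids),
        }
    return policy


def policy_enforces_device_code_block(policy):
    """Return a list of problems; an empty list means the policy really blocks
    the device code flow. Catches the usual gaps: report-only state, missing
    block control, wrong flow, or a user scope narrower than 'All'."""
    problems = []
    if policy.get("state") != "enabled":
        problems.append("state is %r; report-only or disabled policies do not block"
                        % policy.get("state"))
    conds = policy.get("conditions", {})
    flows = conds.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in flows.split(","):
        problems.append("authenticationFlows does not target deviceCodeFlow")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("grantControls does not include 'block'")
    if conds.get("users", {}).get("includeUsers") != ["All"]:
        problems.append("users scope is not 'All'")
    return problems
```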
As attackers continue to innovate and exploit authentication workflows, maintaining awareness and control over these processes is becoming increasingly critical in defending against modern cyber threats.
In a world where successful attacks can lead to devastating consequences—ranging from full account takeovers to data breaches and even ransomware deployments—organizations must stay vigilant in their efforts to safeguard their digital assets.