State actors are abusing OAuth device codes to get full M365 account access - here's what we know

2025-12-19 14:15

Researchers spotted multiple groups using the same technique and believe it's only going to get worse.

News by Sead Fadilpašić, published 19 December 2025

  • Proofpoint reports phishing surge abusing Microsoft OAuth 2.0 device code flow
  • Victims enter codes on real Microsoft domains, granting attackers access tokens
  • Proofpoint advises blocking device code flows

Cybercriminals, including state-sponsored threat actors, are increasingly abusing Microsoft’s OAuth 2.0 device code authentication flow to take over Microsoft 365 accounts.

This is according to a new report by cybersecurity researchers Proofpoint. In a paper published on December 18, the researchers confirm that they have seen a sharp escalation of social engineering attacks since September 2025, in which victims are tricked into granting access to their accounts.

The attack usually starts with a phishing email containing either a link or a QR code. Victims are then told that, in order to view the contents, they need to reauthenticate their account by entering a device code on Microsoft’s login page.


Russians, Chinese, and others

Once the victim enters the code, the threat actors receive an access token tied to the victim’s account, which not only gives them access but also enables email monitoring, lateral movement, and more.

The login happens on a real Microsoft domain, Proofpoint further explains, which means that traditional phishing defenses and user awareness checks are mostly useless. The attackers aren’t actually stealing passwords or MFA codes, so no alarms are triggered there, either.

Proofpoint says there are multiple groups currently abusing this technique, including TA2723 (a financially motivated threat actor), UNK_AcademicFlare (a Russian state-sponsored threat actor targeting government and military email accounts for cyber-espionage purposes), and multiple groups from China.

Proofpoint also notes that the criminals are using different phishing frameworks, such as SquarePhish 2 and Graphish, which automate device code abuse, support QR codes, and integrate with Azure app registrations. This lowers the barrier to entry and allows even low-skilled threat actors to engage in attacks.


Proofpoint believes the abuse of OAuth and device code authentication is likely to grow, especially as organizations adopt passwordless and FIDO-based authentication, and recommends blocking device code flows via Conditional Access where possible.
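Because the sign-in completes on a genuine Microsoft domain with no password or MFA prompt being stolen, the most reliable place to catch this technique is the identity provider’s own sign-in records. The following added example is not from the article or from Proofpoint: it triages a handful of constructed Entra ID sign-in records, flags every successful device code flow login, and rates it “high” unless the target application is on a deliberate allowlist (for example a CLI tool on a headless host that legitimately needs the flow). It assumes records shaped like the Microsoft Graph signIn resource, where the authenticationProtocol field carries the value deviceCode for this flow; the application names, IPs and users in the sample are invented.

```python
"""Triage Entra ID sign-in records for OAuth 2.0 device code flow logins.

Assumptions (not from the article): records follow the shape of the
Microsoft Graph signIn resource, using the fields `authenticationProtocol`
(value "deviceCode" for the device code flow), `userPrincipalName`,
`appDisplayName`, `ipAddress`, `createdDateTime` and `status.errorCode`.
All sample records below are constructed for illustration.
"""
import json
from dataclasses import dataclass

# Hypothetical allowlist: apps for which the organisation has deliberately
# permitted the device code flow (e.g. a build agent with no browser).
ALLOWED_DEVICE_CODE_APPS = {"Corp Build Agent"}

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = json.dumps([
    {   # ordinary interactive password sign-in: not a device code flow
        "createdDateTime": "2025-12-18T08:01:00Z",
        "userPrincipalName": "alice@example.com",
        "appDisplayName": "Microsoft Office",
        "ipAddress": "203.0.113.10",
        "authenticationProtocol": "none",
        "status": {"errorCode": 0},
    },
    {   # device code flow to an allowlisted app: expected, low priority
        "createdDateTime": "2025-12-18T08:05:00Z",
        "userPrincipalName": "buildbot@example.com",
        "appDisplayName": "Corp Build Agent",
        "ipAddress": "198.51.100.7",
        "authenticationProtocol": "deviceCode",
        "status": {"errorCode": 0},
    },
    {   # device code flow to a general-purpose app: matches the phishing pattern
        "createdDateTime": "2025-12-18T09:12:00Z",
        "userPrincipalName": "alice@example.com",
        "appDisplayName": "Microsoft Office",
        "ipAddress": "203.0.113.10",
        "authenticationProtocol": "deviceCode",
        "status": {"errorCode": 0},
    },
    {   # failed device code attempt: no token was issued, so it is skipped here
        "createdDateTime": "2025-12-18T09:15:00Z",
        "userPrincipalName": "bob@example.com",
        "appDisplayName": "Microsoft Office",
        "ipAddress": "203.0.113.11",
        "authenticationProtocol": "deviceCode",
        "status": {"errorCode": 50126},   # constructed non-zero error code
    },
])


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    ip: str
    when: str
    severity: str  # "high" for non-allowlisted apps, "info" otherwise


def device_code_findings(raw_json: str,
                         allowlist=frozenset(ALLOWED_DEVICE_CODE_APPS)) -> list[Finding]:
    """Return one Finding per successful device code flow sign-in, high first."""
    findings = []
    for rec in json.loads(raw_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        # A non-zero error code means no token was issued; count those
        # separately in a real pipeline, but they are not account takeovers.
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        app = rec.get("appDisplayName", "")
        severity = "info" if app in allowlist else "high"
        findings.append(Finding(
            user=rec.get("userPrincipalName", ""),
            app=app,
            ip=rec.get("ipAddress", ""),
            when=rec.get("createdDateTime", ""),
            severity=severity,
        ))
    # Surface the likely compromises before the expected ones.
    findings.sort(key=lambda f: (f.severity != "high", f.when))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings by severity for a dashboard or alert threshold."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS):
        print(f"[{f.severity}] {f.when} {f.user} -> {f.app} from {f.ip}")
    print(severity_counts(device_code_findings(SAMPLE_SIGNINS)))
```

Run against a real export, every "high" finding is a user who completed a device code sign-in to an app that was never meant to use that flow, which is exactly what the phishing lure produces; the "info" entries show why an outright block should be scoped with exceptions for any headless tooling before it is enforced in Conditional Access.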


Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
