Device Code Phishing Hits 340+ Microsoft 365 Orgs via OAuth Abuse
Overview:
A large-scale phishing campaign has been identified targeting Microsoft 365 (O365) users by abusing the OAuth device authorization flow. This attack, known as Device Code Phishing, tricks users into logging in through legitimate Microsoft pages and unknowingly granting attackers access to their accounts.
The key concern with this attack is that it provides persistent access using authentication tokens, which remain valid even after the user resets their password, making it highly dangerous and difficult to detect using traditional methods.
Who It Impacts:
This attack affects organizations using Microsoft 365 (O365) and Microsoft Entra ID (Azure AD) for authentication.
It has been observed across multiple industries, including construction, healthcare, financial services, government, legal, real estate, and non-profit organizations.
How It Impacts:
The attack exploits the legitimate OAuth device login flow. The attacker first generates a device authentication code and sends it to the victim via a phishing email, often disguised as a DocuSign request, voicemail notification, or document-sharing alert.
The victim is redirected through multiple trusted services (such as security vendor links, Cloudflare, or Vercel) to a phishing page that displays the device code. The user is then prompted to authenticate on the official Microsoft login page (microsoft[.]com/devicelogin).
Once the user enters their credentials and completes multi-factor authentication (MFA), Microsoft generates access and refresh tokens. Since the attacker already knows the device code, they can retrieve these tokens and gain unauthorized access to the account.
This access persists even if the password is changed, allowing attackers to read emails, access files, and potentially move laterally within the environment.
IOCs (Indicators of Compromise):
Malicious IP Addresses:
162.220.234[.]41
162.220.234[.]66
162.220.232[.]57
162.220.232[.]99
162.220.232[.]235
Suspicious Infrastructure:
Railway (PhaaS hosting attacker infrastructure)
Cloudflare Workers (workers[.]dev)
Vercel (used in redirect chains)
Phishing Indicators:
Emails themed as DocuSign, voicemail, or file-sharing requests
Links using trusted redirect services (Cisco, Mimecast, Trend Micro)
Device login prompts via microsoft[.]com/devicelogin
Recommendations:
- Monitor Microsoft 365 sign-in logs for device code authentication events and suspicious login activity.
- Revoke all active refresh tokens for users suspected to be compromised.
- Block access from known malicious IP addresses and restrict authentication from untrusted locations.
- Disable or restrict Device Code Flow if it is not required in the environment.
- Implement Conditional Access Policies, including location-based restrictions and device compliance checks.
- Enable Identity Protection and risk-based sign-in policies in Azure AD.
- Educate users to avoid entering authentication codes received via email and to use only official login portals.
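As an added example (not from the advisory or the cited article), the following Python script implements the first recommendation: it triages constructed Entra ID sign-in records, keeps only device-code authentications, and ranks them against the IP IOCs listed above. It assumes Microsoft Graph signIn field names (authenticationProtocol with value deviceCode, ipAddress, userPrincipalName, createdDateTime, location.countryOrRegion) and a hypothetical baseline set of countries where device-code sign-ins are expected.

```python
# Added example, not from the advisory: triage Entra ID sign-in records for
# device-code authentications and rank them against the advisory's IP IOCs.
# Assumes Microsoft Graph signIn field names (authenticationProtocol, ipAddress,
# userPrincipalName, createdDateTime, location.countryOrRegion); EXPECTED_COUNTRIES
# is a hypothetical baseline for the tenant.
import json

IOC_IPS = {"162.220.234.41", "162.220.234.66", "162.220.232.57",   # advisory IOCs,
           "162.220.232.99", "162.220.232.235"}                     # defanging removed
EXPECTED_COUNTRIES = {"US"}  # assumption: where device-code sign-ins are normal
SEVERITY_ORDER = ("high", "medium", "low")

SAMPLE_SIGNINS = json.dumps([  # constructed sample records, not real log data
    {"createdDateTime": "2026-03-10T14:02:11Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "162.220.232.57",
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-03-10T14:05:40Z", "userPrincipalName": "b.kim@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.8",
     "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2026-03-10T14:06:02Z", "userPrincipalName": "c.diaz@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.3",
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-03-10T14:09:55Z", "userPrincipalName": "d.roy@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "US"}},
])

def triage_device_code_signins(raw_json: str) -> list[dict]:
    """One finding per device-code sign-in. Severity: 'high' when the source IP
    is a listed IOC, 'medium' when the country is outside the expected baseline,
    'low' otherwise (still worth review: refresh tokens outlive password resets)."""
    findings = []
    for rec in json.loads(raw_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # browser/interactive flows are out of scope for this check
        ip = rec.get("ipAddress", "")
        country = rec.get("location", {}).get("countryOrRegion", "")
        if ip in IOC_IPS:
            severity = "high"
        elif country not in EXPECTED_COUNTRIES:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"user": rec["userPrincipalName"], "ip": ip, "country": country,
                         "time": rec["createdDateTime"], "severity": severity})
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))

if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['time']} {f['user']} {f['ip']} ({f['country']})")
```

High findings are candidates for immediate refresh-token revocation; low findings establish the tenant's baseline before device code flow is restricted.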
Reference Link:
https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html