New Phishing Trend: Device Code Attacks Target M365 Users
Attackers are increasingly targeting Microsoft 365 users with a sophisticated technique known as device code authorization phishing, as warned by Proofpoint. This method represents a significant evolution in cyber threats, moving beyond traditional password theft to exploit modern authentication protocols.
The core of the attack involves abusing Microsoft's OAuth 2.0 device authorization grant flow. Users are tricked into interacting with malicious prompts that present them with device codes. When these codes are inadvertently entered by the user, they grant attackers unauthorized access tokens, effectively giving them control over enterprise accounts. This approach is particularly dangerous because it is designed to bypass multi-factor authentication (MFA) protections, which are typically robust safeguards against account compromise.
The primary risk is the complete compromise of enterprise accounts, allowing attackers to gain unauthorized access and control, potentially leading to data breaches or further malicious activities within an organization's network. This trend highlights a broader shift in attacker tactics, focusing on exploiting authentication flows rather than just credentials, underscoring the need for heightened user awareness and robust security measures that can detect and mitigate such advanced phishing attempts.
While blockchain technology phishing attacks have gained attention recently, the device code method represents a more immediate threat to M365 environments.
These sophisticated attacks often target financial institutions and their sensitive data, including information about gold reserves and other valuable assets.
(Source: https://www.helpnetsecurity.com/2025/12/18/microsoft-365-device-code-phishing/)


