URL redirect from email message to OTP generation site | Image: Proofpoint
Cybercriminals have found a new way to turn corporate security protocols against themselves, weaponizing a legitimate Microsoft authentication feature to steal user accounts. A new report from the Proofpoint Threat Research Team details a surge in “Device Code Phishing,” a technique where attackers trick users into handing over total control of their accounts by simply entering a code on a trusted website.
The campaign highlights a shift in tactics: instead of stealing passwords directly, attackers are obtaining OAuth 2.0 access and refresh tokens, the “keys” to the account itself.
The attack abuses the OAuth 2.0 device authorization grant (RFC 8628), a flow designed for devices with limited input capabilities, such as smart TVs or printers. In legitimate use, the device requests a code from the identity provider and displays it; the user enters that code on a separate computer or phone, signs in there, and the device is then issued tokens.
Attackers hijack this process by starting the flow themselves: they request a device code, then send a phishing email containing the user code and a link to the genuine Microsoft portal (https://microsoft.com/devicelogin). Because the URL is legitimate, standard phishing training, which teaches users to check the address bar, often fails.
“Traditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal,” the report warns.
This is not an isolated technique used by a single group. Proofpoint researchers have observed “multiple threat clusters – both state-aligned and financially-motivated” adopting this method.
The goal is simple but devastating: Account Takeover (ATO). Once the user enters the code and completes sign-in, MFA included, the application that initiated the flow, which belongs to the attacker, is issued an access token and, when the requested scope allows it, a refresh token, giving persistent access to the victim’s Microsoft 365 account. This access can be used for “data exfiltration, and more,” and because a refresh token can be redeemed for new access tokens, the attacker usually needs neither the user’s password nor a fresh MFA prompt in future sessions.
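To make concrete how the flow described above is turned against the user, here is an added example (not code from the Proofpoint report or from Microsoft): a Python simulation of the device authorization grant with a stand-in authorization server, the attacker acting as the OAuth client, and the victim entering the code on the trusted portal. The endpoint names, client ID, scopes, user names and the 15-minute code lifetime are assumptions for the simulation; the real endpoints live at login.microsoftonline.com and the verification page is the genuine https://microsoft.com/devicelogin.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628) showing why
device code phishing works.  Added example, not Proofpoint's or Microsoft's
code: the server, client ID, scopes and user names are constructed stand-ins
and the behaviour is a simplified model of the real flow."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_LIFETIME = 15 * 60  # seconds; assumed device-code lifetime


@dataclass
class PendingAuth:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    authorized_by: Optional[str] = None  # user who entered the code


class AuthorizationServer:
    """Stand-in identity provider.  verification_uri is the trusted page the
    victim is sent to; nothing on it reveals who requested the code."""
    verification_uri = "https://microsoft.com/devicelogin"

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.pending: Dict[str, PendingAuth] = {}  # device_code -> request
        self.by_user_code: Dict[str, str] = {}     # user_code -> device_code

    def devicecode(self, client_id: str, scope: str) -> dict:
        """Step 1: the client (here, the attacker) starts the flow and gets
        both the secret device_code and the short user_code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = PendingAuth(
            client_id, scope, user_code, self.now() + CODE_LIFETIME)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": CODE_LIFETIME, "interval": 5}

    def devicelogin(self, user_code: str, user: str, mfa_ok: bool) -> str:
        """Step 2: whoever types the user_code on the portal signs in with
        their own password and MFA; the server cannot tell that the code was
        generated by someone else."""
        device_code = self.by_user_code.get(user_code)
        req = self.pending.get(device_code)
        if req is None or self.now() > req.expires_at:
            return "invalid_or_expired_code"
        if not mfa_ok:
            return "mfa_required"
        req.authorized_by = user
        return f"authorized {req.client_id} for {req.scope}"

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3: the holder of the device_code polls for tokens."""
        req = self.pending.get(device_code)
        if req is None or req.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.now() > req.expires_at:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if req.authorized_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": f"at.{req.authorized_by}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{req.authorized_by}.{secrets.token_hex(8)}",
                "scope": req.scope, "token_type": "Bearer"}


def phishing_scenario(victim: str, delay: float = 60.0) -> dict:
    """Attacker-initiated flow: the attacker mails the user_code plus the
    legitimate verification_uri, the victim signs in, the attacker polls and
    collects the tokens.  `delay` is how long the victim takes to act; past
    CODE_LIFETIME the lure fails, which is why lures press for urgency."""
    clock = [1_000_000.0]  # fake clock so expiry can be exercised offline
    server = AuthorizationServer(now=lambda: clock[0])
    attacker_client = "attacker-registered-app"  # constructed client ID
    start = server.devicecode(attacker_client,
                              "Mail.Read Files.ReadWrite offline_access")
    first_poll = server.token(attacker_client, start["device_code"])  # pending
    clock[0] += delay
    portal = server.devicelogin(start["user_code"], victim, mfa_ok=True)
    result = server.token(attacker_client, start["device_code"])
    return {"lure_url": start["verification_uri"], "user_code": start["user_code"],
            "first_poll": first_poll, "portal_response": portal,
            "token_response": result}


if __name__ == "__main__":
    print(phishing_scenario("alice@contoso.example"))
```

The point the simulation makes is that the password and the MFA proof are presented by the victim to the real portal, while the tokens are returned to whichever client requested the device code. The server only checks that the polling client is the one that started the flow and that the code has not expired, so a user who acts within the window hands the attacker a usable refresh token.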
The success of these attacks relies heavily on manipulating user psychology. The lures often mimic security alerts or administrative requests, creating a sense of urgency; a device code is also only valid for a short window, so the victim must be pushed to act before it expires.
“These campaigns rely heavily on social engineering, most often using lures with embedded URLs or QR codes to trick users into thinking they are securing their accounts”.
By framing the attack as a security update or a required verification, attackers convince users to perform the very action that compromises them.
As organizations tighten their defenses with Multi-Factor Authentication (MFA) and FIDO2 security keys, attackers are forced to find workarounds. Abusing valid authorization flows, in which the victim completes a genuine sign-in and the attacker collects the resulting tokens, appears to be the next frontier.
“Proofpoint assesses that the abuse of OAuth authentication flows will continue to grow with the adoption of FIDO compliant MFA controls,” the researchers concluded.