Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
27.03.2026

Device code phishing targets 340+ Microsoft 365 orgs since Feb 2026 via OAuth abuse, enabling persistent token hijacking and account takeover.
Hold up: a massive device code phishing campaign has hit more than 340 Microsoft 365 organizations across five countries since February 2026. This isn't your grandma's phishing email. It's an OAuth abuse operation that collects authentication tokens for persistent account takeover, and the victim does the MFA step for the attacker.

The attack abuses Microsoft's device code flow, the "enter this code at microsoft.com/devicelogin" sign-in that exists for IoT devices and command-line tools with no browser of their own. Threat actors are weaponizing it to obtain OAuth access and refresh tokens that already carry the victim's completed MFA, giving them stealthy, persistent access to corporate accounts.
Here's the play-by-play. The attacker starts the device code flow on their own machine and receives a short user code from Microsoft. That code goes into the lure, an email or a fake login page that tells the victim to "verify" by entering it at microsoft.com/devicelogin. The victim lands on a genuine Microsoft page, enters the code, signs in and completes MFA, so nothing looks wrong. Meanwhile the attacker's machine keeps polling Microsoft's token endpoint, and as soon as the victim approves, that poll returns an access token and a refresh token for the victim's account. The access token expires within roughly an hour, but the refresh token can be redeemed for fresh tokens for days or longer unless it is revoked. The attacker never learns the password and never has to defeat MFA: the victim satisfies the MFA prompt on the attacker's behalf.
- Targets: 340+ Microsoft 365 organizations across five countries
- Timeline: Active since February 2026
- Technique: Device code phishing via OAuth abuse
- Impact: Persistent token hijacking, account takeover, data exfiltration
- MFA: Sidestepped, not broken; the victim completes the MFA prompt for a session the attacker initiated
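To make the flow described above concrete, here is a toy model of the OAuth 2.0 device authorization grant (RFC 8628) with all three parties in one script. This is an added example, not code from the original article or from Microsoft: the endpoint names, code lengths, lifetimes and the client name "phisher-client" are simplifications chosen for illustration. The structural point it demonstrates is the one that matters for the campaign: tokens are delivered to whoever obtained the device_code, and the user's authentication, MFA included, is attached to that party's session.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration; assumptions: simplified endpoints, no real network,
not Microsoft's implementation. Only the shape of the exchange is faithful.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
VERIFICATION_URI = "https://microsoft.com/devicelogin"  # the real page users are sent to


@dataclass
class PendingGrant:
    user_code: str
    client_id: str            # whoever called the device authorization endpoint
    scope: str
    expires_at: int
    approved_by: Optional[str] = None   # UPN of the human who typed the user_code
    mfa_satisfied: bool = False


class AuthorizationServer:
    def __init__(self, code_lifetime: int = 900) -> None:
        self.clock = 0                  # simulated seconds
        self.code_lifetime = code_lifetime
        self.grants = {}                # device_code -> PendingGrant
        self.user_codes = {}            # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Leg 1: the requesting client gets a device_code and a user_code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self.grants[device_code] = PendingGrant(
            user_code, client_id, scope, self.clock + self.code_lifetime)
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.code_lifetime, "interval": 5}

    def user_enters_code(self, user_code: str, upn: str, passed_mfa: bool) -> str:
        """Leg 2: a human types the user_code at the verification URI and signs in."""
        device_code = self.user_codes.get(user_code)
        if device_code is None:
            return "invalid_user_code"
        grant = self.grants[device_code]
        if self.clock > grant.expires_at:
            return "expired_token"
        grant.approved_by = upn
        grant.mfa_satisfied = passed_mfa
        return "approved"

    def token(self, device_code: str, client_id: str) -> dict:
        """Leg 3: the requesting client polls; tokens come back once a user approved."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens are issued for the approving user, to the client that holds device_code.
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(32),   # long-lived: the persistence
                "sub": grant.approved_by, "scope": grant.scope,
                "amr": ["pwd", "mfa"] if grant.mfa_satisfied else ["pwd"]}


def run_device_code_exchange(victim_upn: str = "alice@example.com",
                             victim_passes_mfa: bool = True) -> dict:
    """Walk all three legs. 'phisher-client' (assumed name) is whoever initiated
    the flow; in the campaign above that is the attacker, not the victim."""
    server = AuthorizationServer()
    initiator = "phisher-client"
    leg1 = server.device_authorization(initiator, "Mail.Read Files.Read offline_access")

    # Polling before the victim has acted only yields authorization_pending.
    pending = server.token(leg1["device_code"], initiator)

    # The victim sees only the user_code in the lure; everything else happens
    # on the genuine verification page, including MFA.
    outcome = server.user_enters_code(leg1["user_code"], victim_upn, victim_passes_mfa)

    # The initiator's next poll returns tokens for the victim's identity.
    tokens = server.token(leg1["device_code"], initiator)
    return {"pending_error": pending.get("error"), "approval": outcome, "tokens": tokens}


if __name__ == "__main__":
    result = run_device_code_exchange()
    print(result["pending_error"], result["approval"],
          result["tokens"]["sub"], result["tokens"]["amr"])
```

Note what the victim never sees: the device_code. Only the user_code crosses to them, and the genuine sign-in page has no way to know that the code was minted by someone else's machine. That is the whole trick, and it is why user education ("only enter a device code you requested yourself, on a device you are holding") is part of the fix.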
This is next-level persistence — once they have those OAuth tokens, attackers can access emails, SharePoint, Teams, and other M365 services without needing passwords again. It's like giving them a master key to your digital office.
The campaign shows how threat actors are evolving beyond credential stuffing to exploit authentication protocols themselves. OAuth abuse is becoming the new frontier for enterprise attacks — and Microsoft's device code flow is just the latest vector.
Defenders need to do four things. First, decide whether the tenant needs device code flow at all; Microsoft Entra Conditional Access has an "Authentication flows" condition that can block device code flow outright, or allow it only for the users and devices that genuinely run browserless tooling. Second, hunt the Entra sign-in logs for sign-ins whose authentication protocol is "Device Code", paying attention to unfamiliar apps, locations that don't match the user's normal pattern, and one source IP completing device code sign-ins for several users (the attacker authenticates from their own machine, so their tokens cluster there). Third, when a victim is found, revoke their refresh tokens and re-check consented OAuth apps; a password reset alone does not end a session built on a stolen token. Fourth, teach users the one rule that defeats this lure: never type a device code you did not request yourself on a device you are holding. Because when the attacker's session is approved with a single code entry, traditional "MFA is enabled" playbooks need a serious update.
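The hunting step above, as an added example that is not part of the original article or any Microsoft tooling. It walks exported Entra ID sign-in log records (Graph "signIn" objects; only the fields used here are modelled) and scores every successful device-code sign-in on three signals: an app not expected to use device code, a country outside the user's baseline from their other sign-ins, and a source IP that completed device-code sign-ins for more than one user. The records are constructed sample data, the allowlist is an assumption to tune per tenant, and the IPs are documentation ranges.

```python
"""Hunt for suspicious device-code sign-ins in Microsoft Entra ID sign-in log exports.

Added example; assumptions: records follow the Graph 'signIn' shape for the
fields used (authenticationProtocol, ipAddress, location.countryOrRegion,
appDisplayName, status.errorCode); sample data below is constructed.
"""
import json
from collections import defaultdict

# Assumption: apps your tenant legitimately drives through device code. Tune this.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

# Constructed sample export: one attacker IP (198.51.100.77) collecting two victims.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-03-02T08:01:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "DE"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:14:52Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Some Console App",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:20:03Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Some Console App",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "DE"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "status": {"errorCode": 0}},
])


def hunt_device_code_signins(signins_json: str) -> list:
    """Return one finding per successful device-code sign-in, highest score first."""
    records = json.loads(signins_json)
    baseline_countries = defaultdict(set)   # upn -> countries seen on non-device-code sign-ins
    device_code_ip_users = defaultdict(set) # ip -> users who completed device code from it

    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline_countries[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
        elif r["status"]["errorCode"] == 0:
            device_code_ip_users[r["ipAddress"]].add(r["userPrincipalName"])

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        upn = r["userPrincipalName"]
        reasons = []
        if r["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app not expected to use device code")
        country = r["location"]["countryOrRegion"]
        if baseline_countries[upn] and country not in baseline_countries[upn]:
            reasons.append(f"country {country} outside user's baseline")
        others = device_code_ip_users[r["ipAddress"]] - {upn}
        if others:
            reasons.append(f"same IP completed device code for {sorted(others)}")
        findings.append({"user": upn, "time": r["createdDateTime"], "ip": r["ipAddress"],
                         "app": r["appDisplayName"], "score": len(reasons),
                         "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["user"]))


if __name__ == "__main__":
    for f in hunt_device_code_signins(SAMPLE_SIGNINS):
        print(f["score"], f["user"], f["ip"], f["app"], "; ".join(f["reasons"]))
```

The shared-IP signal is the cheap one that scales: a legitimate CLI user authenticates from their own workstation, while a phishing operator's machine polls for tokens on behalf of many victims, so several unrelated users "signing in" from one address with device code is a strong lead even before geography or app names are considered.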
Tags: MFA, Microsoft 365 attacks, OAuth security, phishing, device code phishing

