Mallory

OAuth Device Code and Malicious App Abuse to Gain Persistent Access in Microsoft Entra ID/Microsoft 365

Tags: identity-authentication-vulnerability, phishing-campaign-intelligence, persistence-method, credential-access-method, voice-social-engineering
Updated March 21, 2026 at 02:22 PM (4 sources)

Threat actors are increasingly abusing OAuth in Microsoft Entra ID and Microsoft 365 to obtain access/refresh tokens that provide durable access even when passwords are reset and MFA is enabled. Reported activity includes both (1) malicious OAuth app registrations and deceptive consent prompts that masquerade as legitimate “business integrations,” and (2) abuse of the OAuth 2.0 Device Authorization Grant (device code flow) where victims authenticate on Microsoft’s legitimate device login portal, making the intrusion harder to detect with credential-focused controls.

Multiple reports describe campaigns against business users and organizations in the technology, manufacturing, and financial sectors, with the stolen tokens used to reach Outlook, Teams, and OneDrive and to take mailbox actions and read data under what looks like legitimate application activity. Research and incident reporting make two points about persistence. First, once a user consents to a malicious app, a service principal for that app is created in the victim tenant, and some such integrations may remain effective even if the consenting user is later disabled. Second, device-code vishing and phishing use legitimate Microsoft OAuth client IDs and the standard login workflow, so the attacker captures tokens without hosting any phishing page of their own; one source attributes the vishing activity to ShinyHunters, which Microsoft had not confirmed at the time of reporting.

Timeline

  1. Feb 19, 2026

    Sources attribute Entra device-code vishing activity to ShinyHunters

    Sources told reporters they believed the device-code vishing intrusions against Microsoft Entra accounts were conducted by ShinyHunters, and the threat actors later confirmed this attribution, though independent verification was not established.

  2. Feb 19, 2026

    Device-code vishing attacks hit Microsoft Entra accounts

    Threat actors began targeting technology, manufacturing, and financial organizations with combined device-code phishing and voice phishing attacks against Microsoft Entra accounts, abusing legitimate Microsoft OAuth client IDs and standard login pages to obtain valid tokens.

  3. Dec 1, 2025

    Device-code campaign targets North American Microsoft 365 business users

    An ongoing campaign targeted Microsoft 365 business users in North America by directing victims to Microsoft's legitimate device login portal, where attacker-supplied device codes enabled theft of OAuth access and refresh tokens for persistent access to Outlook, Teams, and OneDrive.

  4. Dec 1, 2025

    KnowBe4 first observes device-code phishing campaign

    KnowBe4 Threat Labs first observed a device-code phishing campaign in December 2025 targeting Microsoft 365 users with lures such as payment configuration prompts, document-sharing alerts, bonus-related documents, and voicemail notifications.

  5. Feb 1, 2025

    Microsoft highlights device-code phishing targeting Microsoft 365

    Microsoft previously warned that device-code phishing was being used to target Microsoft 365 accounts, documenting abuse of the OAuth 2.0 Device Authorization flow as a credential and token theft technique.

  6. Jan 1, 2025

    Proofpoint links fake Microsoft OAuth apps to early-2025 campaigns

    Proofpoint reported that early-2025 phishing campaigns used impersonated Microsoft OAuth app themes such as Adobe and DocuSign, along with adversary-in-the-middle phishing kits, to steal tokens and establish persistent access in Microsoft 365 environments.
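Every device-code intrusion in the timeline ends with a successful sign-in that Entra ID records with authenticationProtocol set to "deviceCode", so that field is the natural hunting pivot. The block below is an added example, not tooling from Microsoft, KnowBe4 or Proofpoint: it runs a detection over constructed sign-in log lines shaped like the Graph /auditLogs/signIns output, flags successful device-code sign-ins that come through first-party clients the organization does not expect to use that flow or from a country outside the user's own baseline, and then drafts the two response actions the reporting recommends: revoking the user's refresh tokens and a Conditional Access policy that blocks the device code flow tenant-wide. The UNEXPECTED_DEVICE_CODE_APPS list and all log records are assumptions.

```python
"""Detect device-code sign-ins that fit the campaigns above and draft the response.

Records follow the Entra sign-in log shape returned by Graph /auditLogs/signIns
(authenticationProtocol == "deviceCode" marks the Device Authorization Grant).
The log lines are CONSTRUCTED samples, not data from any report.
"""
import json
from collections import defaultdict

# Assumed policy: the org never uses these first-party clients with device code,
# so a device-code sign-in through them is worth a look regardless of location.
UNEXPECTED_DEVICE_CODE_APPS = {"Microsoft Office", "Microsoft Azure CLI",
                               "Microsoft Authentication Broker"}

SIGN_IN_LOG = "\n".join(json.dumps(r) for r in [  # constructed
    {"createdDateTime": "2026-02-18T09:02:11Z", "userPrincipalName": "alice@contoso.example",
     "userId": "u-alice", "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T14:31:05Z", "userPrincipalName": "alice@contoso.example",
     "userId": "u-alice", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NG"}, "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T14:40:42Z", "userPrincipalName": "build@contoso.example",
     "userId": "u-build", "appDisplayName": "Contoso Build Agent", "ipAddress": "203.0.113.20",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T15:00:00Z", "userPrincipalName": "bob@contoso.example",
     "userId": "u-bob", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.78",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50074}},  # non-zero: the grant failed, no token issued
])


def parse_sign_ins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_countries(records):
    """Countries seen per user on successful sign-ins that did NOT use device code."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen[r["userId"]].add(r["location"]["countryOrRegion"])
    return seen


def find_suspicious_device_code_sign_ins(records):
    baseline = baseline_countries(records)
    hits = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # only successful grants yield access/refresh tokens
        reasons = []
        if r["appDisplayName"] in UNEXPECTED_DEVICE_CODE_APPS:
            reasons.append("unexpected first-party client for device code")
        country = r["location"]["countryOrRegion"]
        if baseline.get(r["userId"]) and country not in baseline[r["userId"]]:
            reasons.append(f"country {country} outside user baseline "
                           f"{sorted(baseline[r['userId']])}")
        if reasons:
            hits.append({"user": r["userPrincipalName"], "userId": r["userId"],
                         "app": r["appDisplayName"], "ip": r["ipAddress"],
                         "time": r["createdDateTime"], "reasons": reasons})
    return hits


def response_plan(hits):
    """Per affected user: revoke refresh tokens via Graph revokeSignInSessions."""
    base = "https://graph.microsoft.com/v1.0"
    return [("POST", f"{base}/users/{uid}/revokeSignInSessions")
            for uid in sorted({h["userId"] for h in hits})]


def block_device_code_policy(report_only=True):
    """Conditional Access policy body (Graph conditionalAccessPolicy) that blocks the
    device code flow tenant-wide; start in report-only mode to surface legitimate users."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    hits = find_suspicious_device_code_sign_ins(parse_sign_ins(SIGN_IN_LOG))
    for h in hits:
        print(h["time"], h["user"], h["app"], h["ip"], "; ".join(h["reasons"]))
    print(response_plan(hits))
    print(json.dumps(block_device_code_policy(), indent=2))
```

The policy body is what you would POST to /identity/conditionalAccess/policies; run it in report-only mode first, then exclude the accounts (build agents, headless CLI users) that legitimately need the flow before enforcing it. Note that a stolen refresh token keeps working until it is revoked, so the revocation step is not optional once a hit is confirmed.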


Related Stories

Phishing Attacks Exploiting OAuth Device Code Authorization for Microsoft 365 Account Takeover

Threat actors are increasingly leveraging OAuth 2.0 device code authorization flows to compromise Microsoft 365 accounts through sophisticated phishing campaigns. Proofpoint researchers have observed both state-aligned and financially motivated groups using social engineering tactics to trick users into granting access to malicious applications, resulting in account takeovers, data exfiltration, and broader SaaS supply chain abuse. Attackers initiate these campaigns with phishing messages containing URLs or QR codes that, when followed, prompt users to authorize access for rogue applications, ultimately handing over OAuth tokens to the adversaries. Industry analysis highlights that identity-first intrusions, including device code flow phishing and illicit OAuth consent, have driven significant data breaches and business email compromise incidents in 2025. Notable cases include the exploitation of connected apps to exfiltrate data from Salesforce tenants and major financial impacts on organizations such as Marks & Spencer. Security experts recommend enforcing phishing-resistant MFA, governing OAuth consent, and deprecating device code flows where feasible to mitigate these risks. Regulatory changes are also pushing organizations to strengthen identity and SaaS governance in response to these evolving threats.

2 weeks ago
Microsoft Reports OAuth Redirect Abuse Used to Deliver Malware to Government Targets

Microsoft reported phishing campaigns targeting **government and public-sector organizations** that abuse legitimate **OAuth redirect** behavior in identity providers (including **Microsoft Entra ID** and **Google Workspace**) to send victims from seemingly benign authorization URLs to attacker-controlled infrastructure. The technique does not rely on exploiting a software vulnerability or stealing OAuth tokens; instead, attackers register a **malicious OAuth application** in a tenant they control, then send victims an OAuth link that triggers an error flow (e.g., via an intentionally invalid scope) to force a redirect to a rogue domain hosting malware. Microsoft said the delivered payloads have included **ZIP archives** that lead to execution chains involving **LNK-based execution**, **PowerShell**, and **DLL side-loading**, consistent with follow-on hands-on-keyboard or pre-ransomware activity. Microsoft stated it disabled the identified malicious OAuth applications in Entra ID, but warned that **related OAuth abuse activity persists** and requires continued monitoring. Reported lures used in the phishing emails included e-signature requests, access to *Teams* meeting recordings, Microsoft 365 password reset instructions, and political themes; Microsoft also observed indicators consistent with the use of free mass-mailing tools and custom tooling (including **Python** and **Node.js**) to distribute the campaigns and deliver malware capable of endpoint takeover.

1 month ago
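The redirect abuse summarized above needs no token theft: Entra answers a malformed authorization request by redirecting to the app's registered redirect_uri with an error, so a lure only has to carry a bad scope and an attacker-controlled redirect_uri. That makes the authorize link itself the thing to triage. The block below is an added example, not Microsoft's tooling: it parses a login.microsoftonline.com authorize URL and flags a tenant other than ours or the common endpoints, a redirect_uri host outside our own domains, and scope tokens that cannot be valid (which is what triggers the error redirect before any login). The home tenant id, HOME_DOMAINS, the scope-token grammar and both sample URLs are assumptions.

```python
"""Triage an OAuth authorize link from a suspected phishing mail for the redirect-abuse
pattern above (malformed request -> Entra error redirect to attacker-chosen redirect_uri).

Added example; tenant ids, domains and both URLs are CONSTRUCTED.
"""
import re
from urllib.parse import urlparse, parse_qs

HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # assumed: our tenant id
HOME_DOMAINS = {"contoso.example"}                       # assumed: where our apps live
COMMON_TENANTS = {"common", "organizations", "consumers"}
AUTHORIZE_PATH = re.compile(r"/oauth2/(v2\.0/)?authorize$")
# Scope tokens Entra accepts look like openid, User.Read, https://graph.microsoft.com/.default
# or api://<app>/<perm>; anything outside this character set is not a real scope.
SCOPE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:/-]*$")


def _trusted_redirect(host):
    return any(host == d or host.endswith("." + d) for d in HOME_DOMAINS)


def triage_authorize_url(url, home_tenant=HOME_TENANT):
    """Return a verdict dict; 'suspicious' is True when any check fires."""
    p = urlparse(url)
    if p.hostname != "login.microsoftonline.com" or not AUTHORIZE_PATH.search(p.path):
        return {"is_entra_authorize": False, "suspicious": False, "reasons": []}
    q = {k: v[0] for k, v in parse_qs(p.query, keep_blank_values=True).items()}
    reasons = []
    tenant = p.path.strip("/").split("/")[0]
    if tenant not in COMMON_TENANTS and tenant != home_tenant:
        reasons.append(f"bound to foreign tenant {tenant}")
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname or ""
    if redirect_host and not _trusted_redirect(redirect_host):
        reasons.append(f"redirect_uri host {redirect_host} is not one of ours")
    bad = [t for t in q.get("scope", "").split() if not SCOPE_TOKEN.match(t)]
    if bad:
        reasons.append(f"malformed scope token(s) {bad}: error redirect fires before any login")
    return {"is_entra_authorize": True, "suspicious": bool(reasons), "reasons": reasons,
            "client_id": q.get("client_id"), "redirect_host": redirect_host}


BENIGN_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=aaaaaaaa-0000-0000-0000-000000000001&response_type=code"
              "&redirect_uri=https%3A%2F%2Fexpenses.contoso.example%2Fcallback"
              "&scope=openid%20User.Read")  # constructed
LURE_URL = ("https://login.microsoftonline.com/33333333-3333-3333-3333-333333333333"
            "/oauth2/v2.0/authorize"
            "?client_id=44444444-4444-4444-4444-444444444444&response_type=code"
            "&redirect_uri=https%3A%2F%2Fteams-recordings.example.net%2Fdl"
            "&scope=openid%20offline_access%20not%5Ea%5Escope")  # constructed


if __name__ == "__main__":
    for u in (BENIGN_URL, LURE_URL):
        v = triage_authorize_url(u)
        print("SUSPICIOUS" if v["suspicious"] else "ok", v["redirect_host"], v["reasons"])
```

A clean verdict is not proof of safety: a multi-tenant app can use /common and a valid scope and still carry a hostile redirect_uri, which is why the redirect host check is the one that matters most. Feed the client_id from a suspicious link into the consent-grant audit to see whether anyone in the tenant has already authorized that app.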
EvilTokens Turns Microsoft Device Code Phishing Into a Scalable Account Takeover Service

Researchers identified **EvilTokens** as a new phishing-as-a-service platform built to hijack **Microsoft 365** accounts by abusing Microsoft’s legitimate OAuth 2.0 **device code** authentication flow. Sold and operated through Telegram bots, the service gives affiliates phishing templates, email harvesting and reconnaissance features, automated Microsoft API interactions, webmail access, and mailbox triage capabilities. Victims are lured into entering attacker-supplied device codes on Microsoft’s real login page, allowing attackers to capture access and refresh tokens—and in some cases a **Primary Refresh Token**—without stealing passwords or directly defeating MFA. Security teams linked a sharp rise in device code phishing to EvilTokens, describing it as the first known turnkey PhaaS offering dedicated Microsoft device code phishing pages and warning that it lowers the barrier for low-skill operators. More than **1,000 phishing domains** were observed by late March, with campaigns affecting organizations worldwide and notable activity in the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates; finance, HR, and transportation/logistics staff were highlighted as frequent targets. Researchers from Sekoia and Mnemonic urged defenders to disable or restrict unnecessary device code flows in **Microsoft Entra ID**, monitor device code grant sign-ins for anomalies, train users on device authentication abuse, and revoke refresh tokens when compromise is suspected.

4 weeks ago