What Device Code Phishing Reveals About Security Configuration Gaps

January 8, 2026


Proofpoint Finds Legitimate Login Flows Powering Account Takeovers

Recent research from Proofpoint highlights a growing trend in identity-based attacks. Rather than stealing passwords or exploiting software flaws, multiple threat actors are now abusing legitimate Microsoft authentication workflows to gain access to Microsoft 365 accounts at scale.

This technique, known as device code phishing, is not new. What is new is how widespread it has become, among both state-aligned and financially motivated adversaries. More importantly, it underscores a recurring theme in modern security incidents: the attack succeeds not because a control failed, but because the control was never configured to stop this behavior in the first place.

What Proofpoint Discovered

Proofpoint’s Threat Research team is tracking multiple threat clusters using OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts. Successful attacks result in account takeover, data exfiltration, lateral movement, and persistent access.

The attack pattern relies heavily on social engineering. Victims are lured into clicking links or scanning QR codes that initiate a legitimate Microsoft device authorization process. The user is presented with a device code and instructed to enter it at Microsoft’s official device login page. Because the authentication occurs on a trusted Microsoft domain, many users do not perceive this as suspicious.

Once the user enters the code and authenticates, Microsoft issues an access token tied to an attacker-controlled application. That token is then retrieved by the threat actor, granting them access to the victim’s Microsoft 365 account without ever capturing a password.
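The token issued at the end of that flow still leaves a trace: the sign-in is logged with the protocol that produced it. As an added example (not Proofpoint's or Reach's code), this script reviews sign-in records shaped like the Microsoft Graph signIn resource and surfaces successful device-code sign-ins that fall outside an allow-list of users and expected countries; the field names are an assumption to confirm against your tenant's export, and the records are constructed.

```python
"""Surface successful device-code sign-ins in Entra ID sign-in log records.
Added example, not Proofpoint's or Reach's code. Field names follow the Graph
signIn resource (authenticationProtocol, status.errorCode, location); treat that
mapping as an assumption to confirm against your tenant's export. Records are
constructed samples.
"""

# Constructed sample: an ordinary sign-in, a successful device-code sign-in by a
# user not expected to use the flow, one by a permitted kiosk account, and one
# device-code attempt that failed (so no token was ever issued for it).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"}, "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "kiosk01@example.com", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}, "ipAddress": "203.0.113.44"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "US"}, "ipAddress": "203.0.113.12"},
]


def device_code_findings(records, permitted_users=frozenset(), expected_countries=frozenset({"US"})):
    """Return one finding per successful device-code sign-in, marked 'review' when
    the user is not on the allow-list of accounts that legitimately use the flow or
    the sign-in came from outside the expected countries, else 'expected'."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        # Failed attempts never produced a token; keep the list to redeemed codes.
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = r.get("userPrincipalName", "")
        country = r.get("location", {}).get("countryOrRegion")
        reasons = []
        if user not in permitted_users:
            reasons.append("user not on device-code allow-list")
        if country not in expected_countries:
            reasons.append(f"sign-in from {country}")
        findings.append({"user": user, "ip": r.get("ipAddress"), "country": country,
                         "verdict": "review" if reasons else "expected", "reasons": reasons})
    return findings
```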

Proofpoint observed a significant increase in these campaigns beginning in September 2025. The activity spans both state-aligned groups, including a Russia-linked cluster tracked as UNK_AcademicFlare, and cybercriminal actors such as TA2723. The campaigns target government, think tanks, higher education, transportation, and energy sectors across the U.S. and Europe.

What makes this especially concerning is the maturity of the tooling. Red team frameworks like SquarePhish2 and crimeware kits like Graphish have lowered the barrier to entry, allowing even low-skilled actors to run highly convincing OAuth-based phishing campaigns at scale.

Why This Attack Works So Well

From a defender’s perspective, device code phishing is uncomfortable because nothing is technically broken.

The authentication flow is legitimate. The login page is real. The user authenticates successfully. Multifactor authentication does not stop the attack because the user willingly completes it. From the identity platform’s point of view, everything looks normal.

This is precisely why attackers favor this technique. It bypasses traditional phishing defenses, avoids credential theft entirely, and exploits gaps in configuration rather than flaws in code.

It also aligns with a broader trend. As organizations strengthen MFA and reduce reliance on passwords, attackers are shifting toward abusing trust relationships, authentication flows, and identity features that were enabled for convenience but never fully constrained.

The Configuration Gap Behind the Breach

At its core, device code phishing is a configuration hygiene problem.

OAuth device authorization was designed for specific scenarios, such as authenticating devices with limited input capabilities. In some environments, however, this flow is enabled broadly by default and left unrestricted, even when there is no legitimate business need for most users to ever use it.

Over time, identity environments accumulate risk in subtle ways. Authentication methods are enabled “just in case.” Conditional Access policies focus on MFA enforcement but not on which authentication flows are allowed. Exceptions pile up. Visibility into how tokens are issued and used remains limited.

This creates an ideal environment for abuse. Attackers do not need to defeat controls if those controls never governed the behavior being exploited.

Configuration Hygiene To Harden Defenses

The Proofpoint research outlines several mitigations, but one stands out as a particularly important example of proactive configuration hygiene in Microsoft Entra ID.

Blocking device code authentication flows where they are not required

Using Conditional Access Authentication Flows to block the OAuth device authorization grant is the strongest mitigation. If the flow is blocked, no device code can be redeemed and no access token can be issued, regardless of how convincing the phishing lure is.

For organizations that still require device code authentication for limited use cases, an allow-list approach is far safer. Restricting the flow to specific users, locations, operating systems, or trusted IP ranges significantly reduces the attack surface.
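What such a policy looks like, and how to check that an enabled one actually exists, as an added example (not Proofpoint's or Reach's code): the policy body follows the Microsoft Graph conditionalAccessPolicy resource, where `conditions.authenticationFlows.transferMethods` set to `deviceCodeFlow` targets the device authorization grant; treat those property names as an assumption to verify against your Graph version. The audit deliberately treats a report-only copy of the right policy as a gap rather than a control.

```python
"""Build and audit an Entra ID Conditional Access policy blocking the device code flow.
Added example, not Proofpoint's or Reach's code. Policy shape follows the Graph
conditionalAccessPolicy resource (conditions.authenticationFlows.transferMethods =
"deviceCodeFlow"); property names are an assumption to verify. Samples are constructed.
"""

def block_device_code_policy(name="CA - Block device code flow", excluded_groups=()):
    """Policy body that blocks the device code flow for all users and all apps,
    exempting only excluded_groups (the narrow allow-list the text recommends)."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_groups)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def device_code_blocked(policies):
    """True only if some ENABLED policy blocks deviceCodeFlow tenant-wide.
    Report-only or disabled copies of the right policy are drift, not protection."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        c = p.get("conditions", {})
        # transferMethods is a flags value serialised as a comma-separated string.
        methods = {m.strip() for m in c.get("authenticationFlows", {}).get("transferMethods", "").split(",")}
        if "deviceCodeFlow" not in methods:
            continue
        if "All" not in c.get("users", {}).get("includeUsers", []):
            continue
        if "All" not in c.get("applications", {}).get("includeApplications", []):
            continue
        if "block" in p.get("grantControls", {}).get("builtInControls", []):
            return True
    return False

# Constructed sample: a report-only copy of the blocking policy (never enforced)
# and an MFA-only policy; neither stops a phished device code from being redeemed.
SAMPLE_POLICIES = [
    {**block_device_code_policy("CA - Block device code flow"), "state": "enabledForReportingButNotEnforced"},
    {"displayName": "CA - Require MFA", "state": "enabled", "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}},
]
```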

The Bigger Lesson for Defenders

What this research reinforces is a familiar but often overlooked truth. Many of today’s most effective attacks succeed not because defenses fail, but because security teams lack continuous assurance that their controls are configured as intended.

Identity platforms are powerful, flexible, and complex. That flexibility is a strength, but only when it is paired with disciplined configuration management and ongoing validation. Point-in-time reviews and “set it and forget it” policies are no longer enough.

Attackers are increasingly fluent in how identity systems actually work. They study default behaviors, optional features, and rarely used authentication flows, and then design campaigns around whatever is least constrained.

Preemptively closing gaps means understanding not just what controls exist, but how they interact, how they drift over time, and whether they still align with current security policy and real-world usage.

Device code phishing is just one example. It certainly won’t be the last.

The organizations that fare best will be those that actively address misconfigurations, achieve visibility that is “control-aware”, and validate continuously.
