Executive Summary
In late 2025, Microsoft 365 accounts across multiple sectors were targeted in a phishing campaign that abused the OAuth 2.0 device authorization grant (the "device code flow"). Threat actors, including the financially motivated group TA2723 and a Russia-aligned group tracked as UNK_AcademicFlare, lured victims into entering an attacker-generated device code on the legitimate Microsoft login page. The victim authenticates there, including any MFA prompt, so the attacker's pending device code request (made on behalf of an application the attacker chose) is issued access and refresh tokens for the victim's account without the attacker ever handling a password or an MFA code. Attackers used phishing kits such as SquarePhish and Graphish, with lures mimicking document-sharing or salary-bonus notifications to maximize engagement and scale. Notably, the state-aligned campaign sent lures from compromised government accounts to build rapport, targeting U.S. and European government, academic, and transportation sectors.
These OAuth-based phishing attacks mark a significant escalation in adversary techniques focusing on authorization abuse rather than credential theft. The surge in such activity since September 2025 demonstrates the growing adaptation of sophisticated phishing kits and highlights a strategic shift toward targeting identity and cloud permissions, reflecting evolving attack surfaces and regulatory scrutiny in cloud security.
Why This Matters Now
OAuth-based phishing attacks allow adversaries to circumvent multi-factor authentication and directly exploit legitimate trust mechanisms in cloud access. Their increasing volume and sophistication underscore urgent risks to organizations relying on Microsoft 365 and similar cloud platforms, emphasizing the need for proactive security controls and vigilance over conditional access policies.
Attack Path Analysis
Attackers sent targeted phishing emails luring users into entering an attacker-generated device code on the legitimate Microsoft login page. Because the user completes authentication there, including any MFA prompt, the attacker's pending device code request is issued access and refresh tokens for the account without any credential being stolen. The tokens carried whatever scopes the attacker requested, in practice enough to read mailbox, file and contact data, and from there attackers could pivot within the victim's cloud environment or to additional user accounts and services. The refresh token served as the persistence mechanism: it can be redeemed for fresh access tokens until it expires or is revoked, so ongoing access and command and control look like routine API traffic. Attackers then exfiltrated data via cloud APIs or exports, such as downloading mail, files, or contacts. Finally, impact could include business email compromise, internal data exposure, or preparations for future disruptive actions.
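To make the mechanics of the attack path and the initial compromise concrete, the following is an added example (not code from this page or from any of the reporting it cites): an in-memory model of the device authorization grant (RFC 8628) in which the attacker is the party that requests the code and polls for tokens, and the victim is the party that types the code and passes MFA. The server class, the client_id, the user identities, and the code lifetime and poll interval are constructed for illustration; no Microsoft endpoint is contacted.

```python
"""In-memory model of the OAuth 2.0 device authorization grant (RFC 8628)
as abused in device code phishing. Field names mirror the real responses
(user_code, device_code, verification_uri, expires_in, interval), but all
values are constructed and nothing talks to the network."""
import secrets
import time

# Constructed values chosen to match the commonly published defaults of a
# 15-minute code lifetime and a 5-second poll interval.
CODE_LIFETIME_S = 900
POLL_INTERVAL_S = 5


class DeviceFlowServer:
    """Minimal authorization server holding pending device codes."""

    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}  # device_code -> record

    def request_device_code(self, client_id, scope):
        """Step 1: the requesting party (the attacker) starts the flow."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "issued": self.now(), "authorized_as": None, "declined": False,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_LIFETIME_S, "interval": POLL_INTERVAL_S}

    def enter_user_code(self, user_code, upn, mfa_passed):
        """Step 2: the authenticating party (the victim) types the code on the
        genuine login page and completes password and MFA there."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code:
                if self.now() - rec["issued"] > CODE_LIFETIME_S:
                    return "expired_token"
                if not mfa_passed:
                    rec["declined"] = True
                    return "authorization_declined"
                rec["authorized_as"] = upn
                return "ok"
        return "invalid_user_code"

    def poll_token(self, client_id, device_code):
        """Step 3: the requesting party polls the token endpoint."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now() - rec["issued"] > CODE_LIFETIME_S:
            return {"error": "expired_token"}
        if rec["declined"]:
            return {"error": "authorization_declined"}
        if rec["authorized_as"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        # Tokens go to whoever holds device_code, bound to the identity that
        # typed user_code. MFA happened on the victim's side, not here.
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": f"at.{rec['authorized_as']}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{rec['authorized_as']}.{secrets.token_hex(8)}",
                "expires_in": 3600}


def run_phish(victim_enters_code=True, mfa_passed=True, delay_s=0):
    """Play the exchange end to end with a fake clock; returns the attacker's
    final poll result so the outcome of each variant can be inspected."""
    clock = [1_700_000_000.0]
    server = DeviceFlowServer(now=lambda: clock[0])
    attacker_client = "constructed-public-client-id"
    # Attacker starts the flow and mails the user_code inside the lure.
    dc = server.request_device_code(
        attacker_client, "https://graph.microsoft.com/.default offline_access")
    assert server.poll_token(attacker_client, dc["device_code"])["error"] == "authorization_pending"
    clock[0] += delay_s  # time until the victim acts on the lure
    if victim_enters_code:
        server.enter_user_code(dc["user_code"], "victim@example.org", mfa_passed)
    return server.poll_token(attacker_client, dc["device_code"])


if __name__ == "__main__":
    print(run_phish())                              # tokens for victim@example.org
    print(run_phish(mfa_passed=False))              # authorization_declined
    print(run_phish(delay_s=CODE_LIFETIME_S + 1))   # expired_token
```

The point to take away is in `poll_token`: tokens are issued to whoever presents the device_code, and the identity they carry is whoever typed the user_code. MFA is enforced on the victim's side of the exchange and so does nothing to the attacker's side; the defender's levers are whether the tenant allows the flow at all and how long an issued refresh token stays valid. The short code lifetime is also why the lures push urgency: the victim has to act before the code expires.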
Kill Chain Progression
Initial Compromise
Description
Phishing emails tricked users into entering attacker-generated device codes on the legitimate Microsoft login page, which issued the attacker's pending request access and refresh tokens for the victim's Microsoft 365 account.
MITRE ATT&CK® Techniques
Techniques listed reflect initial access via phishing, abuse of the OAuth device code flow (the attacker obtains tokens rather than credentials), use of the resulting cloud account, and token-based persistence.
Phishing: Spearphishing Attachment (T1566.001)
Phishing: Spearphishing Link (T1566.002)
Steal Application Access Token (T1528)
Valid Accounts: Cloud Accounts (T1078.004)
Use Alternate Authentication Material: Web Session Cookie (T1550.004)
Brute Force: Password Spraying (T1110.003)
Office Application Startup (T1137)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Strong Authentication for User Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA (Digital Operational Resilience Act) – ICT Risk Management Controls
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Continuous Authentication and Authorization
Control ID: Identity Pillar - Authentication
NIS2 Directive – Access Control Policies
Control ID: Article 21(2)(i); see also Article 21(2)(j) on multi-factor authentication
Sector Implications
Industry-specific impact of this technique, including operational, regulatory, and cloud security risks.
Government Administration
OAuth device code phishing specifically targets government accounts, using lures sent from compromised government and military email accounts, enabling state-aligned actors to bypass MFA and access sensitive systems.
Higher Education/Academia
Academic institutions face targeted OAuth attacks from the Russia-aligned UNK_AcademicFlare actor, which takes over Microsoft 365 accounts to reach research and educational data.
Financial Services
TA2723's financially motivated campaigns use OAuth device code phishing to bypass traditional MFA protections, taking over Microsoft 365 accounts for business email compromise and fraud.
Think Tanks
Think tanks are primary targets for state-aligned OAuth phishing attacks seeking intellectual property and policy research through compromised Microsoft 365 account takeovers.
Sources
- Microsoft 365 accounts targeted in wave of OAuth phishing attacks (BleepingComputer): https://www.bleepingcomputer.com/news/security/microsoft-365-accounts-targeted-in-wave-of-oauth-phishing-attacks/
- Storm-2372 conducts device code phishing campaign (Microsoft Security Blog, 13 Feb 2025): https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
- Phishing Attacks Exploit OAuth Device Codes to Breach Microsoft 365 Accounts (Cyberpress): https://cyberpress.org/oauth-device-code-phishing-attacks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust Segmentation, strong egress policy enforcement, and multi-cloud visibility as provided by CNSF controls can restrict attacker movement, detect anomalous OAuth workflows, and prevent data egress even if initial user authentication boundaries are bypassed. Real-time threat detection and distributed enforcement limit the window and impact of such OAuth-based account takeovers.
Control: Threat Detection & Anomaly Response
Mitigation: Detection of anomalous OAuth device code sign-ins and consent events, and of high-risk user authentication behaviors.
Control: Zero Trust Segmentation
Mitigation: Limits application access based on granular identity-based policy and least privilege segmentation.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized lateral movement between sensitive workloads and user segments.
Control: Multicloud Visibility & Control
Mitigation: Detects and alerts on persistent anomalous access and unauthorized command channels.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound transfers and flags suspicious data egress attempts.
Together these controls reduce the blast radius and support rapid containment of affected user sessions and compromised applications.
Impact at a Glance
Affected Business Functions
- Email Communications
- Document Management
- Collaboration Tools
Estimated downtime: 3 days
Estimated loss: $500,000
Unauthorized access to sensitive emails, documents, and internal communications, potentially leading to data exfiltration and compliance violations.
Recommended Actions
Key Takeaways & Next Steps
- Block the device code flow for users who do not need it with a Conditional Access policy (authentication flows condition), starting in report-only mode to identify legitimate users of the flow before enforcing.
- Implement Zero Trust Segmentation and restrict OAuth application consent to only approved, necessary apps.
- Enforce egress filtering and policy enforcement to block suspicious data exfiltration from cloud services.
- Deploy continuous anomaly detection to identify device code and other high-risk sign-ins, malicious application authorizations, and unusual user behaviors.
- Leverage multi-cloud visibility for centralized monitoring of OAuth, API, and internal traffic activities.
- Automate threat response and session isolation with cloud-native fabric controls to contain account takeovers rapidly; on confirmed compromise, revoke the user's refresh tokens, since a token issued before containment keeps working until it expires or is revoked.
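As a worked example of the detection and policy controls recommended above (added here; it is not the page's code nor any vendor's), the following Python hunts for device code sign-ins in Entra ID sign-in records and builds the Conditional Access policy object that blocks the flow for everyone except an exempt group. The sign-in records are constructed; the field names follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, ipAddress, location.countryOrRegion); the list of applications expected to use the flow is an assumption for the sample tenant; and the policy object follows the Graph conditionalAccessPolicy schema as I understand it (authenticationFlows.transferMethods set to deviceCodeFlow with a block grant control). Check both the field names and the policy schema against current Microsoft documentation before use.

```python
"""Hunt for device code sign-ins in Entra ID sign-in records and build a
Conditional Access policy that blocks the flow except for an exempt group.
Records are constructed sample data; field names follow the Microsoft Graph
signIn resource. The policy schema is as understood from Graph docs and
should be verified before deployment."""
import json
from collections import defaultdict

# Constructed sample sign-in records (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.org", "appDisplayName": "Azure CLI",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "createdDateTime": "2025-10-02T09:14:00Z"},
    {"userPrincipalName": "alice@example.org", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0},
     "createdDateTime": "2025-10-02T09:20:00Z"},
    {"userPrincipalName": "bob@example.org", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "createdDateTime": "2025-10-03T14:02:00Z"},
    {"userPrincipalName": "bob@example.org", "appDisplayName": "Outlook",
     "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0},
     "createdDateTime": "2025-10-03T08:00:00Z"},
    {"userPrincipalName": "svc-build@example.org", "appDisplayName": "Azure CLI",
     "ipAddress": "203.0.113.200", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "createdDateTime": "2025-10-01T01:00:00Z"},
]


def baseline_countries(signins):
    """Countries each user has successfully signed in from via non-device-code flows."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen


def hunt_device_code(signins, known_device_code_apps=("Azure CLI",)):
    """Return successful device code sign-ins, highest severity first.
    known_device_code_apps is an assumed allow-list for the sample tenant."""
    baseline = baseline_countries(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        reasons = []
        if s["appDisplayName"] not in known_device_code_apps:
            reasons.append("app not expected to use device code flow")
        if s["location"]["countryOrRegion"] not in baseline.get(s["userPrincipalName"], set()):
            reasons.append("country not in user's interactive sign-in baseline")
        severity = "high" if len(reasons) == 2 else "medium" if reasons else "info"
        findings.append({"user": s["userPrincipalName"], "app": s["appDisplayName"],
                         "ip": s["ipAddress"], "when": s["createdDateTime"],
                         "severity": severity, "reasons": reasons})
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


def block_device_code_policy(exempt_group_id, report_only=True):
    """Conditional Access policy object (Graph conditionalAccessPolicy schema as
    understood from the docs) blocking the device code flow tenant-wide except
    for one exempt group. Defaults to report-only so the hunt output can be
    reviewed before enforcement."""
    return {
        "displayName": "Block device code flow (exempt approved service accounts)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exempt_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in hunt_device_code(SAMPLE_SIGNINS):
        print(f["severity"], f["user"], f["app"], f["ip"], f["reasons"])
    # Group id below is a placeholder, not a real object id.
    print(json.dumps(block_device_code_policy("00000000-0000-0000-0000-000000000000"), indent=2))
```

Run the hunt first and keep the policy in report-only mode: the findings tell you which users and applications legitimately rely on the flow (a build agent signing in through Azure CLI, for example) so they can be placed in the exempt group before the policy is switched to enabled. Blocking the flow does not touch tokens that were already issued; for a user already phished, revoke the refresh tokens as well, otherwise the attacker's existing token keeps working until it expires.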