Published on May 16, 2026
Hackers Exploit OAuth Device Flow to Steal Microsoft 365 Tokens
Severity
Medium
Threat actors are increasingly abusing the OAuth device authorization flow to compromise Microsoft 365 accounts through device code phishing attacks.
Rather than stealing credentials directly, the technique abuses a legitimate Microsoft authentication workflow to trick users into authorizing an attacker-controlled client. Because the victim signs in, and completes MFA, on the genuine Microsoft page, the attacker's client receives tokens for the victim's account without ever handling a password and without needing a conventional MFA bypass. Those tokens can then be used to access email, cloud data, and connected services.
The rise in activity has been linked to the growing availability of phishing-as-a-service (PhaaS) platforms and publicly accessible criminal toolkits. Many newer phishing kits appear to be generated or modified using AI-assisted development techniques, enabling threat actors to rapidly replicate and scale similar attack campaigns.
According to researchers at Proofpoint, attackers commonly distribute phishing emails containing malicious links, attachments, or QR codes impersonating trusted services such as Microsoft, DocuSign, or Adobe. Victims are redirected to legitimate Microsoft device login pages and instructed to enter a provided device code.
By entering the code, the victim completes the device flow on behalf of the attacker's client. Microsoft then issues tokens for the victim's account to that client, giving the attacker unauthorized access to enterprise resources.
Recent phishing kits have improved operational efficiency by requesting the device code only when the victim actually opens the phishing link. Device codes expire within minutes of being issued, so a code generated when the email was built was often already dead by the time the victim acted, which forced earlier operators to time their sends or re-issue codes by hand. Generating the code at click time removes that limitation and allows campaigns to operate continuously at scale.
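The following is an added illustration of the exchange described above, not code from Proofpoint or from any phishing kit: an offline model of the OAuth 2.0 device authorization grant (RFC 8628) with a mock standing in for Microsoft's /devicecode and /token endpoints. The client ID, scope, victim address and the 900-second code lifetime are assumptions for the example (Microsoft documents a 15-minute expiry for device codes). It shows why a code baked into the email at send time fails once the victim is slow to click, while a code requested at click time succeeds.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628) as it is
abused in device code phishing.  Added illustration, not code from Proofpoint,
Microsoft or any phishing kit.  The authorization server is a mock for the
/devicecode and /token endpoints; DEVICE_CODE_LIFETIME is an assumption that
mirrors Microsoft's documented 15-minute expiry."""
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEVICE_CODE_LIFETIME = 900  # seconds; assumed, mirrors Microsoft's documented 15 minutes
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class DeviceAuthorization:
    device_code: str            # secret handle held by the client (here: the attacker's kit)
    user_code: str              # short code the victim is tricked into typing
    issued_at: float
    approved_by: Optional[str] = None


class MockAuthorizationServer:
    """Stands in for login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode and /token."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.by_device_code: Dict[str, DeviceAuthorization] = {}
        self.by_user_code: Dict[str, DeviceAuthorization] = {}

    def devicecode(self, client_id: str, scope: str) -> dict:
        # Step 1: the client (the phishing kit) asks for a code.  No user is involved yet,
        # which is why the kit can do this whenever it likes, including at click time.
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        auth = DeviceAuthorization(secrets.token_hex(32), user_code, self.clock())
        self.by_device_code[auth.device_code] = auth
        self.by_user_code[auth.user_code] = auth
        return {
            "device_code": auth.device_code,
            "user_code": user_code,
            "verification_uri": "https://microsoft.com/devicelogin",
            "expires_in": DEVICE_CODE_LIFETIME,
            "interval": 5,
        }

    def _expired(self, auth: DeviceAuthorization) -> bool:
        return self.clock() - auth.issued_at > DEVICE_CODE_LIFETIME

    def user_enters_code(self, user_code: str, upn: str) -> str:
        # Step 2: the victim types the code on the genuine Microsoft page and completes
        # password and MFA there.  The phishing site is not involved in this step at all.
        auth = self.by_user_code.get(user_code)
        if auth is None or self._expired(auth):
            return "code_expired_or_unknown"
        auth.approved_by = upn
        return "approved"

    def token(self, device_code: str) -> dict:
        # Step 3: the client polls /token with its device_code until the user has approved.
        auth = self.by_device_code.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if self._expired(auth):
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": f"<access token minted for {auth.approved_by}>"}


def run_campaign(generate_at_click: bool, victim_delay_s: int) -> Tuple[str, str]:
    """Simulate one lure.  Returns (what the victim saw, what the attacker got)."""
    now = [0.0]
    server = MockAuthorizationServer(lambda: now[0])
    if not generate_at_click:
        # Older kit: code requested when the email is built and baked into the lure.
        issued = server.devicecode("attacker-client-id", "openid profile offline_access")
    now[0] += victim_delay_s          # time until the victim opens the email and clicks
    if generate_at_click:
        # Newer kit: the landing page requests a fresh code the moment the victim arrives.
        issued = server.devicecode("attacker-client-id", "openid profile offline_access")
    victim_result = server.user_enters_code(issued["user_code"], "victim@example.com")
    attacker_result = server.token(issued["device_code"])
    return victim_result, attacker_result.get("error", "token_issued")


if __name__ == "__main__":
    print("pre-generated, victim clicks after 20 min:", run_campaign(False, 20 * 60))
    print("pre-generated, victim clicks after 5 min: ", run_campaign(False, 5 * 60))
    print("generated at click, victim 20 min later:  ", run_campaign(True, 20 * 60))
```

Note what the model makes visible: the victim's interaction is entirely with the real Microsoft page, the only thing the attacker ever supplies is the nine-character user code, and the token is minted to whichever client requested that code, not to the device the victim is sitting at.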
Platforms such as EvilTokens have further industrialized these attacks by offering phishing templates, automated infrastructure, and dashboards for managing compromised Microsoft 365 accounts. Threat actors are also combining device code phishing with account takeover techniques, using compromised accounts to distribute additional phishing emails internally or to trusted contacts.
One threat actor tracked as TA4903 has reportedly adopted device code phishing extensively throughout 2026. Observed campaigns impersonated HR departments and government agencies while distributing PDF attachments containing QR codes that redirected victims to phishing infrastructure designed to mimic legitimate authentication workflows.
Researchers also noted signs of weak operational security in some campaigns, including exposed infrastructure details and incomplete phishing emails, suggesting widespread use of automated or AI-generated tooling by less experienced operators.
The technique has gained traction following disruptions to traditional adversary-in-the-middle (AiTM) phishing services, prompting several phishing platforms to integrate device code authentication abuse into their offerings.
Successful exploitation may result in account compromise, data theft, business email compromise (BEC), financial fraud, lateral movement, ransomware deployment, or long-term espionage activity within enterprise environments.
Recommendation
Users are advised to take the following precautions to reduce the risk of device code phishing attacks and unauthorized account access:
- Do not enter device codes or scan QR codes received through unsolicited emails or messages.
- Verify login requests carefully, even when the page you land on is the genuine Microsoft device login page: that page names the application the code belongs to and asks you to confirm, and if you did not start that sign-in yourself, cancel rather than continue.
- Exercise caution when receiving emails impersonating trusted services such as Microsoft, DocuSign, or Adobe.
- Report suspicious authentication requests or phishing emails to the IT or security team immediately.
- Avoid approving authentication or access requests that were not personally initiated.
IT and security teams are advised to block the device code flow outright where possible. Microsoft Entra Conditional Access includes an "Authentication flows" condition that targets the device code flow specifically, so it can be blocked for the general user population and allowed only for the administrator groups and locations that drive CLI or SDK tooling through it. Entra sign-in logs record the protocol used (authenticationProtocol, shown as "deviceCode"; the AuthenticationProtocol column in the SigninLogs table in Log Analytics), which separates device code sign-ins from ordinary interactive logins; review them for unfamiliar client applications, source addresses outside corporate ranges, and one source address completing device code sign-ins for several users. Conditional access policies that limit sign-ins to trusted users, compliant devices, and known network locations reduce the remaining exposure. On confirmed compromise, a password reset alone is not enough, because the tokens the attacker already holds stay valid until sessions are revoked: revoke the user's sign-in sessions and refresh tokens, and check the mailbox for forwarding or inbox rules and for phishing sent onward from the account.
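As an added example of the log review recommended above (not code from Proofpoint or Microsoft), the script below triages exported Entra ID sign-in events for device code abuse. Field names follow the Microsoft Graph signIn resource (authenticationProtocol, appId, ipAddress, location, status); the log lines, the approved client ID, the corporate network range and the home country are constructed for the example and would be replaced with a tenant's own values.

```python
"""Triage exported Microsoft Entra ID sign-in events for device code flow abuse.
Added example, not Proofpoint's or Microsoft's code.  Field names follow the Graph
API signIn resource; the log lines, client IDs, network range and home country are
constructed for this illustration."""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed allowlist: client IDs your own admins legitimately drive through the device
# code flow (CLI/SDK tooling).  Any other client using the flow is treated as suspect.
APPROVED_DEVICE_CODE_CLIENTS = {
    "11111111-1111-1111-1111-111111111111": "Corp CLI (constructed)",
}
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # RFC 5737 documentation range
HOME_COUNTRY = "DE"                                          # assumed for the example

# Constructed events, one JSON object per line, in the shape of the Graph signIn resource.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2026-05-05T08:02:11Z","userPrincipalName":"a.meyer@example.com","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Corp CLI","ipAddress":"203.0.113.40","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-05T08:05:30Z","userPrincipalName":"a.meyer@example.com","appId":"22222222-2222-2222-2222-222222222222","appDisplayName":"Outlook","ipAddress":"203.0.113.40","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-05T09:14:02Z","userPrincipalName":"b.schulz@example.com","appId":"33333333-3333-3333-3333-333333333333","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.23","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-05T09:20:45Z","userPrincipalName":"c.weber@example.com","appId":"33333333-3333-3333-3333-333333333333","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.23","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."}}
{"createdDateTime":"2026-05-05T09:31:10Z","userPrincipalName":"d.koch@example.com","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Corp CLI","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
"""


def parse_signins(log_text: str) -> List[dict]:
    """One JSON object per non-empty line (the shape of a Graph export)."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def triage(log_text: str) -> List[dict]:
    """Return one finding per device code sign-in that trips at least one rule."""
    events = [e for e in parse_signins(log_text)
              if e.get("authenticationProtocol") == "deviceCode"]

    # Campaign indicator: one source address completing device code sign-ins for several
    # distinct users.  Failed attempts count too, since they show the same source probing.
    users_per_ip: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        users_per_ip[e["ipAddress"]].add(e["userPrincipalName"])

    findings = []
    for e in events:
        reasons = []
        if e["appId"] not in APPROVED_DEVICE_CODE_CLIENTS:
            reasons.append(f"unapproved client '{e['appDisplayName']}' ({e['appId']})")
        if not is_corporate(e["ipAddress"]):
            reasons.append(f"source {e['ipAddress']} outside corporate ranges")
        country = e.get("location", {}).get("countryOrRegion")
        if country != HOME_COUNTRY:
            reasons.append(f"geo {country} != {HOME_COUNTRY}")
        shared = users_per_ip[e["ipAddress"]]
        if len(shared) > 1:
            reasons.append(f"{len(shared)} users via device code from {e['ipAddress']}")
        if reasons:
            findings.append({
                "time": e["createdDateTime"],
                "user": e["userPrincipalName"],
                "succeeded": e["status"]["errorCode"] == 0,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNIN_LOG):
        state = "SUCCESS" if f["succeeded"] else "failed "
        print(f"{f['time']} {state} {f['user']}: " + "; ".join(f["reasons"]))
```

The successful finding for d.koch is the one to look at first: the client is on the allowlist, so an allowlist alone would have passed it, and only the location rules catch it. The two events from 198.51.100.23 show why the shared-source rule is worth keeping even when one of the attempts failed.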
IOCs
| Indicator | Description | First Seen |
|---|---|---|
| onedrive-7tu[.]techroboticslabmade-techie-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 26 March 2026 |
| voicemail-59f[.]admin-treyripple-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 24 March 2026 |
| voicemail-wx7[.]mark-squires-expressrancnes-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 24 March 2026 |
| voicemail-lyr[.]nbuckley-cambek-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Domain | 24 March 2026 |
| f8uh-dwam-j4l5[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 1 May 2026 |
| ytgw-9n30-xlwd[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 1 May 2026 |
| z6e43e5886fe-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 019d442e-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| jo2c9ada427c6-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 7806d4cf9366-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| ee10bbf6c689-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| yaga9b286ae2c101-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| f36c2774f013-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 2dc62559e005-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 4daa2aea93db-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| ed5ce47d835f-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 6dd5fd945b34-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 0fdba029e6a5-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 019d442a-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 019d6860-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| stablewebsystems[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| marktkarree-langenfeld[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| crediblebizextension[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| servicewithoutinterruption[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| marketcredibilitysignals[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| kohlhoff-edelstahlverarbeitung[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| reliablesupport[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| europetrustwave[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| trustedengagement[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| methodicalness[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| extendyourcredibility[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| europesignaltrust[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| consistentdigital[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| uninterruptedperformance[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| digitalcontinuity[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| digitalreliability[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| heilbronner-fruehlingssymposium[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| reliableinteractions[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| euromarketsignal[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| audit-report-9767d3[.]fullerjp09[.]workers[.]dev | TA4903 Device Code Phishing Landing | 15 April 2026 |
| hti-245401512[.]hs-sites-na2[.]com | TA4903 Device Code Phishing Landing | 5 April 2026 |
| 7740f766-8d1d-46ad-a6bc-onedrive[.]p-9jluifuu[.]workers[.]dev | ARToken Device Code Landing | 2 May 2026 |
| panel[.]hewktree[.]net | ARToken Device Code Panel | 2 May 2026 |