State-linked and criminal hackers use device code phishing against M365 users
ID: 41a16aee-0af1-563f-8974-c67e9a2682b2
STIX ID: report--41a16aee-0af1-563f-8974-c67e9a2682b2
Feed Name: Proofpoint Blog
Multiple China- and Russia-linked APTs and criminal groups have conducted active device code phishing campaigns that trick users into authorizing Microsoft 365 access via legitimate device authorization flows. Attackers use tools such as SquarePhish2 and the Graphish phishing kit, as well as tools offered for sale by an actor tracked as TA2723, to harvest tokens and take over M365 accounts. Targets include governments, think tanks, higher education, transportation and other organizations in the U.S. and Europe.
