State-linked and criminal hackers use device code phishing against M365 users

Multiple nation-state and criminal groups are running device code phishing campaigns that trick users into entering Microsoft device authorization codes to grant attackers access to Microsoft 365 accounts; campaigns leverage kits such as SquarePhish2 and Graphish and have targeted governments, think tanks, higher education and transportation organizations in the US and Europe.