Microsoft 365 accounts targeted in wave of OAuth phishing attacks
ID: f141b3b8-86ae-5e02-bc63-971dbf3d5c5c
STIX ID: report--f141b3b8-86ae-5e02-bc63-971dbf3d5c5c
Feed Name: Proofpoint Blog
Proofpoint reports a surge in OAuth device-code phishing attacks targeting Microsoft 365 accounts. Users are lured into entering device codes on Microsoft's legitimate device login page, unknowingly granting attacker-controlled applications access and enabling account takeover without credential theft or MFA bypass. The campaigns use phishing kits such as SquarePhish and Graphish and involve financially motivated and state-aligned actors (e.g., TA2723 and UNK_AcademicFlare), primarily targeting the government, academic, think-tank, and transportation sectors. Recommendations are to apply Microsoft Entra Conditional Access and sign-in origin policies.
