The Token Is the Key: How OAuth Device Code Phishing Renders MFA Irrelevant
ID: bb9dabd5-77c3-5ad8-b819-80b3b24adc60
STIX ID: report--bb9dabd5-77c3-5ad8-b819-80b3b24adc60
Feed Name: NoHackie
This report describes an active, large-scale phishing campaign (running since Dec 2025) that abuses the OAuth Device Authorization Grant (RFC 8628). Victims in Microsoft 365 tenants are tricked into entering an attacker-supplied device code at microsoft.com/devicelogin; because the user completes a genuine, MFA-protected sign-in, the identity provider issues legitimate access and refresh tokens to the attacker-controlled application. The stolen tokens give persistent read/write access across Outlook, Teams, OneDrive, and SharePoint, and they survive password resets unless the refresh tokens are explicitly revoked. The technique has been commoditized by tooling (SquarePhish2, Graphish) used by both financially motivated groups and state-aligned actors, which makes detection difficult. The report recommends tenant-level mitigations: block the device code flow via Conditional Access, tighten user consent settings, monitor OAuth consent grants and Entra ID device-code sign-ins, and revoke tokens whenever compromise is suspected.
