A large-scale device code phishing campaign is actively targeting Microsoft 365 users across more than 340 organizations, signaling a sharp rise in identity-focused cyberattacks. The campaign spans multiple regions, including the United States, Canada, Australia, New Zealand, and Germany, and is affecting a wide range of industries such as construction, healthcare, financial services, government, and legal sectors.

The attack stands out for its sophisticated use of legitimate cloud infrastructure and identity workflows, allowing threat actors to bypass traditional security defenses while gaining persistent access to compromised accounts. By exploiting trusted services and authentication mechanisms, attackers are able to operate with a level of stealth that makes detection significantly more difficult.

At the core of the campaign is a technique known as device code phishing, which abuses the OAuth device authorization flow. Instead of stealing passwords directly, attackers trick users into entering a legitimate device code on an official Microsoft login page. Once the victim completes authentication – including multi-factor authentication – the attacker gains access tokens that allow continued access to the account.

What makes this method particularly dangerous is that these tokens remain valid even if the user resets their password, enabling attackers to maintain control over compromised accounts without triggering immediate suspicion.

The attack chain begins with highly convincing phishing emails that often impersonate business communications such as construction bids, document-sharing requests, voicemail alerts, or DocuSign notifications. These emails contain malicious links embedded within legitimate redirect services, allowing them to bypass spam filters and security gateways.

Victims who click the links are routed through a complex chain of redirects involving compromised websites and trusted cloud platforms before landing on a phishing page. These pages are designed to appear legitimate and dynamically generate device codes, instructing users to authenticate via the official Microsoft device login portal.

Once the user enters the code and completes authentication, the attacker retrieves the associated access and refresh tokens, effectively hijacking the session. Because the process uses genuine Microsoft infrastructure, there are minimal visual cues to alert users that anything is wrong.
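The sequence the preceding paragraphs describe is the OAuth 2.0 device authorization grant (RFC 8628). The following Python model is an added example, not code from the article or from any tool it mentions: it puts both parties of the grant (the requesting client and an authorization server) in one process so the property the campaign relies on can be observed directly, namely that tokens are minted for whoever holds the `device_code`, not for the party that typed the `user_code` into the browser. The client id, verification URI, code formats and lifetimes are constructed placeholders.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not code from the article. Client id, verification URI,
codes and lifetimes are constructed; the FakeClock makes runs deterministic.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Pending:
    client_id: str
    user_code: str
    issued_at: float
    expires_in: int
    interval: int
    approved_by: Optional[str] = None   # subject who approved at the verification URI
    last_poll: Optional[float] = None


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class AuthorizationServer:
    """Minimal server side: device authorization endpoint, approval page, token endpoint."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock = clock
        self.pending: dict = {}        # device_code -> Pending
        self.by_user_code: dict = {}   # user_code -> device_code
        self.issued: dict = {}         # refresh_token -> subject it was minted for

    def device_authorization(self, client_id: str, expires_in: int = 900, interval: int = 5) -> dict:
        device_code = secrets.token_urlsafe(32)   # only the requesting client ever sees this
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"  # what the user types
        self.pending[device_code] = Pending(client_id, user_code, self.clock(), expires_in, interval)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",  # constructed
                "expires_in": expires_in, "interval": interval}

    def approve(self, user_code: str, subject: str) -> bool:
        """Verification page: a signed-in user types a user_code and consents.
        Nothing here binds `subject` to the client that requested the code."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return False
        rec = self.pending[device_code]
        if self.clock() - rec.issued_at > rec.expires_in:
            return False
        rec.approved_by = subject
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Token endpoint polled by the client holding the device_code."""
        rec = self.pending.get(device_code)
        if rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - rec.issued_at > rec.expires_in:
            del self.pending[device_code]
            del self.by_user_code[rec.user_code]
            return {"error": "expired_token"}
        if rec.last_poll is not None and now - rec.last_poll < rec.interval:
            return {"error": "slow_down"}
        rec.last_poll = now
        if rec.approved_by is None:
            return {"error": "authorization_pending"}
        # Approved: retire both codes and mint tokens for the approving user.
        del self.pending[device_code]
        del self.by_user_code[rec.user_code]
        refresh_token = secrets.token_urlsafe(32)
        self.issued[refresh_token] = rec.approved_by
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": secrets.token_urlsafe(32), "refresh_token": refresh_token}


def run_flow(approving_user: str, approve_at_poll: int, expires_in: int = 900) -> dict:
    """Drive one grant: the client polls every `interval` seconds; at poll number
    `approve_at_poll` (0 = never) the user approves the user_code elsewhere."""
    clock = FakeClock()
    server = AuthorizationServer(clock)
    start = server.device_authorization("requesting-client", expires_in=expires_in)  # constructed id
    outcomes = []
    for poll in range(1, 1000):
        clock.advance(start["interval"])
        if poll == approve_at_poll:
            server.approve(start["user_code"], approving_user)
        resp = server.token("requesting-client", start["device_code"])
        outcomes.append(resp.get("error", "tokens_issued"))
        if "error" not in resp or resp["error"] == "expired_token":
            return {"outcomes": outcomes, "token_subject": server.issued.get(resp.get("refresh_token"))}
    return {"outcomes": outcomes, "token_subject": None}


if __name__ == "__main__":
    done = run_flow("alice@example.test", approve_at_poll=3)
    print(done["outcomes"], "->", done["token_subject"])
    print(run_flow("alice@example.test", approve_at_poll=0)["outcomes"][-1])
```

Running `run_flow` with `approve_at_poll=3` shows two `authorization_pending` responses followed by a token issued for the approving user; with `approve_at_poll=0` the client keeps polling until the server answers `expired_token`. The `approve` method is the point to study: the server only checks that the `user_code` exists and is unexpired, which is exactly why a defender cannot rely on the user having typed the code on the genuine login page as evidence that the requesting client was theirs.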

A notable aspect of the campaign is its heavy reliance on cloud-based infrastructure to scale operations. Redirects are frequently handled through Cloudflare Workers, while stolen session data is funneled into attacker-controlled environments hosted on Railway, a platform-as-a-service provider. This combination allows attackers to automate credential harvesting while blending malicious activity with legitimate cloud traffic.

The campaign also demonstrates a high level of operational maturity, incorporating phishing-as-a-service capabilities. Tools associated with the operation enable attackers to generate phishing links, manage campaigns, and evade detection using open redirects and trusted domains. Advanced anti-analysis techniques are also employed on phishing pages, including disabling right-click functionality, blocking developer tools, and detecting debugging environments to prevent investigation.

This evolving threat highlights a broader shift toward identity-based attacks that exploit trust in widely used cloud platforms. By leveraging legitimate authentication flows and enterprise services, attackers are reducing their reliance on traditional malware and increasing their success rates.

Organizations are advised to strengthen their identity security posture by closely monitoring sign-in activity, revoking suspicious access tokens, and restricting authentication attempts from untrusted infrastructure. Additionally, user awareness remains critical, particularly around unexpected requests to authenticate using device codes or unfamiliar login prompts.
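One concrete form of the sign-in monitoring recommended above is a triage pass over sign-in log records that singles out device code authentications. The Python below is an added example, not code from the article or from Microsoft: the records follow the shape of Microsoft Entra sign-in log entries (`userPrincipalName`, `ipAddress`, `authenticationProtocol`, `appDisplayName`, `createdDateTime`, `status.errorCode`), but every record, address and trusted network range is a constructed placeholder. It flags successful device code sign-ins that come from outside trusted networks or from an address the user has not used for any other successful sign-in, and lists the accounts whose sessions should be revoked rather than merely password-reset.

```python
"""Triage device code sign-ins from sign-in log records.

Added example, not from the article. Field names follow Microsoft Entra
sign-in log entries; all records and network ranges below are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Placeholder corporate egress ranges (RFC 5737 documentation space).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample records: errorCode 0 is a successful sign-in, non-zero a failure.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Mail client (constructed)",
     "createdDateTime": "2025-01-10T08:02:11Z", "status": {"errorCode": 0}},
    # Expected device code use: trusted network, same address as alice's interactive sign-in.
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "appDisplayName": "CLI tool (constructed)",
     "createdDateTime": "2025-01-10T08:15:40Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Chat client (constructed)",
     "createdDateTime": "2025-01-10T09:00:05Z", "status": {"errorCode": 0}},
    # Device code sign-in for bob from an address outside the trusted ranges.
    {"userPrincipalName": "bob@example.test", "ipAddress": "192.0.2.77",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Office suite (constructed)",
     "createdDateTime": "2025-01-10T09:41:27Z", "status": {"errorCode": 0}},
    # Failed device code attempt: no tokens were issued, so it is not an alert here.
    {"userPrincipalName": "carol@example.test", "ipAddress": "192.0.2.90",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Office suite (constructed)",
     "createdDateTime": "2025-01-10T10:12:00Z", "status": {"errorCode": 1}},
    # Trusted range, but an address dave has never used for any other sign-in.
    {"userPrincipalName": "dave@example.test", "ipAddress": "198.51.100.40",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Office suite (constructed)",
     "createdDateTime": "2025-01-10T11:30:15Z", "status": {"errorCode": 0}},
]


def is_trusted(ip: str, trusted=TRUSTED_NETWORKS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def find_device_code_alerts(records, trusted=TRUSTED_NETWORKS) -> list:
    """One alert per successful device code sign-in that is from an untrusted
    network or from an address the user has not used for any other successful
    sign-in in the same batch of records."""
    baseline = defaultdict(set)   # user -> addresses seen on non-device-code successes
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["ipAddress"])
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        reasons = []
        if not is_trusted(r["ipAddress"], trusted):
            reasons.append("source address outside trusted networks")
        if r["ipAddress"] not in baseline[r["userPrincipalName"]]:
            reasons.append("address not seen in the user's other successful sign-ins")
        if reasons:
            alerts.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                           "app": r["appDisplayName"], "time": r["createdDateTime"],
                           "reasons": reasons})
    return alerts


def accounts_to_revoke(alerts) -> list:
    """Accounts whose sessions should be revoked: per the article, a password
    reset alone does not invalidate tokens already obtained through the flow."""
    return sorted({a["user"] for a in alerts})


if __name__ == "__main__":
    found = find_device_code_alerts(SAMPLE_SIGNINS)
    for a in found:
        print(f"{a['time']} {a['user']} from {a['ip']} via {a['app']}: {'; '.join(a['reasons'])}")
    print("revoke sessions for:", accounts_to_revoke(found))
```

The baseline is deliberately built from the same batch of records so the example runs offline; in production it would come from a longer window of the user's interactive sign-ins. Alice's device code sign-in produces no alert because it matches both checks, which keeps the rule from paging on legitimate CLI or shared-device use, while bob (untrusted and unseen address) and dave (trusted range but unseen address) are surfaced for session revocation.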

As attackers continue to refine these techniques, device code phishing is emerging as a powerful and persistent threat vector – one that challenges conventional security controls and underscores the importance of proactive identity protection strategies.
