
Device Code Phishing Campaign Compromises Microsoft 365 Accounts in 340+ Organizations Across Five Countries

A phishing campaign abusing Microsoft 365’s device‑code OAuth flow has harvested valid access tokens from over 340 organizations in the US, Canada, Australia, New Zealand and Germany. The attack gives attackers full delegated access to email, files and collaboration tools, posing a serious third‑party risk for any enterprise relying on Microsoft 365.

🛡️ LiveThreat™ Intelligence · 📅 March 26, 2026 · 📰 thehackernews.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 5 sector(s) · Actions: 5 recommended · Source: thehackernews.com


What Happened — Researchers at Huntress identified an active phishing campaign that abuses Microsoft 365’s device‑code OAuth flow. By sending crafted emails, the attackers convince users to authorize a malicious application, which then receives a valid access token and full delegated rights to the victim’s tenant. The campaign has been observed in more than 340 organizations in the United States, Canada, Australia, New Zealand and Germany since 19 Feb 2026.

Why It Matters for TPRM

  • Credential theft via OAuth grants attackers persistent, low‑friction access to corporate data stored in Exchange, SharePoint, Teams, and OneDrive.
  • Many third‑party risk assessments rely on the security posture of SaaS providers; compromised tenant tokens bypass traditional perimeter controls.
  • The abuse highlights the need to monitor and restrict consent for third‑party applications across all cloud services.

Who Is Affected — Enterprises of any size that use Microsoft 365, spanning finance, healthcare, education, manufacturing, and professional services.

Recommended Actions

  • Enforce Multi‑Factor Authentication (MFA) for all privileged and regular accounts.
  • Disable the device‑code flow where it is not required, or restrict it to approved client IDs.
  • Regularly audit Azure AD consent logs for unknown applications and revoke suspicious permissions.
  • Conduct user‑awareness training focused on OAuth‑based phishing techniques.
  • Update incident‑response playbooks to include token‑theft detection and rapid revocation.
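The audit and token-theft detection actions above can be turned into a simple triage pass over exported Entra ID sign-in logs. The following is an added example written for this brief, not code from Huntress or The Hacker News; it assumes a JSON-lines export whose records use the Graph sign-in field names (authenticationProtocol, appId, userPrincipalName, status.errorCode), and the client IDs, users and addresses are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records (JSON lines). The GUIDs, users
# and IP addresses are placeholders, not observations from the campaign.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-02-19T08:01:12Z","userPrincipalName":"a.lee@example.com","appId":"0a1b2c3d-0000-4000-8000-000000000001","appDisplayName":"Approved CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T08:03:40Z","userPrincipalName":"b.chen@example.com","appId":"0a1b2c3d-0000-4000-8000-00000000dead","appDisplayName":"Unknown App","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T08:09:05Z","userPrincipalName":"c.diaz@example.com","appId":"0a1b2c3d-0000-4000-8000-00000000dead","appDisplayName":"Unknown App","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T08:11:30Z","userPrincipalName":"d.ito@example.com","appId":"0a1b2c3d-0000-4000-8000-00000000dead","appDisplayName":"Unknown App","authenticationProtocol":"oAuth2","ipAddress":"192.0.2.44","status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T08:15:02Z","userPrincipalName":"e.kim@example.com","appId":"0a1b2c3d-0000-4000-8000-00000000dead","appDisplayName":"Unknown App","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
"""

# Client IDs the organisation permits to use the device-code flow (placeholder values).
APPROVED_DEVICE_CODE_APPS = {"0a1b2c3d-0000-4000-8000-000000000001"}


def find_device_code_signins(jsonl: str, approved_app_ids: set) -> dict:
    """Flag successful device-code sign-ins from non-approved client apps and
    count distinct users per app, so a single app suddenly used by many users
    stands out as a possible campaign rather than a one-off developer login."""
    flagged = []
    users_per_app = defaultdict(set)
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("authenticationProtocol") != "deviceCode":
            continue  # browser/interactive sign-ins are out of scope for this check
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts did not yield a token; handle them separately
        app = ev["appId"]
        users_per_app[app].add(ev["userPrincipalName"])
        if app not in approved_app_ids:
            flagged.append({
                "time": ev["createdDateTime"],
                "user": ev["userPrincipalName"],
                "appId": app,
                "appDisplayName": ev.get("appDisplayName", ""),
                "ip": ev.get("ipAddress", ""),
            })
    return {
        "flagged": flagged,
        "distinct_users_per_app": {a: len(u) for a, u in users_per_app.items()},
    }


if __name__ == "__main__":
    print(json.dumps(find_device_code_signins(SAMPLE_SIGNINS, APPROVED_DEVICE_CODE_APPS), indent=2))
```

Each flagged record identifies a user whose token should be revoked and whose consent should be reviewed; a non-approved app with several distinct users in a short window is the shape this campaign takes in the logs.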

Technical Notes — Attack vector: phishing email that initiates the OAuth device‑code flow (attack_vector_code = PHISHING). No known CVE; the abuse leverages legitimate Microsoft authentication endpoints. Compromised data includes email, files, Teams chats, and any other resources accessible via the granted token. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
