Device Code Phishing Surge Bypasses MFA, Threatening Microsoft 365 and Google Workspace Accounts
What Happened – Proofpoint observed a rapid rise in “device code phishing” toolkits and phishing‑as‑a‑service offerings that abuse the OAuth 2.0 device‑authorization grant flow (RFC 8628). The attacker starts the flow against the identity provider, receives a short user code, and sends the victim a lure pointing at the provider’s genuine device‑login page together with that code. The victim signs in on the real page, completes MFA, and enters the code; the identity provider then issues access and refresh tokens for Microsoft 365 or Google accounts to the attacker’s polling client. No password is captured and no fake login page is needed, which is why the technique neutralizes MFA in practice: the victim performs the MFA step, and the resulting tokens are delivered to the attacker.
Why It Matters for TPRM –
- Enables large‑scale credential compromise of SaaS platforms that many third‑party vendors rely on.
- Bypasses traditional MFA controls: the victim completes MFA legitimately and the resulting tokens go to the attacker, so a core security control is sidestepped rather than broken.
- Increases supply‑chain risk: compromised accounts can be used to launch further phishing or exfiltrate data from partner ecosystems.
Who Is Affected – Cloud SaaS providers (Microsoft 365, Google Workspace), enterprises that consume these services, IAM and identity‑management vendors, and any third‑party that integrates via OAuth.
Recommended Actions – Block the device‑code flow wherever it is not needed (in Microsoft Entra ID, Conditional Access has an authentication‑flows condition that can block it for all or selected users and apps); review MFA and conditional‑access policies; monitor sign‑in logs for device‑code authentications (Entra sign‑in logs record the authentication protocol used), especially from unfamiliar addresses or for users who never use the flow; monitor OAuth consent and app‑registration logs for anomalous approvals; revoke refresh tokens and sessions for affected accounts; educate users that being asked to enter a code on a legitimate login page is a phishing vector; and assess third‑party app vetting processes.
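The log‑monitoring step above, as an added example that is not part of the Proofpoint report: detection logic run over constructed sign‑in records. Field names follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, appDisplayName, authenticationProtocol, status.errorCode) as they would appear in a JSON‑lines export to a SIEM; the records, addresses and timestamps are made up. Rule 1 assumes the logged address is that of the client that received the token; check which address your identity provider records for device‑code sign‑ins before relying on it.

```python
# Added example, not from the Proofpoint report: two detection rules for device
# code abuse run over constructed sign-in records. Field names follow the
# Microsoft Graph signIn resource; the data itself is made up.
import json
from collections import defaultdict

# Constructed JSON-lines export of one morning of sign-ins (not real data).
# Any non-zero status.errorCode is treated as a failed sign-in.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-05-01T08:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","appDisplayName":"Outlook","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2025-05-01T08:05:40Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","appDisplayName":"Teams","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2025-05-01T09:14:02Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","appDisplayName":"SharePoint","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2025-05-01T09:31:55Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-05-01T10:02:13Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-05-01T10:40:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""


def detect_device_code_abuse(jsonl):
    """Rule 1 (new_source): a successful deviceCode sign-in from an address the
    user never used for ordinary (non-device-code) sign-ins in the window.
    Rule 2 (shared_source): one address performing deviceCode sign-ins, successful
    or not, for two or more distinct users, i.e. shared attacker infrastructure
    polling on behalf of several victims."""
    records = [json.loads(line) for line in jsonl.splitlines() if line.strip()]

    def succeeded(r):
        return r.get("status", {}).get("errorCode", 0) == 0

    # Baseline: addresses each user has used for successful non-device-code sign-ins.
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and succeeded(r):
            baseline[r["userPrincipalName"]].add(r["ipAddress"])

    alerts = []
    device_code_users_by_ip = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        device_code_users_by_ip[ip].add(user)
        if succeeded(r) and ip not in baseline[user]:
            alerts.append({"rule": "new_source", "user": user, "ip": ip,
                           "app": r["appDisplayName"], "time": r["createdDateTime"]})

    for ip, users in device_code_users_by_ip.items():
        if len(users) >= 2:
            alerts.append({"rule": "shared_source", "ip": ip, "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_SIGNINS):
        print(alert)
```

On the sample, bob’s device‑code sign‑in from his usual address (a plausible Azure CLI use) raises nothing, alice’s from a new address raises new_source, and the address shared by alice and carol raises shared_source even though carol’s attempt failed. In production the baseline should be built from a longer history than the detection window, and the device‑code events correlated with any subsequent mailbox‑rule or consent changes for the same user.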
Technical Notes – Attack vector: abuse of the OAuth 2.0 device‑authorization grant flow, with lures delivered via phishing emails, QR codes, or malicious documents; “vibe‑coded” LLM‑generated tools automate starting the flow, polling for tokens, and using them. No CVE applies: the protocol works as designed, and the weakness is that the user who enters the code cannot see which client will receive the resulting tokens. Source: Proofpoint Threat Insight – Device Code Phishing is an Evolution in Identity Takeover
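The flow described in What Happened and in the Technical Notes, as an added example that is not code from the Proofpoint report or from any vendor SDK: an in‑memory simulation of the OAuth 2.0 device authorization grant (RFC 8628) with both sides’ messages, showing why the attacker ends up holding a token although the victim genuinely completed MFA. The class and function names, the verification URI, the client identifier “attacker-tool” and the tenant policy flag are hypothetical; the message shapes and error codes follow RFC 8628.

```python
# Added example, not from the Proofpoint report or any vendor SDK: an in-memory
# simulation of the OAuth 2.0 device authorization grant (RFC 8628) showing why
# a device code phish hands the attacker a token although the victim genuinely
# completed MFA. Names, the verification URI and the tenant policy flag are
# hypothetical; message shapes and error codes follow RFC 8628.
import secrets

VERIFICATION_URI = "https://idp.example/devicelogin"  # stand-in for the IdP's real page


class AuthorizationServer:
    """Stand-in identity provider with a simulated clock and a tenant policy flag."""

    def __init__(self, code_lifetime=900, interval=5, allow_device_code=True):
        self.pending = {}        # device_code -> grant record
        self.by_user_code = {}   # user_code -> device_code
        self.code_lifetime = code_lifetime
        self.interval = interval
        self.allow_device_code = allow_device_code
        self.now = 0             # seconds; the scenario advances it

    def device_authorization(self, client_id, scope):
        """Step 1: the client (here the attacker) requests a device/user code pair."""
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}  # tenant policy blocks the flow
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "expires": self.now + self.code_lifetime,
                                     "status": "authorization_pending",
                                     "user": None, "last_poll": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.code_lifetime, "interval": self.interval}

    def user_login(self, user_code, username, password_ok, mfa_ok):
        """Step 2: the *user* opens the genuine verification URI, types the code and
        authenticates normally. Password and MFA are real and really succeed."""
        rec = self.pending.get(self.by_user_code.get(user_code))
        if rec is None or self.now > rec["expires"]:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        rec["status"], rec["user"] = "approved", username
        return "approved"

    def token(self, device_code, client_id):
        """Step 3: the client polls the token endpoint until the user has approved."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["last_poll"] is not None and self.now - rec["last_poll"] < self.interval:
            rec["last_poll"] = self.now
            return {"error": "slow_down"}
        rec["last_poll"] = self.now
        if rec["status"] != "approved":
            if self.now > rec["expires"]:
                del self.pending[device_code]
                return {"error": "expired_token"}
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        # Tokens go to the polling client, not to the browser that performed MFA.
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "scope": rec["scope"], "subject": rec["user"]}


def run_phish(idp, victim_delay=60):
    """Attacker starts the flow, lures the victim with the user code, then polls."""
    start = idp.device_authorization(client_id="attacker-tool",
                                     scope="Mail.Read offline_access")
    if "error" in start:
        return {"outcome": "blocked_by_policy", "token": None}
    # The lure carries the real login URL plus the code: no fake page, no password theft.
    lure = f"Sign in at {start['verification_uri']} and enter code {start['user_code']}"
    idp.now += victim_delay  # time until the victim acts on the lure
    victim_result = idp.user_login(start["user_code"], "victim@example.com",
                                   password_ok=True, mfa_ok=True)
    while True:  # attacker's poll loop, honouring the advertised interval
        idp.now += start["interval"]
        resp = idp.token(start["device_code"], "attacker-tool")
        if "error" not in resp or resp["error"] in ("expired_token", "invalid_grant"):
            break
    outcome = "token_stolen" if "access_token" in resp else "failed"
    return {"outcome": outcome, "lure": lure, "victim_result": victim_result, "token": resp}


if __name__ == "__main__":
    print(run_phish(AuthorizationServer()))
```

Three things the simulation makes visible: the victim never sees the attacker’s client, only the genuine login page and a code; the only protocol‑level limits on the attacker are the code lifetime and the polling interval, so a slow victim makes the phish fail; and a tenant policy that refuses to start the flow at all (the allow_device_code flag here, a Conditional Access block in Entra ID) stops it before any user interaction.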