Medium Vulnerability

Device Code Phishing Hits 340+ Microsoft 365 Orgs

Threat actors are evading phishing detection in campaigns targeting Microsoft accounts by abusing the no-code app-building platform Bubble to generate and host malicious web apps. [...]

What Happened

A widespread and sophisticated device code phishing campaign has successfully targeted over 340 Microsoft 365 organizations across the United States, Canada, Australia, and other countries. Threat actors are exploiting the Microsoft OAuth device code flow to bypass multi-factor authentication (MFA) and steal credentials. This campaign correlates with a separate but methodologically similar threat: attackers are also abusing the no-code Bubble platform to create malicious web apps that host credential-stealing phishing pages, evading traditional detection mechanisms. These attacks occur against a backdrop of evolving cybercrime, highlighted by the recent arrest of a major credential marketplace administrator, which may temporarily disrupt the supply chain for stolen data.

Why It Matters

This campaign represents a significant escalation in identity-based attacks. By targeting the OAuth device code flow (a legitimate feature used for authenticating devices such as smart TVs or IoT hardware), attackers have found a way to circumvent one of the most critical security controls: MFA. The scale, affecting hundreds of diverse organizations, indicates a highly automated and effective operation. The parallel abuse of legitimate platforms like Bubble for hosting underscores a trend of attackers weaponizing trusted services to lend credibility to their attacks and bypass security filters, making traditional URL blocklisting less effective.

Technical Details

The attack leverages the Microsoft OAuth device code grant flow. Typically, a user is presented with a device code to enter at microsoft.com/link. In this campaign, attackers generate a device code and embed it in a phishing email. The victim is directed to a malicious page (often hosted on a service like Bubble) that displays the code and urges them to sign in at the legitimate Microsoft verification page. Once the user completes the authentication on the real Microsoft site, the threat actor’s malicious application, which initiated the code request, receives the OAuth tokens. This grants the attacker access to the victim’s Microsoft 365 account without ever handling the password directly and entirely bypassing MFA prompts.

Immediate Risk

The immediate risk is HIGH for organizations relying solely on MFA as a primary defense for Microsoft 365 identities. Compromised administrator accounts can lead to business email compromise (BEC), data exfiltration, and lateral movement within cloud environments. While no specific vulnerability or CVE is being exploited (the abuse lies in the manipulation of a legitimate feature), the operational impact is severe. All organizations using Microsoft Entra ID (Azure AD) are potentially susceptible to this social engineering technique.

Security Insight

Security teams must augment MFA with conditional access policies and user training focused on this specific lure. Key actions include: configuring conditional access to restrict device code flow usage, requiring compliant or hybrid-joined devices for authentication, and blocking legacy authentication protocols. Furthermore, monitoring for suspicious OAuth application consent grants and conducting regular audits of enterprise applications in Entra ID are critical. While patching known vulnerabilities like Microsoft Bing Images Command Injection (CVE-2026-32194) remains essential, this campaign highlights that the human element and identity system configuration are often the primary attack surface.
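The following is an added example, not code from the advisory or from Microsoft, covering both the flow described under Technical Details and the two controls recommended above: it triages Entra ID sign-in records for device code flow sign-ins (the token is redeemed by whichever client started the code request, so the sign-in is recorded with `authenticationProtocol` = `deviceCode`), and it builds a Microsoft Graph Conditional Access policy body that blocks that flow via the `authenticationFlows` condition. The record field names follow the Graph `signIn` resource; the sample records, the list of apps where device code sign-ins are expected, and the "unfamiliar IP" heuristic are constructed assumptions for this example, not rules from the page.

```python
"""Added example (not the advisory's own tooling): triage Entra ID sign-in
records for OAuth device code flow usage and build a Conditional Access
policy body that restricts the flow.

Assumptions: record fields follow the Microsoft Graph `signIn` resource
(authenticationProtocol, userPrincipalName, appDisplayName, ipAddress,
status.errorCode). All sample data below is constructed.
"""

# Constructed sample sign-in records shaped like GET /auditLogs/signIns items.
SAMPLE_SIGNINS = [
    {"id": "1", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "2", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"id": "3", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "4", "userPrincipalName": "carol@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "5", "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
]

# Hypothetical allow-list: apps for which device code sign-ins are expected in this tenant
# (headless CLIs, lab devices). Everything else using the flow is worth a look.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def find_device_code_signins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return successful device code flow sign-ins whose app is not on the expected list.

    Failed attempts (non-zero errorCode) are dropped here; a real rule would
    still count them at lower severity."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        if r.get("appDisplayName") in expected_apps:
            continue
        hits.append(r)
    return hits


def unfamiliar_ip(records, hit):
    """Heuristic (assumption, not a Microsoft rule): True when the device code sign-in
    comes from an address never seen in the same user's other successful, non-device-code
    sign-ins. With no baseline at all the function also returns True (unknown)."""
    user = hit.get("userPrincipalName")
    baseline = {
        r.get("ipAddress")
        for r in records
        if r.get("userPrincipalName") == user
        and r.get("authenticationProtocol") != "deviceCode"
        and r.get("status", {}).get("errorCode", 0) == 0
    }
    return hit.get("ipAddress") not in baseline


def build_block_device_code_policy(report_only=True, exclude_user_ids=()):
    """Build a Graph conditionalAccessPolicy body that targets the device code flow
    through the authenticationFlows condition and applies the built-in 'block' control.
    Start in report-only mode and exclude break-glass accounts before enforcing."""
    return {
        "displayName": "Block OAuth device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            # transferMethods is a comma-separated string in Graph.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_device_code(policy):
    """Lint check: does this policy body both target deviceCodeFlow and block it?"""
    methods = policy.get("conditions", {}).get("authenticationFlows", {}).get("transferMethods", "")
    targets_flow = "deviceCodeFlow" in {m.strip() for m in methods.split(",")}
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return targets_flow and blocks


if __name__ == "__main__":
    for h in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"device code sign-in: {h['userPrincipalName']} via {h['appDisplayName']} "
              f"from {h['ipAddress']} unfamiliar_ip={unfamiliar_ip(SAMPLE_SIGNINS, h)}")
    policy = build_block_device_code_policy(exclude_user_ids=["<break-glass-object-id>"])
    print("policy blocks device code flow:", policy_blocks_device_code(policy))
```

The policy dictionary is the JSON body you would POST to `/identity/conditionalAccess/policies`; the `<break-glass-object-id>` value is a placeholder for the tenant's emergency-access account. Running the triage over live data means feeding it the sign-in records exported from Entra rather than the constructed list.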
