Device Code Phishing Bypasses MFA to Hijack Microsoft 365 Accounts
A phishing campaign exploiting OAuth device code authentication has compromised more than 340 Microsoft 365 organisations across five countries, including Australia. Microsoft’s security team detailed the campaign on 6 April, warning that attackers are using AI to scale the operation.
The attack works by tricking users into entering a legitimate device code on Microsoft’s real sign-in page. Because the authentication happens on genuine Microsoft infrastructure — including multi-factor authentication — victims have no visual cue that anything is wrong. Once the code is entered, the attacker receives valid access and refresh tokens, giving them persistent access to the victim’s mailbox, OneDrive, and Teams. Even a password reset won’t revoke the tokens.
Targeted sectors include financial services, non-profits, healthcare, legal, and government. The technique has been commoditised through a phishing-as-a-service platform, lowering the barrier for less skilled attackers. Australia and New Zealand are among the five countries explicitly targeted.
What to do right now
Check whether your organisation uses device code flow for any legitimate purpose. If not, block it entirely via Microsoft Entra ID Conditional Access policies. If you do use it, restrict it to known devices and monitor Entra sign-in logs for anomalous device code authentications. Revoke any suspicious sessions immediately.
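The two checks above (is the flow blocked by policy, and did anyone actually complete a device code sign-in) can both be scripted against exported data. The following is an added example, not code from the original post or from Microsoft: it parses a constructed JSON-lines sample of Entra sign-in events, flags every successful `deviceCode` authentication (raising severity when the sign-in comes from a country the user has never used interactively, or from an app the organisation has not explicitly approved for the flow), and checks whether a Conditional Access policy is actually enforcing a block rather than sitting in report-only mode. Field names are assumed to follow the Microsoft Graph `signIn` and `conditionalAccessPolicy` shapes; the users, IPs, times and policy names are invented.

```python
import json
from collections import defaultdict

# Constructed sample of Entra sign-in events as JSON lines (as exported from the portal or
# the Graph auditLogs/signIns endpoint). Field names follow the Graph signIn resource:
# authenticationProtocol, userPrincipalName, appDisplayName, ipAddress,
# location.countryOrRegion, status.errorCode. Users, IPs and times are invented.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-04-01T08:02:11Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-02T09:15:40Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-03T10:00:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-03T10:06:00Z", "userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.78", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}}
{"createdDateTime": "2025-04-03T14:27:05Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
"""

# Two constructed Conditional Access policies in the Graph conditionalAccessPolicy shape.
# The first is the common weak state (report-only); the second actually enforces the block.
REPORT_ONLY_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
BLOCKING_POLICY = {**REPORT_ONLY_POLICY, "state": "enabled"}


def parse_signins(text):
    """Parse JSON-lines sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _succeeded(event):
    # errorCode 0 means a token was issued; anything else is a failed attempt.
    return (event.get("status") or {}).get("errorCode", 0) == 0


def _country(event):
    return (event.get("location") or {}).get("countryOrRegion", "unknown")


def baseline_countries(events):
    """Countries each user has successfully signed in from WITHOUT device code flow."""
    seen = defaultdict(set)
    for e in events:
        if _succeeded(e) and e.get("authenticationProtocol") != "deviceCode":
            seen[e["userPrincipalName"]].add(_country(e))
    return seen


def flag_device_code_signins(events, approved_apps=frozenset()):
    """One finding per successful device-code sign-in, oldest first.

    approved_apps: display names of apps the organisation knowingly allows to use the
    flow (e.g. a CLI on admin workstations). Approval lowers severity; it never hides
    the event, because the whole point is that every use of the flow gets reviewed."""
    baseline = baseline_countries(events)
    findings = []
    for e in sorted(events, key=lambda x: x["createdDateTime"]):
        if e.get("authenticationProtocol") != "deviceCode" or not _succeeded(e):
            continue
        upn, country, app = e["userPrincipalName"], _country(e), e.get("appDisplayName")
        reasons = ["device code flow completed successfully"]
        new_country = country not in baseline.get(upn, set())
        if new_country:
            reasons.append(f"country {country} never seen in this user's interactive sign-ins")
        if app not in approved_apps:
            reasons.append(f"app '{app}' is not on the approved device-code app list")
        severity = "high" if new_country else "medium" if app not in approved_apps else "low"
        findings.append({"time": e["createdDateTime"], "user": upn, "app": app,
                         "ip": e.get("ipAddress"), "country": country,
                         "severity": severity, "reasons": reasons})
    return findings


def policy_blocks_device_code(policy):
    """True only if the policy is enforced (not report-only), scoped to all users, targets
    the deviceCodeFlow transfer method and grants 'block'. Graph may return
    transferMethods as a comma-separated string or a list; both are accepted."""
    cond = policy.get("conditions") or {}
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods", [])
    if isinstance(flows, str):
        flows = [m.strip() for m in flows.split(",") if m.strip()]
    users = (cond.get("users") or {}).get("includeUsers", [])
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return (policy.get("state") == "enabled" and "deviceCodeFlow" in flows
            and "All" in users and "block" in controls)


if __name__ == "__main__":
    events = parse_signins(SAMPLE_SIGNINS)
    for f in flag_device_code_signins(events, approved_apps={"Microsoft Azure CLI"}):
        print(f"[{f['severity']}] {f['time']} {f['user']} via {f['app']} from "
              f"{f['ip']} ({f['country']}): " + "; ".join(f["reasons"]))
    for name, pol in (("report-only", REPORT_ONLY_POLICY), ("enforced", BLOCKING_POLICY)):
        print(f"policy '{pol['displayName']}' ({name}) blocks device code flow: "
              f"{policy_blocks_device_code(pol)}")
```

On the sample data, alice's device code sign-in from a country she has never used interactively is the high-severity finding that matches the pattern in this campaign, bob's Azure CLI sign-in from his usual country is low once that app is approved, and dave's failed attempt is excluded because no token was issued. Anything flagged high is a candidate for immediate session revocation as the section above recommends.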
If your business runs Microsoft 365 and you’re unsure whether device code flow is enabled, get in touch with our team — we can audit your Entra ID configuration and lock this down.