A device code phishing campaign is actively targeting Microsoft 365 accounts across more than 340 organisations in five countries, including Australia. The campaign, first spotted on 19 February 2026 and accelerating since, abuses OAuth device code authentication flows to hijack enterprise accounts, as reported by The Hacker News. The attackers use Cloudflare Workers redirects and sophisticated anti-analysis techniques to avoid detection.

For hospitality businesses, this one deserves your attention. Device code phishing is particularly nasty because it doesn’t need to steal your password directly — it tricks users into authorising a device that the attacker controls, granting persistent access to the account. If your venue uses shared terminals, reservation kiosks, or has staff logging into M365 on multiple devices, the attack surface is wider than you’d think. The targeted sectors explicitly include real estate, financial services, non-profits, and healthcare — but any M365 tenant with users who click links in emails is a potential target.

The practical step here is straightforward: talk to your IT provider about restricting device code authentication flows in your M365 tenant. Microsoft lets admins disable device code flow entirely via Conditional Access policies. If your staff don’t need to sign in on devices without browsers (like smart TVs or IoT gear), there’s no reason to leave this door open. Also worth checking: are your Conditional Access policies blocking sign-ins from unmanaged devices and unusual locations?

All IT Services works with hospitality groups across Australia to harden M365 environments against exactly these kinds of evolving phishing tactics.