Access granted: phishing with device code authorization for account takeover

· Published 18/12/2025 13:28 · Modified 21/12/2025 19:39

Essential information

Published
18/12/2025 13:28
Modified
21/12/2025 19:39
Tags
2025-12-18 account takeover phishing squarephish2
Related entities
8 observables, 1 intrusion sets (apt), 11 techniques (mitre), 29 others

Description

Multiple threat clusters, including state-aligned and financially motivated actors, are using tooling to trick users into granting access to Microsoft 365 accounts via OAuth device code authorization. The technique leads to account takeovers, data exfiltration, and further compromise. The threat actors abuse the OAuth 2.0 device authorization grant flow to gain unauthorized access by tricking users into approving access for various applications. Campaigns often begin with an initial message containing a URL, which starts an attack sequence that relies on Microsoft's legitimate device authorization process. Tools like and Graphish are being used to facilitate these attacks. Both cybercriminal groups and state-aligned actors have adopted this technique, with Russia-aligned threat actors being particularly active.

External references