Hackers exploit Microsoft OAuth device codes to hijack enterprise accounts

Tools of the trade: What’s driving the surge is the availability of tools that make these attacks easy to execute. Proofpoint identified two primary kits: SquarePhish2 and Graphish. SquarePhish2 is an updated version of a tool originally published by Dell Secureworks in 2022. It automates the OAuth Device Grant Authorization flow and integrates QR code functionality. The Graphish phishing kit, shared on vetted criminal hacking forums, enables the creation of convincing phishing pages leveraging Azure App Registrations and adversary-in-the-middle attack capabilities. “The tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns,” the Proofpoint researchers wrote in the blog. These tools help attackers overcome a key limitation: device codes are typically short-lived. The automation enables larger-scale campaigns than were previously possible.

State actors join cybercriminals: Since January 2025, Proofpoint has tracked multiple state-aligned threat actors abusing OAuth device code authorization for account takeover, representing a concerning evolution in espionage tradecraft. “This technique has been most widely used by Russia-aligned threat actors,” the researchers noted, citing prior reporting by security firm Volexity. Proofpoint also observed suspected China-aligned activity and other unattributed espionage campaigns. One group, which Proofpoint tracks as UNK_AcademicFlare, has been conducting device code phishing since at least September 2025. The suspected Russia-aligned actor uses compromised email addresses from government and military organizations to target entities in government, think tanks, higher education, and transportation sectors across the US and Europe. UNK_AcademicFlare typically conducts patient rapport building via benign outreach before launching device code phishing attempts. The group uses compromised accounts to arrange fictitious meetings or interviews, then shares malicious links to Cloudflare Worker URLs spoofing OneDrive accounts. Volexity researchers documented similar tactics in recent campaigns where Russian actors created fake websites masquerading as legitimate European security conferences to trick attendees into granting OAuth access.

Widespread campaigns target financial lures: Financially motivated threat actors have also embraced device code phishing. Proofpoint highlighted activity from TA2723, a high-volume credential phishing actor known for campaigns spoofing Microsoft OneDrive, LinkedIn, and DocuSign. Beginning in October 2025, TA2723 launched campaigns using salary and benefits-themed lures. One campaign used email messages purporting to contain documents titled “OCTOBER_SALARY_AMENDED” and “Salary Bonus + Employer Benefits Reports 25.” The messages directed recipients to URLs that ultimately led to device code authorization pages where victims were tricked into generating and entering one-time passcodes. Proofpoint researchers suspect TA2723 used both SquarePhish2 and Graphish tools across different campaign waves. The 2025 ShinyHunters campaign demonstrated the potential damage. In a separate but related OAuth abuse incident, threat actors exploited OAuth tokens stolen from the Salesloft/Drift integration to access Salesforce instances at hundreds of organizations. Companies, including Cloudflare, Zscaler, and Tenable, publicly disclosed unauthorized access to data, triggering breach notification requirements. Proofpoint recommended organizations create Conditional Access policies to block device code flow entirely or implement allow-lists for approved users and IP ranges. “Traditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal,” the researchers wrote. Microsoft did not respond to a request for comment on the findings.
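As an added illustration of the Conditional Access mitigation the article mentions (this is not code from the article or from Proofpoint), the following Microsoft Graph PowerShell snippet creates a report-only Entra ID policy that targets sign-ins using the device code authentication flow and exempts an approved-users group; the group and break-glass account IDs are placeholders.

```powershell
# Added example: block the OAuth device code flow with a Conditional Access policy.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and the caller
# holds the Policy.ReadWrite.ConditionalAccess permission. IDs below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$breakGlassAccountId  = "00000000-0000-0000-0000-000000000000"  # placeholder: emergency access account
$approvedUsersGroupId = "11111111-1111-1111-1111-111111111111"  # placeholder: users who legitimately need device code sign-in

$policy = @{
    displayName = "Block device code flow (report-only)"
    # Report-only first: sign-in logs show who would have been blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeUsers  = @($breakGlassAccountId)
            excludeGroups = @($approvedUsersGroupId)   # the allow-list of approved users
        }
        applications = @{ includeApplications = @("All") }
        # The authenticationFlows condition matches sign-ins that used the device code grant.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
        # To allow-list IP ranges as well, create a named location and add
        # locations = @{ includeLocations = @("All"); excludeLocations = @("<namedLocationId>") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```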

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4110419/hackers-exploit-microsoft-oauth-device-codes-to-hijack-enterprise-accounts.html
