
The tactic represents an evolution of techniques that financially motivated groups used earlier this year to breach Salesforce environments at Google, Qantas, and luxury brands through similar OAuth abuse, affecting hundreds of organizations. Those Salesforce attacks, which began in June 2025, used voice phishing. The current wave drops the phone calls for email-based social engineering, making attacks easier to scale.
A legitimate process turned malicious
The attacks abuse OAuth’s device authorization flow, which was designed for authenticating on input-constrained devices like smart TVs and IoT devices. Threat actors, according to the blog post, initiate the legitimate Microsoft device authorization process, then trick victims into entering the generated device code — disguised as a one-time password — at Microsoft’s own verification URL.
“The lures typically claim that the device code is an OTP and direct the user to input the code at Microsoft’s verification URL,” the researchers wrote. “Once the user inputs the code, the original token is validated, giving the threat actor access to the targeted M365 account.”
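From a defender's side, the useful property of this flow is that the token is redeemed by whoever polls Microsoft's token endpoint with the device code, so the sign-in record carries the attacker's network location and client, not the victim's. The triage script below is an added example, not code from the article or from the researchers it cites; it runs over a constructed sample of Entra ID sign-in records (field names follow the Graph `signIn` resource, where `authenticationProtocol` is `deviceCode` for this flow) and ranks device-code sign-ins by how many of the page's risk signals they match. The corporate egress range and the allowlist of users who legitimately use device code flow are assumptions to replace with your own values.

```python
import json
import ipaddress

# Constructed sample of Entra ID sign-in records (not real data). Field names
# follow the Microsoft Graph signIn resource; authenticationProtocol is the
# field that separates a device-code sign-in from an ordinary browser sign-in.
SAMPLE_SIGNINS_JSONL = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft 365", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 50126}}
"""

# Assumed corporate egress ranges; tune these to your environment.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed allowlist: accounts (e.g. admins using the Azure CLI on headless
# hosts) that are expected to use the device code flow at all.
DEVICE_CODE_ALLOWED_USERS = {"bob@example.com"}


def load_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate_ip(ip):
    """True when the redeeming client sits inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def score_signin(rec):
    """Return (severity, reasons) for one record; severity 0 means not flagged.

    Only device-code sign-ins are scored. Each signal from the attack
    description adds one point: the user has no business using the flow, the
    token was redeemed from outside corporate egress (the attacker's machine
    polls the token endpoint, so that is the IP Entra records), and the
    sign-in actually succeeded, meaning a token was issued.
    """
    if rec.get("authenticationProtocol") != "deviceCode":
        return 0, []
    reasons = ["device code flow used"]
    severity = 1
    if rec.get("userPrincipalName") not in DEVICE_CODE_ALLOWED_USERS:
        reasons.append("user not in device-code allowlist")
        severity += 1
    if not is_corporate_ip(rec.get("ipAddress", "0.0.0.0")):
        reasons.append("token redeemed from outside corporate egress")
        severity += 1
    if rec.get("status", {}).get("errorCode", 0) == 0:
        reasons.append("sign-in succeeded (access token issued)")
        severity += 1
    return severity, reasons


def triage(records):
    """Flag every device-code sign-in, highest severity first."""
    alerts = []
    for rec in records:
        severity, reasons = score_signin(rec)
        if severity:
            alerts.append({
                "user": rec.get("userPrincipalName"),
                "ip": rec.get("ipAddress"),
                "app": rec.get("appDisplayName"),
                "severity": severity,
                "reasons": reasons,
            })
    return sorted(alerts, key=lambda a: -a["severity"])


if __name__ == "__main__":
    for alert in triage(load_jsonl(SAMPLE_SIGNINS_JSONL)):
        print(f"[sev {alert['severity']}] {alert['user']} from {alert['ip']} "
              f"via {alert['app']}: {'; '.join(alert['reasons'])}")
```

Run against a real export, the allowlist is the part worth getting right: most users never need the device code flow, so a successful device-code sign-in for anyone outside that list is worth a look regardless of IP. The same allowlist can be enforced rather than just detected, since Entra Conditional Access has an authentication-flows condition that can block device code flow for everyone who is not on it.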
