
AI & MSP News
25 March 2026
19 min read

Device Code Phishing Hits 340+ Microsoft 365 Orgs Globally


Global Phishing Campaign Targets 340+ Microsoft 365 Organizations

Recent findings from cybersecurity firm Huntress have revealed a sophisticated phishing operation that is currently sweeping through the global business community. Since it was first detected on February 19, 2026, the campaign has successfully compromised more than 340 Microsoft 365 organizations. This is not a random or generic attack; it is a calculated effort targeting high-value identities in specific regions across the globe.

The geographic focus of this campaign is particularly concerning for local business owners and IT managers here in Australia. The attackers have concentrated their efforts on identities within Australia, the United States, Canada, New Zealand, and Germany. For Australian organizations, this highlights an urgent need to review current cybersecurity protocols to ensure they are equipped to handle modern, token-based threats.

The Rapid Acceleration of Compromises

Since the initial detection in February, the volume of cases has grown at what researchers describe as an "accelerated pace." What began as a series of isolated incidents has quickly matured into a widespread threat that shows no signs of slowing down. Huntress reports that the campaign is expanding rapidly, moving through international markets by exploiting the trusted relationships inherent in cloud environments.

The speed of this expansion is largely due to the efficiency of the attackers' backend infrastructure. Unlike traditional phishing that often relies on poorly constructed websites or suspicious domains, this campaign uses a "credential harvesting engine" built on professional-grade tools. By leveraging these platforms, the threat actors can maintain a high degree of uptime and evade many traditional security filters that might otherwise flag malicious activity.

The scale of the attack is unusually large for this specific technique, hitting over 340 organizations in about five weeks. This rapid growth suggests that the attackers have automated much of their workflow, allowing them to target hundreds of Microsoft 365 tenants in parallel. As the campaign continues to evolve, the number of affected organizations is expected to rise across all five targeted countries.

Exploiting Trusted Cloud Infrastructure

One of the most dangerous aspects of this campaign is how it exploits legitimate, high-reputation cloud infrastructure to carry out its goals. The attackers are not just using compromised servers; they are actively leveraging Cloudflare Workers and a Platform-as-a-Service (PaaS) offering called Railway. By using these services, the attackers can redirect captured sessions and host their malicious tools on platforms that are generally trusted by enterprise security systems.

This approach makes the phishing attempts much harder to detect for the average user or standard email filter. When a request or redirect comes through a trusted service like Cloudflare, it lacks the typical red flags associated with credential theft. Huntress notes that the campaign "exploits trusted cloud infrastructure" to facilitate the OAuth device authorization flow, which is a standard part of many modern login processes.

The technique is described as "insidious" because it leverages legitimate Microsoft infrastructure to perform the device code authentication flow. Because the process uses official Microsoft URLs and familiar interfaces, users often have "no reason to suspect anything could be amiss" during the interaction. This high level of trust in the underlying infrastructure is exactly what the attackers are counting on to successfully harvest credentials and bypass traditional security measures.

This reliance on trusted systems allows the attackers to hide in plain sight while they gain a foothold in corporate environments. By turning legitimate business tools against their victims, the campaign creates a significant challenge for even the most vigilant IT teams. To understand the gravity of this threat, one must look closely at the specific mechanics the attackers use to subvert these standard login processes.

How Attackers Abuse Legitimate Microsoft Infrastructure

The core of this campaign is the clever manipulation of the OAuth device authorization flow. This protocol is a standard feature designed to help users sign in to their accounts on devices that lack a traditional keyboard, such as smart TVs, printers, or specialized IoT hardware. By repurposing this legitimate convenience, attackers have found a way to bypass standard security filters that usually look for suspicious login pages or fake domains. This method allows threat actors to insert themselves into the authentication process of high-value cloud solutions without raising immediate alarms.

To initiate the attack, the threat actor sends a request directly to Microsoft's legitimate device code endpoint (the flow itself is standardised as RFC 8628). This is often done with a single cURL command, and Microsoft's response contains two values: a long, secret device code that the attacker keeps and later uses to poll for tokens, and a short user code that the victim will be asked to type in. Both are valid for a limited time (Microsoft's expire after 15 minutes), so the lure has to land and be acted on quickly. Because the codes are generated by Microsoft's own infrastructure, they carry an inherent level of trust. The attacker does not need to host a fake login page; instead, they rely on Microsoft's own systems to provide the authentic elements of the phishing attempt.

The Deceptive Authentication Flow

Once the attacker has the codes, they trick the victim into visiting the official Microsoft device login URL, https://microsoft.com/devicelogin, and entering the user code from the lure to "verify" a device or session. Because the URL is legitimate and the interface is familiar, users often follow the instructions without hesitation. As Huntress explains, "The technique is insidious, not least because it leverages legitimate Microsoft infrastructure to perform the device code authentication flow, thereby giving users no reason to suspect anything could be amiss."

When the victim enters the code and completes sign-in, including any multi-factor authentication (MFA) prompt, they are approving the pending authorization that the attacker started. From the user's perspective, they have simply signed in on a Microsoft-owned site. In the background, Microsoft binds the attacker's device code to the victim's identity. Note what this means for MFA: it is not broken or bypassed, it is completed by the victim, in their own browser, on the attacker's behalf. The user has unknowingly opened the door for the attacker to step into their corporate environment using their own verified identity.

Retrieving the Keys to the Kingdom

The final step of the abuse is the attacker collecting the result. While the lure is out, the attacker's client polls Microsoft's token endpoint with the device code (grant type urn:ietf:params:oauth:grant-type:device_code) and receives authorization_pending until the victim approves. Once the victim has authenticated, the next poll returns an access token and a refresh token issued for the victim's identity, scoped to the client application and permissions the attacker requested. Within that scope, these tokens provide direct API access to the victim's Microsoft 365 data and applications.

What makes this technique particularly dangerous is the nature of the tokens themselves. The access token is short-lived (roughly an hour by default) and, unless Continuous Access Evaluation applies, cannot be revoked before it expires. It comes with a refresh token, which is designed to keep a user signed in across sessions and devices and is renewed each time it is used. Unlike a password, a refresh token is not something the user can change. By hijacking this process, attackers ensure they can remain inside the environment long after the initial phishing event has occurred.

This method of credential harvesting is far more resilient than traditional phishing because it circumvents many common cybersecurity defenses that focus solely on password protection. The technical sophistication of this campaign lies in how it turns the platform's own features against its users. By using the official API and trusted Microsoft URLs, the attackers minimize the "noise" typically associated with a breach. This strategic abuse of legitimate infrastructure creates a significant blind spot for IT managers who are not specifically monitoring for unusual OAuth authorization grants.

Understanding how these tokens move through the attacker's infrastructure is the next step in uncovering the full scale of this operation.

The Anatomy of the Credential Harvesting Engine

To understand the danger of this campaign, we must look at the sophisticated technical "engine" the attackers have built to automate the theft of identities. This is not a simple landing page designed to trick a user into typing a password. Instead, it is a distributed system that integrates legitimate developer tools and trusted cloud infrastructure to bypass traditional security filters.

The attackers have carefully selected high-reputation services to host their malicious workflow, making it incredibly difficult for standard cybersecurity tools to flag the activity. By leveraging professional-grade platforms, the threat actors can maintain a persistent presence while remaining hidden from view. This technical maturity is what has allowed the campaign to scale so rapidly across 340 organizations.

The Initial Trigger: The cURL Request

The entire attack sequence begins before the victim even receives a phishing lure. The threat actor initiates the process by sending a cURL request directly to Microsoft's legitimate device code endpoint, the same request a legitimate keyboard-less client would make to start a sign-in.

By making this initial request, the attacker generates a unique device code that is stored by Microsoft’s authentication service. Huntress explains the significance of this step: "The attacker, of course, knows the device code because it was generated by the initial cURL request to the device code login API." This means the attacker holds the "lock" and is simply waiting for the victim to provide the "key."

Once the codes are generated, the attacker sends the user code to the victim via a phishing email, often disguised as a standard Microsoft 365 login prompt. Because the code is authentic and generated by a real Microsoft service, there are no immediate red flags for the user. The victim is directed to a legitimate Microsoft URL to enter the code and authorize the "new device."

Using Cloudflare Workers for Seamless Redirection

Once a victim interacts with the phish, the campaign utilizes Cloudflare Workers to manage the flow of data. Cloudflare Workers are lightweight scripts that run on a global network, typically used by developers to optimize web traffic. In this context, the attackers use them to capture session data and redirect the victim to the next stage of the exploit.

This use of Cloudflare provides the attackers with a massive advantage in terms of evasion. Because Cloudflare is a trusted global service, many security systems do not block or scrutinize traffic coming through its workers. This allows the attackers to redirect captured sessions to their own malicious infrastructure without triggering the reputation-based alerts that usually stop phishing links.

The Cloudflare layer acts as a middleman, ensuring that the connection between the victim and the attacker remains stable and difficult to trace. It provides the "engine" with a professional front-end that looks and behaves like a standard corporate web service. This level of technical camouflage is why many Australian IT managers are finding these attacks so difficult to detect manually.

Railway: Hosting the Harvesting Infrastructure

The final and most critical component of this engine is the hosting environment. The campaign leverages a Platform-as-a-Service (PaaS) offering called Railway to host its credential harvesting tools. Railway is a popular platform for developers to deploy applications quickly, providing the attackers with a stable, scalable, and high-uptime environment for their malicious scripts.

By hosting their tools on a legitimate PaaS, the attackers effectively turn the platform into a "credential harvesting engine." This setup allows them to process stolen data in real-time and retrieve persistent tokens as soon as a victim authenticates. Using a PaaS means the attackers do not have to manage their own servers, which would be easier for law enforcement or security firms to shut down.

When the victim completes the authentication process, the attacker's poll of Microsoft's token endpoint succeeds and returns the access and refresh tokens. Because the attacker already holds the device code from the original cURL request, the hosted engine can claim the tokens the moment they become available and store them for later use. This seamless integration of legitimate cloud services and malicious intent makes the campaign exceptionally resilient to traditional defense strategies.
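The flow described under "How Attackers Abuse Legitimate Microsoft Infrastructure" and again in this section can be played end to end offline. The following is an added example written for this page, not Huntress's or Microsoft's code: the AuthorizationServer class stands in for Microsoft's /oauth2/v2.0/devicecode and /oauth2/v2.0/token endpoints, the verification URI and the 15-minute code lifetime are Microsoft's documented values, and the client ID, scope and victim name are made up. It shows the detail the prose glosses over: the first response carries two codes, only the short user_code ever reaches the victim, and the attacker polls with the secret device_code until the victim's sign-in flips the answer from authorization_pending to a token set.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628) as used
in device code phishing, played from both sides. Added example, not Huntress's
or Microsoft's code. AuthorizationServer stands in for Microsoft's
/oauth2/v2.0/devicecode and /oauth2/v2.0/token endpoints; the client_id, scope
and user name below are made up."""
import secrets
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthorizationServer:
    def __init__(self, now=time.time, code_lifetime=900):
        self.now = now                      # injectable clock so expiry is testable
        self.code_lifetime = code_lifetime  # Microsoft's device codes expire after 15 min
        self._pending = {}                  # device_code -> pending authorization

    def devicecode(self, client_id, scope):
        """POST /devicecode: the request the attacker's cURL command makes."""
        device_code = secrets.token_urlsafe(32)   # secret; never shown to the victim
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.now() + self.code_lifetime, "user": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.code_lifetime, "interval": 5}

    def devicelogin(self, user_code, username, mfa_passed):
        """What the victim does at the real verification_uri: enters the code from
        the lure, then signs in with password and MFA in their own browser."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and self.now() < rec["expires_at"]:
                if not mfa_passed:
                    return False
                rec["user"] = username   # binds the attacker's pending code to the victim
                return True
        return False

    def token(self, client_id, device_code, grant_type=DEVICE_CODE_GRANT):
        """POST /token: the attacker polls this with the device_code until the
        victim has approved, then receives tokens issued for the victim."""
        rec = self._pending.get(device_code)
        if grant_type != DEVICE_CODE_GRANT or rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now() >= rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]   # one-shot: a device code is redeemed once
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(32),
                "issued_to": rec["user"]}


def run_phish(server, client_id="public-client-id", victim="alice@example.com"):
    """Walk the attack: attacker starts the flow, victim approves, attacker polls."""
    start = server.devicecode(client_id, "openid offline_access Mail.Read")
    lure = {"url": start["verification_uri"], "code": start["user_code"]}  # what the email carries
    before = server.token(client_id, start["device_code"])      # authorization_pending
    server.devicelogin(lure["code"], victim, mfa_passed=True)   # victim completes MFA
    after = server.token(client_id, start["device_code"])       # attacker now holds tokens
    return before, after


if __name__ == "__main__":
    pending, tokens = run_phish(AuthorizationServer())
    print(pending)
    print({k: v for k, v in tokens.items() if k != "access_token"})
```

Run as-is, the first poll returns authorization_pending and the second returns tokens issued to the victim; an expired or unknown device code is refused. The real cURL request differs only in going over the network: a POST to the devicecode endpoint with client_id and scope, then the same poll against the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code and the device_code.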

The result of this sophisticated machinery is a set of stolen access tokens that provide the attacker with ongoing, persistent access to the victim's account. This leads to a significant security challenge, as the standard response to a compromise often fails to address the unique way these tokens function within the Microsoft ecosystem.

Why Password Resets Fail to Stop OAuth Token Abuse

For decades, the standard response to a security breach has been to reset the victim's password immediately. In most traditional phishing scenarios, this simple action is enough to revoke an attacker's access and secure the account. However, the current campaign targeting Microsoft 365 organizations demonstrates why this legacy strategy is no longer a guaranteed fix. Because this attack exploits the OAuth device authorization flow, the security threat persists long after a password has been changed.

When a user is tricked into authenticating a device code, the process generates a specific set of credentials known as access and refresh tokens. According to Huntress, these resulting tokens "live at the OAuth token API endpoint" where they await retrieval by the party who initiated the request. The attacker, having started the process via a cURL command, already possesses the specific device code needed to claim these tokens from the API. Once the victim completes the authentication on a legitimate Microsoft page, the tokens are effectively handed over to the threat actor.

The Persistence of Stolen Tokens

The most dangerous characteristic of these stolen tokens is their longevity and independence from the user's password. The refresh token is not tied to a password hash, and a password reset on its own does not reliably invalidate it: Microsoft's documented revocation rules revoke only refresh tokens that were obtained with a password when the password changes, and you cannot tell from outside which class the attacker's token fell into. An IT manager can follow every traditional cleanup step and still leave the attacker holding a functional key to the environment. The effective response is to revoke the user's sign-in sessions explicitly (Revoke-MgUserSignInSession in PowerShell, or the revokeSignInSessions action in Microsoft Graph), which invalidates every refresh token issued before that moment, while remembering that an access token already in the attacker's hands stays valid until it expires.

This persistence allows attackers to maintain control and seize victim accounts indefinitely without any further interaction from the user. Once the initial "hook" is set and the tokens are retrieved, the attacker does not need to send another phishing email or trick the user a second time. They can move laterally through the organization's cloud solutions at their own pace while remaining undetected. This "set and forget" capability makes the campaign particularly difficult to manage with standard incident response protocols.

Indefinite Account Seizure

Because the attacker knows the device code used in the original request, the authenticated tokens belong to them as soon as the victim clicks "sign in." Huntress researchers point out that while the code itself is "useless by itself," its value becomes absolute the moment a user validates it. This creates a scenario where the victim unknowingly authorizes a permanent backdoor into their corporate environment. This level of access is what allows sophisticated threat groups to maintain such a high success rate across hundreds of organizations globally.
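To make the password reset problem concrete, the following added example (not Microsoft's implementation, and not from Huntress) models token lifetimes and revocation in a toy tenant. The lifetimes are Microsoft's documented defaults (access tokens of about an hour, refresh tokens with a 90-day inactivity window), refresh_tokens_valid_from mirrors the timestamp that revokeSignInSessions sets, and the account names are made up. Because Microsoft's rules revoke only password-based refresh tokens on a password change, the model takes the pessimistic case and leaves every refresh token untouched by a reset.

```python
"""Toy model of Entra ID token lifetimes and revocation. Added example, not
Microsoft's implementation. Lifetimes are Microsoft's documented defaults;
refresh_tokens_valid_from mirrors the timestamp that revokeSignInSessions
(Revoke-MgUserSignInSession) sets. Accounts and passwords are made up."""
from dataclasses import dataclass
import hashlib
import secrets

ACCESS_TOKEN_LIFETIME = 60 * 60             # seconds; Entra default is 60-90 minutes
REFRESH_TOKEN_INACTIVITY = 90 * 24 * 3600   # refresh token dies if unused this long


class Clock:
    """Controllable clock so the scenario can skip forward in time."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Account:
    upn: str
    password_hash: str
    refresh_tokens_valid_from: float = 0.0  # refresh tokens issued before this are dead


@dataclass
class RefreshToken:
    upn: str
    issued_at: float
    last_used: float


@dataclass
class AccessToken:
    upn: str
    expires_at: float


class Tenant:
    def __init__(self, now):
        self.now = now
        self.accounts = {}

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()   # toy; not Entra's storage

    def add_account(self, upn, password):
        self.accounts[upn] = Account(upn, self._hash(password))

    def issue(self, upn):
        """Tokens handed to whoever redeemed the device code (the attacker)."""
        t = self.now()
        return AccessToken(upn, t + ACCESS_TOKEN_LIFETIME), RefreshToken(upn, t, t)

    def is_access_token_valid(self, at):
        """A bearer access token is checked only for expiry: the resource cannot
        see a revocation that happened after issuance (absent CAE)."""
        return self.now() < at.expires_at

    def refresh(self, rt):
        """Exchange a refresh token for a new access token, or None if it is dead."""
        acct = self.accounts[rt.upn]
        t = self.now()
        if rt.issued_at < acct.refresh_tokens_valid_from:   # explicitly revoked
            return None
        if t - rt.last_used > REFRESH_TOKEN_INACTIVITY:      # aged out
            return None
        rt.last_used = t                                      # sliding window
        return AccessToken(rt.upn, t + ACCESS_TOKEN_LIFETIME)

    def reset_password(self, upn, new_password):
        """The legacy IR step: changes the credential, touches no token state."""
        self.accounts[upn].password_hash = self._hash(new_password)

    def revoke_sign_in_sessions(self, upn):
        """The step that matters: invalidate every refresh token issued before now."""
        self.accounts[upn].refresh_tokens_valid_from = self.now()


def incident(tenant, clock, upn):
    """Replay the scenario and report what still works at each stage."""
    at, rt = tenant.issue(upn)                         # attacker redeems the device code
    clock.advance(600)
    tenant.reset_password(upn, secrets.token_hex(8))   # helpdesk resets the password
    after_reset = tenant.refresh(rt)                   # attacker keeps minting access tokens
    clock.advance(600)
    tenant.revoke_sign_in_sessions(upn)                # admin revokes sessions
    after_revoke = tenant.refresh(rt)                  # refresh token is now dead
    old_token_still_valid = tenant.is_access_token_valid(at)
    clock.advance(ACCESS_TOKEN_LIFETIME)               # wait out the access token
    return {
        "refresh_after_password_reset": after_reset is not None,
        "refresh_after_revocation": after_revoke is not None,
        "old_access_token_still_valid": old_token_still_valid,
        "old_access_token_after_expiry": tenant.is_access_token_valid(at),
    }


if __name__ == "__main__":
    clock = Clock()
    tenant = Tenant(clock)
    tenant.add_account("alice@example.com", "Winter2026!")
    print(incident(tenant, clock, "alice@example.com"))
```

The scenario reports that the attacker can still refresh after the password reset, cannot after the session revocation, and that the access token issued before the revocation keeps working until it expires. That last point is why revocation should be followed by watching the account for the next hour or so, not treated as instantaneous.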

Australian businesses must recognize that modern cybersecurity requires more than just rotating credentials. If your incident response plan only focuses on password resets, it likely leaves the most critical vulnerabilities wide open to token-based exploitation. Understanding the technical mechanics of how these tokens are generated is the first step in building a more resilient defense against session-based attacks. This specific method of harvesting credentials has been refined over several years by some of the world's most persistent threat actors.

Tracing the Origin: From 2025 Origins to State-Aligned Groups

While the current surge in device code phishing is causing significant disruption in 2026, the blueprint for these attacks was established over a year ago. Microsoft and Volexity published the first detailed reports of active campaigns using this technique in February 2025; the abuse potential of the device code flow had been described by researchers before that. This early research showed how attackers could turn a standard authentication flow against the user so that Multi-Factor Authentication (MFA) is satisfied on the attacker's behalf, defeating a control most organizations rely on. By the time the current campaign accelerated, the methodology had already been tested and refined in smaller, targeted environments.

Following the initial discoveries by Microsoft and Volexity, the global security community began seeing subsequent waves of activity. Organizations like Amazon Threat Intelligence and Proofpoint played a critical role in documenting how these tactics evolved throughout the latter half of 2025. Their collaborative reporting revealed that the campaign wasn't just a series of isolated incidents, but a repeatable, successful strategy for sophisticated threat actors. This historical context is vital for understanding that these are not amateur operations, but calculated maneuvers by experienced groups.

Attribution to State-Aligned Threat Actors

The sophistication of these campaigns is largely explained by the entities behind them. Security researchers have linked multiple Russia-aligned threat groups to these ongoing device code phishing operations. Among the most notable is APT29, a group frequently associated with high-level espionage and advanced persistent threats on a global scale. The presence of such advanced actors suggests that these attacks are often motivated by long-term strategic goals rather than simple financial gain, making them a high priority for corporate cybersecurity teams.

Beyond APT29, several other sophisticated clusters have been identified as key players in this specific campaign. These include:

  • Storm-2372: Microsoft's designator for the actor behind the device code phishing campaign it reported in February 2025, targeting Microsoft 365 environments.
  • UNK_AcademicFlare: a Proofpoint-tracked cluster noted for abusing the OAuth device authorization flow.
  • UTA0304 and UTA0307: Volexity-tracked groups that abuse legitimate cloud infrastructure to mask their activity.

The Strategic Shift in Phishing Tactics

The involvement of these state-aligned groups highlights a significant shift in how modern cyber threats must be approached. These actors do not rely on traditional malware that might be caught by an antivirus program or an endpoint detection system. Instead, they weaponize the very tools and protocols that businesses use to facilitate remote work and cloud collaboration. By focusing on identity and token-based access rather than software vulnerabilities, they can maintain a lower profile while achieving much higher success rates across international borders.

Tracking these groups allows the industry to understand the full "lifecycle" of a threat, from its experimental phases to its current industrial-scale automation. The transition from the first documented cases in early 2025 to the widespread automation we see today demonstrates a high level of operational maturity. These groups share tactics and infrastructure, refining their methods to ensure that their stolen tokens remain a gateway into corporate networks. Many Australian organizations are now turning to specialized managed IT services to provide the continuous monitoring required to spot these subtle signs of token abuse.

Understanding the origins of these attacks and the powerful entities driving them is the first step in building a resilient defense against future iterations of this campaign. As these groups continue to refine their credential harvesting engines, businesses must shift their focus toward the long-term security of their cloud-based identities.

Securing Australian Businesses Against Modern Phishing Tactics

The rise of device code phishing represents a significant shift in the cyber threat landscape for Australian organizations. Unlike traditional phishing, which often relies on spoofed domains that look "close enough" to the original, this campaign uses legitimate infrastructure. This makes it incredibly difficult for even the most tech-savvy employees to spot a fraudulent request during their workday.

The High Cost of Implicit Trust

The most dangerous aspect of this campaign is how it exploits the trust users place in official platforms. Because the process leverages the actual Microsoft device authorization flow, users are directed to official Microsoft URLs to enter their codes. As researchers at Huntress pointed out, the technique is insidious because it gives users "no reason to suspect anything could be amiss" while they are interacting with the system.

For an employee in a busy Australian office, seeing a familiar Microsoft login prompt is a routine occurrence. They are trained to check the URL bar for security certificates and correct domain names, both of which appear perfectly valid in this scenario. This high-fidelity deception is why so many organizations have already fallen victim to these persistent attackers.

Moving Beyond the Password Reset

One of the hardest lessons for IT managers to learn from this campaign is that traditional reactive measures are no longer sufficient. Historically, if an account was suspected of being compromised, the first step was a mandatory password reset. In these OAuth-based attacks, however, the stolen refresh token is not reliably invalidated by a password change, and an access token that has already been issued stays valid until it expires regardless.

Once a victim authenticates the device code, the attacker's poll of the token endpoint returns the tokens, and the refresh token lets the attacker maintain control over the account without needing to interact with the user again. Businesses must realize that securing an identity now requires a focus on session management and token lifecycle, revoking sign-in sessions rather than only rotating credentials.

Proactive Monitoring for IT Managers

To defend against these accelerating threats, IT departments must shift their focus toward monitoring device code and other OAuth token grants within their Microsoft 365 environments. In the Entra ID sign-in logs a device code sign-in is recorded with authenticationProtocol set to deviceCode, which makes it straightforward to alert on, and a tenant's legitimate use of the flow is normally small and predictable (a few administrative tools), so anything else deserves a look. It is no longer enough to simply block "bad" emails; managers must stay vigilant for unusual application permissions and suspicious device registrations. Implementing a robust cybersecurity strategy that includes real-time alerting for these activities is now a necessity for local firms.
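The following added example (not Huntress's tooling and not a Microsoft product) triages sign-in records for device code flow usage. The field names, authenticationProtocol, userPrincipalName, ipAddress, location.countryOrRegion, appDisplayName, status.errorCode and createdDateTime, are those of the Microsoft Graph signIn resource that backs the Entra sign-in logs; the records themselves are constructed for this example and are not real log data, and the set of applications allowed to use the device code flow is an assumption you would replace with your own tenant's baseline.

```python
"""Triage Entra ID sign-in records for device code flow sign-ins. Added example,
not Huntress's or Microsoft's tooling. Field names follow the Microsoft Graph
signIn resource; the log lines below are constructed, not real, and
DEVICE_CODE_ALLOWED_APPS is an assumed per-tenant allow-list."""
import json
from collections import defaultdict

# Constructed sample: two normal sign-ins for alice, then a successful device
# code sign-in for her from a new country, a failed one for bob from the same
# IP, and an expected device code sign-in for carol using an admin tool.
SAMPLE_LOG = r"""
{"createdDateTime":"2026-03-02T01:12:09Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T03:40:51Z","userPrincipalName":"alice@example.com","appDisplayName":"OfficeHome","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-03T22:05:17Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-03T22:06:02Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":50074}}
{"createdDateTime":"2026-03-04T00:30:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.44","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
"""

# Assumption: apps whose device code use is expected in this tenant.
DEVICE_CODE_ALLOWED_APPS = {"Azure CLI"}


def parse(log_text):
    """One JSON object per line, as exported from the sign-in logs."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def baseline_countries(records):
    """Countries seen per user in successful sign-ins that were NOT device code."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def triage(records, allowed_apps=DEVICE_CODE_ALLOWED_APPS):
    """Return one alert per device code sign-in, with a severity and reasons.
    Failed attempts are kept: they show who received a lure."""
    baseline = baseline_countries(records)
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        succeeded = r["status"]["errorCode"] == 0
        reasons = []
        if r["appDisplayName"] not in allowed_apps:
            reasons.append("app not expected to use device code flow")
        # Only judge the country when the user has a baseline to compare against.
        if upn in baseline and country not in baseline[upn]:
            reasons.append("country outside user's baseline")
        if succeeded and reasons:
            severity = "high"
        elif succeeded or reasons:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"time": r["createdDateTime"], "user": upn, "ip": r["ipAddress"],
                       "app": r["appDisplayName"], "succeeded": succeeded,
                       "severity": severity, "reasons": reasons})
    return alerts


def users_to_revoke(alerts):
    """Accounts whose sign-in sessions should be revoked now, not just reset."""
    return sorted({a["user"] for a in alerts if a["succeeded"] and a["severity"] == "high"})


if __name__ == "__main__":
    found = triage(parse(SAMPLE_LOG))
    for a in found:
        print(a["severity"], a["time"], a["user"], a["ip"], a["app"], a["reasons"])
    print("revoke sessions for:", users_to_revoke(found))
```

On the sample, alice's successful device code sign-in from a country she has never used, through an app that has no business using the flow, comes out high and lands on the revocation list; bob's failed attempt from the same IP is medium (a lure reached him, worth a conversation); carol's Azure CLI sign-in is medium only because any device code grant deserves a glance. The equivalent first cut in KQL against the SigninLogs table is a filter on AuthenticationProtocol == "deviceCode".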

Working with an experienced provider of managed IT services can help Australian businesses implement the necessary oversight to catch these attacks early. By blocking the device code flow with a Conditional Access policy (the "Authentication flows" condition) for everyone who does not need it, auditing existing OAuth permissions, and alerting on the device code grants that remain, organizations can significantly reduce their attack surface. This level of vigilance is critical as the campaign continues to accelerate across the globe and hit more targets locally.

Building a Resilient Defense

As these Russia-aligned groups continue to refine their credential harvesting engines, the margin for error for Australian businesses is shrinking. Security teams should prioritize user education that specifically addresses the risks of device code requests, even when they appear to come from trusted sources: a legitimate Microsoft page asking for a code that arrived by email is the signature of this attack. Combining this human-centric approach with technical safeguards, such as a Conditional Access policy that blocks the device code flow for users who have no need of it, ensures a multi-layered defense.

Staying ahead of these sophisticated tactics requires a commitment to continuous monitoring and rapid response. By understanding the underlying mechanics of token abuse, IT leaders can move from being reactive to being truly resilient against modern phishing. Ensuring that your identity infrastructure is configured to flag and investigate every new device code grant, and that your incident response plan revokes sessions rather than stopping at a password reset, is the best way to protect your organization's sensitive data and maintain operational continuity.
