Microsoft 365 Device Code Phishing Hits 340+ Global Organizations

Global Phishing Campaign Targets Australian Microsoft 365 Identities
Australian businesses are currently facing a sophisticated surge in cyberattacks specifically designed to bypass traditional security measures. A major device code phishing campaign has emerged as a critical threat, successfully infiltrating over 340 organizations globally. While the campaign has a wide reach, it is actively targeting identities within Australian and New Zealand Microsoft 365 environments, making it a primary concern for local IT managers.
Security researchers at Huntress first identified this activity on February 19, 2026. Since its initial discovery, the campaign has not slowed down; instead, it is rapidly expanding and showing signs of significant acceleration. This speed is particularly concerning for local business owners who may not have the internal resources to monitor their environments 24/7 for such niche and evolving exploits.
The Danger of "Legitimate" Traffic
What makes this campaign uniquely dangerous is its reliance on legitimate Microsoft infrastructure. Because the authentication flow takes place on official Microsoft domains, users have no immediate reason to suspect foul play. Huntress researchers describe the technique as "insidious" because it leverages the actual device code authentication flow, "thereby giving users no reason to suspect anything could be amiss."
This psychological advantage allows the phish to bypass the typical skepticism users have toward unfamiliar URLs or suspicious-looking login pages. For many employees, seeing a login prompt on a familiar Microsoft page is enough to lower their guard. As these attacks continue to scale, maintaining a high level of cybersecurity awareness across all staff levels becomes a vital defense mechanism.
A Growing Threat to Regional Infrastructure
The impact of this campaign is widespread, with confirmed targets spanning Australia, New Zealand, the United States, Canada, and Germany. For Australian firms, this is not a distant threat; it is a direct assault on the regional business community that requires immediate attention. Security researchers report that the campaign is currently accelerating, indicating that the threat actors are finding success with their current methods.
Many Australian small-to-medium enterprises rely heavily on Microsoft 365 for daily operations, and this campaign exploits that reliance by turning standard features against the user. Because the attack leverages the OAuth device authorization flow, it can grant attackers persistent access that is much harder to detect than traditional credential theft. Relying on a robust managed IT strategy can help organizations identify these anomalies before they escalate into full-scale data breaches.
For IT managers, the acceleration of this campaign means that reactive security measures are no longer sufficient. Heightened awareness is required for all Australian Microsoft 365 users as the campaign continues to scale globally and refine its deceptive tactics. Understanding the specific technical mechanisms used by these attackers is the next step in building a resilient defense against these persistent identity threats.
How Attackers Exploit the OAuth Device Authorization Flow
Device code phishing represents a sophisticated shift in how attackers approach cybersecurity threats within the Microsoft ecosystem. Instead of simply stealing a username and password, this method exploits the OAuth device authorization flow. This flow was originally designed by Microsoft to help users sign in on devices with limited input capabilities, such as smart TVs, printers, or IoT devices. By manipulating this legitimate process, attackers can obtain persistent access tokens that grant long-term entry into a business environment.
The Initial Request and Code Generation
The attack begins behind the scenes with a specific technical trigger initiated by the threat actor. According to security researchers at Huntress, the attacker starts the process by making a cURL request to the Microsoft device code login API. This request generates a unique, short-lived alphanumeric code intended for a secondary device. Because this code is generated directly by Microsoft’s own systems, it is inherently trusted by the platform’s security architecture and does not trigger immediate red flags.
Once the attacker has this unique code, they must convince a victim to authenticate it. This is typically done through deceptive emails or redirects that look like standard IT notifications. The victim is directed to the official Microsoft device pairing page, where they are prompted to enter the code provided by the attacker. Because the victim is interacting with a legitimate Microsoft domain, they often feel a false sense of security during the process.
Token Retrieval via the API Endpoint
The most critical part of this exploit is how the attacker claims the final authorization. Once the victim is tricked into authenticating via the provided code, the resulting tokens belong to anyone who knows that specific device code. According to Huntress, these tokens "live at the OAuth token API endpoint and can be retrieved by providing the correct device code." The attacker, having initiated the flow, already possesses the code and can pull the tokens immediately.
This "waiting" strategy is highly effective because the attacker does not need to intercept the victim's password. Huntress explains that "while that code is useless by itself, once the victim has been tricked into authenticating, the resulting tokens now belong to anyone who knows which device code was used in the original request." This allows the attacker to bypass many traditional security layers that focus strictly on credential harvesting. The attacker simply polls the API until the victim completes the login, at which point the session tokens are delivered directly to the malicious actor.
The Risk of Persistent Authorization
For organizations utilizing cloud solutions, the stakes are incredibly high because these tokens provide more than just a temporary session. These OAuth tokens provide a persistent connection to the user's account, data, and connected applications. The attacker can use these tokens to maintain control over Microsoft 365 identities without needing to log in again. This persistent access is what allows threat actors to move laterally through an organization or exfiltrate sensitive data over an extended period.
Traditional security monitoring often misses these events because the authentication itself is technically valid. The user did, in fact, provide their credentials and MFA to Microsoft. However, the "device" they authorized was actually the attacker's script. Understanding how this authorization is technically hijacked is essential for any IT manager looking to defend against modern identity-based attacks. This exploitation of trusted flows is further enhanced by the specific digital infrastructure the attackers use to hide their tracks.
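To make the three steps above concrete, here is an added example (a toy in-memory model written for this page, not code from Huntress or Microsoft, and not a client for any real identity provider) of the device authorization grant as an authorization server's state machine, using the standard's own field names (device_code, user_code, authorization_pending); the `AuthorizationServer` class, the client id and the `https://idp.example/device` URI are assumptions for illustration.

```python
"""In-memory model of the OAuth 2.0 device authorization grant (RFC 8628).
Added example, not Huntress's or Microsoft's code and not a client for any real identity
provider: it shows why tokens issued after a user types the user_code belong to whoever
holds the matching device_code, and why the party that started the flow never sees a password.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonant-only alphabet, as RFC 8628 suggests


@dataclass
class DeviceAuthorization:
    device_code: str            # secret: returned only to the client that asked for it
    user_code: str              # short code the end user is asked to type
    client_id: str
    scope: str
    expires_at: float
    subject: Optional[str] = None   # set when a signed-in user approves the code
    token_issued: bool = False


class AuthorizationServer:
    def __init__(self, code_lifetime: int = 900):
        self.code_lifetime = code_lifetime
        self._by_device: dict = {}
        self._by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the client asks for a code pair. Nothing about the end user is known yet."""
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        auth = DeviceAuthorization(secrets.token_urlsafe(32), user_code, client_id, scope,
                                   time.time() + self.code_lifetime)
        self._by_device[auth.device_code] = auth
        self._by_user_code[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://idp.example/device", "expires_in": self.code_lifetime}

    def approve(self, user_code: str, subject: str) -> bool:
        """Step 2: a user who is signed in on the verification page types the user_code."""
        auth = self._by_user_code.get(user_code)
        if auth is None or time.time() > auth.expires_at or auth.subject is not None:
            return False
        auth.subject = subject  # the user's identity is now bound to someone else's device_code
        return True

    def token(self, device_code: str) -> dict:
        """Step 3: the client polls the token endpoint; only the device_code is needed."""
        auth = self._by_device.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if time.time() > auth.expires_at:
            return {"error": "expired_token"}
        if auth.subject is None:
            return {"error": "authorization_pending"}  # keep polling
        if auth.token_issued:
            return {"error": "invalid_grant"}  # a device_code is single use
        auth.token_issued = True
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24),
                "token_type": "Bearer", "scope": auth.scope, "sub": auth.subject}


def run_flow() -> dict:
    """Walk all three steps with a constructed user; returns the final token response."""
    idp = AuthorizationServer()
    pending = idp.device_authorization(client_id="example-client", scope="Mail.Read offline_access")
    first_poll = idp.token(pending["device_code"])["error"]        # 'authorization_pending'
    idp.approve(pending["user_code"], subject="user@example.com")  # the user types the code they were sent
    return {"first_poll": first_poll, **idp.token(pending["device_code"])}
```

Note that `approve` never sees the device_code and `token` never sees the user: the only thing linking the two is the server's record, which is why the user's password and MFA are irrelevant to whoever polls with the device_code.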
The Technical Infrastructure Behind Credential Harvesting
The backend infrastructure supporting this campaign is designed for high-volume execution and maximum stealth. Rather than relying on static, suspicious websites, the threat actors have built a dynamic system using modern web technologies to process stolen data. This approach allows them to manage thousands of potential victims across multiple continents simultaneously. By using a layered architecture, they can separate the initial lure from the actual harvesting engine.
Leveraging Cloudflare Workers and Railway PaaS
Cloudflare Workers serve as the primary entry point for managing redirects and capturing initial user sessions. These "serverless" functions allow attackers to run code at the network edge, which significantly reduces the digital footprint of the attack. Because the traffic flows through Cloudflare's trusted IP ranges, it is far less likely to be blocked by standard network security tools. This gives the campaign a layer of "built-in" reputation that aids in bypassing automated defensive filters.
Once a victim engages with the phish, the captured session data is redirected to infrastructure hosted on the Railway platform-as-a-service (PaaS). Railway is designed to help developers deploy applications quickly, but the attackers have turned it into a sophisticated "credential harvesting engine," according to Huntress researchers. This engine is responsible for the heavy lifting, including the automated seizure of Microsoft 365 accounts. Using such a robust PaaS offering ensures that the attackers have the uptime and scalability needed for a global campaign.
The strategic choice of these platforms is primarily about evading detection from traditional security filters. Most cybersecurity products are programmed to flag traffic from domains with no history or known malicious associations. However, because Cloudflare and Railway host thousands of legitimate business applications, security vendors cannot simply block them without causing widespread disruption. This allows the attackers to hide their malicious activity in plain sight among legitimate cloud solutions.
Automating Account Seizure and Filter Evasion
Automation is at the heart of the Railway-based engine, allowing the attackers to scale their efforts with minimal manual intervention. The infrastructure is programmed to interact directly with Microsoft's APIs to finalize the token acquisition as soon as a victim authenticates. This immediate, programmatic response means that the window for manual intervention by an internal IT team is incredibly small. For local organizations, this highlights the importance of having a proactive managed IT strategy that monitors for these specific API interactions.
By utilizing these reputable PaaS and worker platforms, the threat actors effectively outsource their hosting stability and reputation management. They leverage the same enterprise-grade tools that legitimate developers use to ensure their harvesting engine is always available. This shift in tactics shows a high level of maturity in how these campaigns are structured. The focus is no longer just on the initial "lure" but on the resilience and speed of the backend infrastructure used to process stolen data.
The use of such modern infrastructure also makes attribution and takedown efforts much more difficult for security researchers. When malicious code is buried within legitimate cloud services, identifying and isolating the specific "worker" or "container" requires deep forensic analysis. This technical complexity ensures the campaign remains operational even as individual elements of the phish are identified. This architectural resilience is why the stolen access tokens represent such a long-term threat to organizational security.
The Persistence Problem: Why Password Resets Are Ineffective
Most Australian business owners are taught that the first line of defense after a potential breach is an immediate password reset. While this is sound advice for traditional credential theft, it fails to address the unique threat posed by device code phishing. This specific campaign is described by researchers at Huntress as "insidious" because it bypasses the security layer that passwords typically provide.
When a victim completes the authentication process, the system generates a set of OAuth tokens rather than just verifying a password. These tokens do not reside on the user's computer in a way that is easily cleared by changing a login or clearing a cache. Instead, they live at the Microsoft OAuth token API endpoint, remaining fully accessible to the attacker who initiated the initial request.
The Failure of Standard Remediation
In a standard phishing scenario, changing a password locks the attacker out by invalidating their ability to log in again. However, with this specific OAuth abuse, the stolen tokens remain valid even after the account's password is reset. This persistent nature allows threat actors to maintain control over Microsoft 365 identities long after the initial breach occurred.
This technical nuance is a significant hurdle for organizations relying on legacy cybersecurity protocols. If an IT manager assumes a password reset has solved the problem, they may leave an active backdoor open for weeks or months. The attacker continues to have the same level of access as the legitimate user without ever needing to know the new password.
Why OAuth Tokens Create Long-Term Risk
The tokens retrieved by the attacker belong to anyone who knows which device code was used in the original request. Since the attacker generated the code via a cURL request to the device code login API, they hold the permanent "key" to the session. This means the session remains active and "authenticated" in the eyes of Microsoft's servers, regardless of credential changes.
Because these tokens are designed for devices that may not have traditional browsers, they often have different refresh requirements than standard web sessions. This allows the attacker to silently monitor emails, steal sensitive documents, or move laterally within the network. Without a proactive managed IT strategy, these unauthorized sessions can go undetected until significant damage is done.
Vital Insights for IT Managers
For IT managers across Australia and New Zealand, understanding this mechanic is vital for effective incident response. You cannot rely on automated systems to revoke these tokens simply because a user updated their credentials. Every suspected compromise must be treated as a token-level event rather than a simple password-level event.
Effective remediation must involve the explicit revocation of all active refresh tokens and the termination of all existing sessions for the affected user. Failure to do so means the attacker is still "in the room," even if the front door has a new lock. This persistence is what makes these global campaigns so successful at maintaining long-term access to corporate data.
As these campaigns continue to target local organizations, the focus must shift from reactive password changes to comprehensive identity monitoring. Organizations need to be able to identify when a device code flow was initiated and whether it matches a legitimate business need. Establishing a clear protocol for token management is now a non-negotiable part of modern cloud solutions and enterprise security.
Recognizing the persistent nature of these tokens is the first step in building a more resilient defense against modern identity-based attacks. To fully protect the organization, IT teams must also trace the origins of these attacks and understand the specific groups behind them.
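The token-level remediation this section calls for, as an added example that is not Huntress's or Microsoft's code: it invokes the Microsoft Graph `revokeSignInSessions` action for each affected user, retrying when Graph throttles, and runs offline against a fake transport; the helper names, the sample users and the `post` callable are assumptions, and obtaining the Graph bearer token is left out.

```python
"""Token-level remediation for a suspected device code compromise.

Added example, not Huntress's or Microsoft's code. It calls the Microsoft Graph
`revokeSignInSessions` action for each affected user, which invalidates the user's
refresh tokens and browser sessions. Access tokens already issued keep working until
they expire, so the result says so. The `post` argument is any callable shaped like
requests.post, so the logic runs offline against the fake transport at the bottom;
obtaining the Graph bearer token (an app permitted to revoke sessions) is assumed.
"""
import time

GRAPH = "https://graph.microsoft.com/v1.0"


class RevocationError(Exception):
    pass


def revoke_user_sessions(post, bearer: str, upn: str, max_retries: int = 3) -> dict:
    """POST /users/{upn}/revokeSignInSessions, retrying when Graph throttles (HTTP 429)."""
    url = f"{GRAPH}/users/{upn}/revokeSignInSessions"
    headers = {"Authorization": f"Bearer {bearer}"}
    for attempt in range(1, max_retries + 2):
        resp = post(url, headers=headers)
        if resp.status_code == 429 and attempt <= max_retries:
            time.sleep(float(resp.headers.get("Retry-After", "1")))
            continue
        if resp.status_code == 404:
            raise RevocationError(f"user not found: {upn}")
        if resp.status_code == 429:
            raise RevocationError(f"still throttled after {attempt} attempts: {upn}")
        if resp.status_code not in (200, 204):
            raise RevocationError(f"unexpected HTTP {resp.status_code} for {upn}")
        # v1.0 answers 200 with {"value": true}; treat anything else as unconfirmed.
        if resp.status_code == 200 and resp.json().get("value") is not True:
            raise RevocationError(f"Graph did not confirm revocation for {upn}")
        return {"user": upn, "revoked": True, "attempts": attempt,
                "follow_up": "refresh tokens invalidated; issued access tokens expire on their own"}


def remediate(post, bearer: str, users) -> dict:
    """Revoke for every user in the incident; one failure must not stop the rest."""
    report = {}
    for upn in users:
        try:
            report[upn] = revoke_user_sessions(post, bearer, upn)
        except RevocationError as exc:
            report[upn] = {"user": upn, "revoked": False, "error": str(exc)}
    return report


# Offline stand-in for requests.post, constructed for this example.
class FakeResponse:
    def __init__(self, status_code, body=None, headers=None):
        self.status_code, self._body, self.headers = status_code, body or {}, headers or {}

    def json(self):
        return self._body


def make_fake_post(script: dict):
    """`script` maps a UPN to the ordered responses the fake Graph should return."""
    def post(url, headers=None):
        upn = url.rsplit("/", 2)[1]
        return script[upn].pop(0)
    return post


def demo() -> dict:
    """Constructed incident: one throttled-then-revoked user, one unknown user, one unconfirmed."""
    fake = make_fake_post({
        "alice@example.com": [FakeResponse(429, headers={"Retry-After": "0"}), FakeResponse(200, {"value": True})],
        "ghost@example.com": [FakeResponse(404)],
        "bob@example.com": [FakeResponse(200, {"value": False})],
    })
    return remediate(fake, "BEARER-TOKEN-PLACEHOLDER", ["alice@example.com", "ghost@example.com", "bob@example.com"])
```

Run the same report after the password reset, not instead of it: the reset stops new password sign-ins, the revocation is what ends the existing refresh tokens.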
Attribution and the Evolution of Device Code Attacks
The current wave of attacks targeting Australian Microsoft 365 environments is not an isolated incident. Instead, it represents the latest stage in a year-long evolution of sophisticated phishing techniques. Security researchers at Microsoft and Volexity first documented the use of device code phishing in February 2025. Since then, the method has been refined to better exploit the trust users place in official authentication portals.
This evolution has allowed threat actors to move from simple credential harvesting to complex OAuth token theft. By understanding how these attacks have changed over the last year, IT managers can better prepare their cybersecurity defenses. The transition from a new experimental tactic to a widespread global campaign shows that attackers are finding consistent success with this approach. As these methods mature, they become more difficult for traditional security filters to catch.
The Actors Behind the Activity
Attribution for these campaigns points toward highly organized and resourceful entities. Multiple Russia-aligned threat groups have been linked to these recurring waves of activity. Specifically, groups tracked as APT29 and Storm-2372 are known to have utilized these techniques to compromise high-value targets. These groups are often associated with state-sponsored interests, meaning their methods are professional, persistent, and well-funded.
In addition to these primary actors, several other distinct groups have been identified in the monitoring of this threat. Threat intelligence teams have highlighted the involvement of UNK_AcademicFlare, UTA0304, and UTA0307. The presence of multiple tracked entities suggests that the "playbook" for device code phishing is being shared or simultaneously developed across different cybercriminal networks. For an Australian business owner, this means the threat isn't just coming from one place, but from a variety of global sources.
Global Intelligence and Monitoring
Major threat intelligence teams around the world have been working to document and disrupt these recurring waves of OAuth abuse. Teams at Amazon and Proofpoint have played a critical role in tracking the infrastructure used by these groups. Their research shows that these attacks occur in waves, often testing new redirect methods or hosting platforms to stay ahead of defenders. This constant monitoring is essential for keeping cloud solutions secure against evolving identity-based threats.
The collaborative effort to document these attacks underscores the severity of the problem. By tracking the technical fingerprints of groups like UTA0304 and Storm-2372, researchers can provide the indicators of compromise (IoCs) that businesses need to protect themselves. Relying on professional managed IT support can help local organizations translate this global intelligence into actionable local security policies. Understanding the players involved helps IT departments anticipate the next move in this ongoing cyber battle.
The data gathered by Proofpoint and Amazon highlights that OAuth abuse is no longer a niche exploit. It has become a mainstream tool for professional threat actors seeking persistent access to corporate data. As these groups continue to scale their operations, they are finding new ways to hide their activity within the noise of everyday business traffic. Spotting these patterns requires a deep understanding of how legitimate services can be twisted for malicious purposes.
Identifying Threats within Legitimate Microsoft Services
The primary challenge in detecting this specific phishing campaign lies in its deceptive appearance. Because the attackers utilize the official OAuth device authorization flow, the entire authentication process occurs on legitimate Microsoft domains. This makes the phish appear completely authentic to the end-user, who sees a familiar login interface and a valid security certificate.
Security researchers at Huntress highlight that this technique is particularly "insidious" because it leverages the actual device code authentication flow. This creates a scenario where there is effectively "no reason to suspect anything could be amiss" for the average employee. Traditional cybersecurity training that focuses on spotting unofficial URLs or suspicious domain names is often ineffective against this method.
Shifting the Defensive Focus to OAuth Monitoring
For Australian IT managers, this campaign demonstrates why basic credential security is no longer a sufficient defense. Since the attackers are targeting persistent tokens rather than just passwords, standard monitoring for failed login attempts will not trigger an alert. Organizations must instead shift their focus toward monitoring for unauthorized OAuth token grants within their environments.
These stolen tokens are extremely valuable to threat actors because they live at the OAuth token API endpoint. Once an attacker initiates the process with a cURL request to the device code login API, they simply wait for the victim to authenticate. Once the user enters the code, the resulting tokens belong to anyone who holds that specific device code, granting the attacker full access to the account.
Because these tokens bypass the need for a password, they allow attackers to maintain control over Microsoft 365 identities for extended periods. This persistence makes it vital for administrators to audit their OAuth permissions regularly. Identifying unusual or unexpected token requests is now a critical part of maintaining secure cloud solutions.
Implementing SSE and Proactive API Monitoring
To combat these evolving threats, the adoption of Security Service Edge (SSE) is becoming an essential defense layer. SSE solutions provide the visibility needed to inspect encrypted traffic and identify suspicious interactions with authentication APIs. This allows security teams to detect the initial stages of a device code phish before a user has the chance to authenticate.
Proactive monitoring of device code login API requests can help identify patterns used by threat actors like Storm-2372 or APT29. By flagging high volumes of device code generation requests from unfamiliar sources, IT teams can intervene before a breach occurs. This technical oversight is necessary to protect organizations from Russia-aligned groups that have been linked to these recurring waves of activity.
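The monitoring these two sections describe, as an added example that is not Huntress's or Microsoft's code: it scans Microsoft Entra sign-in log records exported in the Graph `signIn` JSON shape (the `authenticationProtocol`, `status.errorCode` and `location.countryOrRegion` fields) for device code sign-ins and ranks each one against the user's usual sign-in countries; the sample records, the severity scheme and the helper names are constructed for the example.

```python
"""Flag device code sign-ins in exported Microsoft Entra sign-in logs.

Added example, not Huntress's or Microsoft's code. It assumes the logs were exported
as Microsoft Graph `signIn` objects (fields such as authenticationProtocol, ipAddress,
status.errorCode and location.countryOrRegion); the records in SAMPLE_LOG are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: one user completes a device code sign-in from a country that never
# appears in her ordinary sign-ins, one attempt fails, one succeeds from a familiar country.
SAMPLE_LOG = json.dumps({"value": [
    {"id": "1", "createdDateTime": "2026-02-19T08:01:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}, "location": {"countryOrRegion": "AU"}},
    {"id": "2", "createdDateTime": "2026-02-19T08:05:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}, "location": {"countryOrRegion": "DE"}},
    {"id": "3", "createdDateTime": "2026-02-19T09:12:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.44",  # nonzero errorCode = failed
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "AU"}},
    {"id": "4", "createdDateTime": "2026-02-19T09:30:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.45",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}, "location": {"countryOrRegion": "AU"}},
    {"id": "5", "createdDateTime": "2026-02-19T07:00:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.45",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}, "location": {"countryOrRegion": "AU"}},
]})


def load_signins(text: str) -> list:
    """Accept either a Graph envelope {"value": [...]} or a bare JSON array."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def _succeeded(rec) -> bool:
    return rec.get("status", {}).get("errorCode", 0) == 0


def _country(rec) -> str:
    return (rec.get("location") or {}).get("countryOrRegion", "?")


def baseline_countries(records) -> dict:
    """Countries seen per user in successful sign-ins that did not use the device code flow."""
    seen = defaultdict(set)
    for r in records:
        if _succeeded(r) and r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(_country(r))
    return seen


def find_device_code_alerts(records) -> list:
    """One alert per device code sign-in. Every successful one is reported, because the flow
    is rare in an office tenant; it becomes 'high' when the source country is not in the
    user's baseline. Failed attempts stay at 'info' so a lure that did not land is visible."""
    baseline = baseline_countries(records)
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, country = r["userPrincipalName"], _country(r)
        if not _succeeded(r):
            severity = "info"
        elif country not in baseline.get(user, set()):
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"id": r["id"], "user": user, "ip": r.get("ipAddress"), "country": country,
                       "app": r.get("appDisplayName"), "time": r["createdDateTime"], "severity": severity})
    rank = {"high": 0, "medium": 1, "info": 2}  # worst first, then chronological
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["time"]))
```

A 'medium' alert still deserves a call to the user, since the attacker's relay can sit in the same country as the victim.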
Heightened Awareness for the Australian Microsoft 365 Community
As the campaign continues to scale globally, reaching over 340 organizations across five countries, heightened awareness is required for all Australian Microsoft 365 users. The campaign is accelerating, and the deceptive nature of the attack means that even tech-savvy employees can be misled. Security teams should prioritize internal communications that explain exactly how these device code prompts can be weaponized.
Employees should be instructed that any unexpected request to enter a code on a Microsoft login page is a high-risk event. In an environment where attackers use reputable platforms like Cloudflare and Railway to hide their tracks, the human element remains a vital line of defense. Organizations must remain vigilant as threat actors continue to refine these identity-based exploits to bypass traditional security filters.
Building a resilient defense against these persistent identity threats requires a nuanced understanding of how attackers manipulate legitimate infrastructure for malicious ends.
Sources
- https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html
- https://www.reddit.com/r/pwnhub/comments/1s3ejah/device_code_phishing_impacting_340_microsoft_365/
- https://www.infosecurity-magazine.com/news/oauth-phishing-campaigns/
- https://www.paubox.com/blog/phishing-campaigns-abuse-oauth-device-codes-to-access-microsoft-accounts
- https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover
- https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/
