
Hackers Hijack Microsoft Entra Accounts via Device Code Phishing - WinBuzzer





Russia-linked hackers have hijacked Microsoft Entra accounts by abusing the OAuth 2.0 device code flow to bypass MFA, with Storm-2372 leading active campaigns.

By Markus Kasanmascheff, February 20, 2026, 3:52 pm CET

TL;DR

Active Campaign: Russia-linked threat actors, including Storm-2372, are hijacking Microsoft Entra enterprise accounts by abusing the legitimate OAuth 2.0 device authorization flow to bypass MFA.

Attack Method: Attackers trick victims into entering attacker-generated device codes on Microsoft's real login portal, capturing access and refresh tokens that persist even after password resets.

Widening Threat: Open-source phishing toolkits such as SquarePhish2 and Graphish have lowered the technical barrier, enabling even low-skilled actors to conduct these campaigns at scale.

Defense: Microsoft and Volexity recommend blocking device code authentication via Conditional Access policies, and organizations with no legitimate need can disable the flow entirely through PowerShell.

Hackers are hijacking Microsoft enterprise accounts by abusing a legitimate device-code authentication feature, tricking victims into entering attacker-generated codes on Microsoft's own login portal. The technique exploits the OAuth 2.0 device authorization flow, designed for devices such as smart TVs and gaming consoles, to bypass traditional phishing defenses.

Victims receive phishing emails that falsely present device codes as one-time passwords. Once a code is entered, attackers gain full access to the Microsoft 365 account, enabling persistent credential theft across enterprise environments. According to Microsoft Threat Intelligence, the Russia-linked Storm-2372 threat actor has been conducting these campaigns.

How the Attack Works

Device-code phishing campaigns exploit Microsoft Entra ID's legitimate authentication workflow for limited-input devices.
Attackers initiate an OAuth device authorization request, which generates a paired device code and user code. They send phishing emails from lure infrastructure that includes spoofed Google domains and fake SharePoint subdomains. Victims receive Cloudflare Worker links mimicking OneDrive pages, with instructions to enter the provided code. When a victim enters the code at Microsoft's device code login URL, the service issues an access token that the actors can retrieve to take control of the victim's account.

Proofpoint researchers explained that once the code is entered, the original token request is validated, giving attackers access to the targeted M365 account. Attackers then capture both the access token and the refresh token, enabling persistent account control. According to Microsoft Threat Intelligence, attackers use the tokens to reach email, cloud storage, and other services without needing passwords. Captured refresh tokens can remain valid even after victims change their passwords, maintaining attacker access indefinitely.

Campaigns target government and defense sectors across Europe, North America, Africa, and the Middle East. The attack maps to T1566.004, T1528, and T1550.001 in the MITRE ATT&CK framework.

Why Traditional Defenses Fail

Device-code phishing evades conventional email security because messages can omit malicious links and attachments entirely. Attackers provide a simple alphanumeric code and direct victims to Microsoft's legitimate portal. Security researchers highlighted the fundamental challenge, as Proofpoint put it: "Traditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal."

URL-checking defenses fail because the authentication portal is genuinely operated by Microsoft.
Email filters that scan for suspicious links cannot flag messages containing only text instructions and an alphanumeric code.

Threat Actor Attribution

Beyond the technical mechanics, understanding who conducts these attacks reveals their strategic significance. Multiple Russia-aligned threat actors have adopted device-code phishing since at least August 2024, according to security researchers. The campaign, active since August 2024, represents a major operational pivot for state-aligned actors, with Russia-aligned clusters as the primary adopters.

Proofpoint tracks a suspected Russia-aligned actor as UNK_AcademicFlare, which has continued its activity since September 2025. The group uses compromised government and military email accounts to establish trust with targets across government, think tanks, higher education, and transportation sectors in the U.S. and Europe. Compromised accounts let the attackers conduct benign outreach and rapport-building tied to targets' areas of expertise, ultimately arranging fictitious meetings or interviews that deliver the phishing payload.

Beginning in October 2025, the TA2723 threat actor used salary and benefits lures in device code phishing campaigns. Proofpoint has tracked state-aligned actors abusing OAuth device code authorization since January 2025, with campaigns surging since September 2025.

The rapid adoption across multiple threat groups signals an operational shift in state-sponsored espionage. While defenders invested billions in MFA infrastructure and email security, adversaries needed only to redirect users to Microsoft's legitimate authentication portal with a simple code. This economic asymmetry explains why independent threat actors adopted the technique simultaneously.

Advanced Escalation Tactics

Some operators have pushed the technique beyond basic account compromise.
Storm-2372 has evolved the attack by using the Microsoft Authentication Broker client ID to obtain refresh tokens capable of registering actor-controlled devices directly in Entra ID. This escalation lets attackers obtain a Primary Refresh Token (PRT), granting deep access to organizational resources. With a PRT, attackers bypass standard authentication checks and establish persistence that survives password resets and security audits.

Microsoft Threat Intelligence documented how Storm-2372 captures the access and refresh tokens generated during the device-code flow. The tokens provide cross-service access, enabling lateral movement across Microsoft 365 services including email, SharePoint, OneDrive, and Teams without requiring additional authentication. Attackers can maintain persistent access for weeks or months, exfiltrating sensitive data, monitoring communications, and establishing backdoors for future operations.

Organizations implementing zero-trust frameworks face residual risk from authentication-layer compromises that inherit permissions across federated services. Security monitoring tools often fail to detect these intrusions, so a single successful phishing attempt can translate into months of undetected access that survives standard remediation.

Campaign Infrastructure

Accessible tooling has also lowered the barrier to conducting these attacks. Proofpoint identified two publicly available frameworks used in the October 2025 wave: SquarePhish2 and Graphish. Both have made device-code phishing available to a wider range of operators. As Proofpoint put it: "Similar to SquarePhish, the [Graphish] tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns."

The open-source tools automate the OAuth device-code request process, template generation, and token harvesting.
Attackers can deploy complete phishing infrastructure in hours rather than weeks, substantially lowering operational costs and technical barriers.

Prior Coverage and Evolving Threats

The campaign builds on a year-long pattern of OAuth exploitation. As WinBuzzer previously reported in December 2025, attackers have been weaponizing the legitimate device code flow to bypass MFA protections in Microsoft 365 environments. Device-code phishing is the latest evolution in OAuth abuse campaigns that have targeted enterprise cloud platforms throughout 2025. Earlier Salesforce-focused campaigns began in June 2025 and affected hundreds of organizations, including Google, Qantas, Cloudflare, Zscaler, and Tenable.

This method has proved far more effective than years of traditional social-engineering and spear-phishing attacks by the same threat actors. Despite improved email security, MFA adoption, and user awareness training, attackers continue adapting by targeting authentication mechanisms designed to improve user experience.

Defense Strategies and Mitigation

Organizations can defend against device-code phishing through several Microsoft Entra ID configuration changes. Security firms recommend Conditional Access policies that block the device code flow or allow-list only approved users and IP ranges. Volexity recommends prohibiting device code authentication through Conditional Access as the primary effective defense. Microsoft recommends blocking the device code flow wherever possible, using Conditional Access policies to enforce the restriction.

Security teams should immediately audit Azure AD sign-in logs for anomalous device code authentication events, looking for geographically inconsistent access patterns, unusual device registrations, or authentication requests from unfamiliar applications.
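The following script is an added example, written for this archived article; it is not code from WinBuzzer, Microsoft, Proofpoint or Volexity. It shows the sign-in log audit described above as working detection logic, and also covers the earlier point that captured refresh tokens outlive a password reset. The field names (authenticationProtocol, originalTransferMethod, appId, isInteractive, location.countryOrRegion, createdDateTime) follow the Microsoft Graph signIn resource as I understand it; the records, users, IP addresses, app ids and the password-reset timestamp are all constructed placeholders, and the "approved app" id is a stand-in for whatever device-code client a tenant actually permits.

```python
"""Triage Entra sign-in records for device-code abuse (added example).

Not code from WinBuzzer, Microsoft, Proofpoint or Volexity. Field names
follow the Microsoft Graph `signIn` resource as the author understands it.
All records, app ids and users below are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set, Tuple

# Placeholder id for the one app this tenant is assumed to allow to use the
# device code flow (e.g. a meeting-room device). Not a real Microsoft client id.
APPROVED_DEVICE_CODE_APPS: Set[str] = {"00000000-0000-0000-0000-00000000000b"}

# Constructed records: alice's normal mail client (r1), an interactive
# device-code sign-in by an unknown app from another country (r2), a
# non-interactive token use after her password reset (r3), and bob's
# legitimate device-code sign-in by the approved app (r4).
SAMPLE_SIGNINS: List[dict] = [
    {"id": "r1", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2026-02-18T08:00:00Z", "isInteractive": True,
     "authenticationProtocol": "oAuth2", "originalTransferMethod": "none",
     "appId": "00000000-0000-0000-0000-00000000000a",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"}},
    {"id": "r2", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2026-02-18T09:05:00Z", "isInteractive": True,
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow",
     "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NL"}},
    {"id": "r3", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2026-02-19T10:00:00Z", "isInteractive": False,
     "authenticationProtocol": "none", "originalTransferMethod": "deviceCodeFlow",
     "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NL"}},
    {"id": "r4", "userPrincipalName": "bob@example.com",
     "createdDateTime": "2026-02-18T11:00:00Z", "isInteractive": True,
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow",
     "appId": "00000000-0000-0000-0000-00000000000b",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "DE"}},
]

# Constructed: when the help desk reset alice's password after she reported the mail.
PASSWORD_RESETS: Dict[str, datetime] = {
    "alice@example.com": datetime(2026, 2, 19, 9, 0, tzinfo=timezone.utc),
}


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps the sign-in log uses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_device_code(rec: dict) -> bool:
    """True if the session originated from the device authorization grant."""
    return (rec.get("authenticationProtocol") == "deviceCode"
            or rec.get("originalTransferMethod") == "deviceCodeFlow")


def triage(records: Iterable[dict], approved_apps: Set[str],
           password_resets: Dict[str, datetime],
           travel_window: timedelta = timedelta(hours=2)) -> List[Tuple[str, str]]:
    """Return sorted (record id, reason) pairs for device-code sessions worth a look.

    unapproved_app       - device code flow used by an app not on the allow-list
    geo_inconsistent     - country differs from the user's previous sign-in
                           within travel_window (a crude impossible-travel test)
    post_reset_token_use - non-interactive (refresh-token) use after the user's
                           password reset, i.e. the reset did not end the session
    """
    findings: List[Tuple[str, str]] = []
    by_user: Dict[str, List[dict]] = {}
    for rec in records:
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)

    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["createdDateTime"]))
        reset_at = password_resets.get(user)
        prev = None
        for rec in recs:
            when = parse_time(rec["createdDateTime"])
            if is_device_code(rec):
                if rec.get("appId") not in approved_apps:
                    findings.append((rec["id"], "unapproved_app"))
                if prev is not None:
                    moved = prev["location"]["countryOrRegion"] != rec["location"]["countryOrRegion"]
                    if moved and when - parse_time(prev["createdDateTime"]) < travel_window:
                        findings.append((rec["id"], "geo_inconsistent"))
                if reset_at is not None and when > reset_at and not rec.get("isInteractive", True):
                    findings.append((rec["id"], "post_reset_token_use"))
            prev = rec
    return sorted(findings)


def users_to_revoke(records: Iterable[dict], findings: List[Tuple[str, str]]) -> Set[str]:
    """Users whose sessions should be revoked: any finding other than a bare
    allow-list miss means a token is likely already in someone else's hands."""
    flagged_ids = {rid for rid, reason in findings if reason != "unapproved_app"}
    return {r["userPrincipalName"] for r in records if r["id"] in flagged_ids}


if __name__ == "__main__":
    found = triage(SAMPLE_SIGNINS, APPROVED_DEVICE_CODE_APPS, PASSWORD_RESETS)
    for rid, reason in found:
        print(f"{rid}: {reason}")
    print("revoke sessions for:", sorted(users_to_revoke(SAMPLE_SIGNINS, found)))
```

On the constructed data, r2 is flagged for both an unapproved app and a country change 65 minutes after the user's previous sign-in, and r3 is flagged because a non-interactive refresh of the same session continues after alice's password reset, which is exactly the persistence the article describes. A password reset alone does not invalidate an already-issued refresh token, so for the users this returns the follow-up is to revoke their sign-in sessions (the Graph revokeSignInSessions action) and then review what the token was used for. The country comparison is deliberately simple; in a real tenant, Entra ID Protection's risk detections are a better signal, and this script would read records exported from the sign-in log rather than an inline list.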
Organizations with no legitimate need for device-code authentication can disable the flow entirely using the PowerShell command:

Update-MgPolicyAuthorizationPolicy -AllowedToUseDeviceCodeFlow $false

Home users are generally low-risk, as personal Microsoft accounts typically do not use enterprise device code workflows. Consumer accounts lack the organizational context and permissions that make enterprise accounts valuable targets. The campaigns specifically focus on organizations with valuable intellectual property, government access, or infrastructure control.

Organizations that require device-code authentication for legitimate use cases should implement strict Conditional Access policies limiting the feature to specific applications, devices, and network locations. Multi-layered defenses, including regular token audits, anomaly detection on authentication patterns, and user education about device-code phishing tactics, can reduce exposure while maintaining operational flexibility.

Device-code phishing campaigns demonstrate how threat actors increasingly exploit legitimate platform features rather than technical vulnerabilities. Attackers weaponize authentication mechanisms designed to improve user experience, even as organizations implement stronger phishing defenses and widespread MFA adoption. The persistence enabled by Primary Refresh Tokens creates an asymmetric challenge: a single successful phishing attempt can grant months of undetected access. Future defenses will require behavioral analysis, anomaly detection, and policy enforcement at the authentication token level. Organizations cannot rely solely on users to distinguish legitimate requests from sophisticated social engineering.