Attackers are breaking into Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant (RFC 8628), a legitimate sign-in flow that Microsoft Entra ID offers for input-constrained devices such as smart TVs and headless command-line tools. The attacker's client first requests a device code pair from Microsoft, then sends a phishing email with a fake document link that carries the short user code. The victim opens Microsoft's genuine page at https://microsoft.com/devicelogin, types in the code, and completes password and MFA as normal; Microsoft then issues the access and refresh tokens to whichever client requested the code, which is the attacker's.
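The exchange described above, as an added example that is not part of the article and not code from SquarePhish2 or Graphish. The MockAuthServer stands in for Entra ID so the flow runs offline; the endpoint URLs are the real ones for reference only, the client_id is a placeholder, and the victim identity and timings are constructed. The point the simulation makes is that the server never links the person entering the user code to the client that will poll for the token.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628)
as abused in device code phishing. MockAuthServer stands in for Entra ID;
nothing here touches the network. Added example, not the article's code."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Real Entra ID endpoints the flow uses, listed for reference only.
DEVICECODE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# Placeholder client_id (assumption). Real campaigns use a pre-consented
# first-party Microsoft client so the victim never sees a consent prompt.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


class FakeClock:
    """Controllable time source so the example runs without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


@dataclass
class PendingAuth:
    device_code: str
    user_code: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class MockAuthServer:
    """Minimal authorization-server side of RFC 8628."""

    def __init__(self, now, lifetime=900):
        self.now = now              # Entra device codes live about 15 minutes
        self.lifetime = lifetime
        self.by_device = {}
        self.by_user = {}

    def device_authorization(self, client_id, scope):
        """Step 1: the attacker's client asks for a device_code/user_code pair."""
        p = PendingAuth(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9)),
            scope=scope,
            expires_at=self.now() + self.lifetime,
        )
        self.by_device[p.device_code] = p
        self.by_user[p.user_code] = p
        return {"device_code": p.device_code, "user_code": p.user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.lifetime, "interval": 5}

    def user_login(self, user_code, upn):
        """Step 2: the victim enters the user code on the genuine login page and
        completes password and MFA. The server has no idea who holds device_code."""
        p = self.by_user.get(user_code)
        if p is None or self.now() > p.expires_at:
            return False
        p.approved_by = upn
        return True

    def token(self, device_code):
        """Step 3: whoever presents device_code receives the tokens."""
        p = self.by_device.get(device_code)
        if p is None:
            return {"error": "invalid_grant"}
        if self.now() > p.expires_at:
            return {"error": "expired_token"}
        if p.approved_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": p.scope,
                "access_token": f"mock-access-token-for-{p.approved_by}",
                "refresh_token": secrets.token_urlsafe(32)}


def attacker_poll(server, clock, device_code, interval, max_polls):
    """Attacker-side polling loop honouring the RFC 8628 back-off rules."""
    resp = {"error": "authorization_pending"}
    for _ in range(max_polls):
        resp = server.token(device_code)
        err = resp.get("error")
        if err == "authorization_pending":
            clock.t += interval
        elif err == "slow_down":
            interval += 5
            clock.t += interval
        else:
            break
    return resp


def run_phish(victim_clicks, victim_delay=60.0):
    """End-to-end scenario: returns the lure text and the attacker's final token response."""
    clock = FakeClock()
    server = MockAuthServer(now=clock)
    scope = "openid offline_access https://graph.microsoft.com/.default"
    dc = server.device_authorization(CLIENT_ID, scope)
    # The lure carries only the real Microsoft URL and the user code; there is no fake site.
    lure = f"Open the shared document at {dc['verification_uri']} and enter code {dc['user_code']}"
    clock.t += victim_delay                      # victim reads the mail some time later
    if victim_clicks:
        server.user_login(dc["user_code"], "victim@contoso.com")
    token = attacker_poll(server, clock, dc["device_code"], dc["interval"], max_polls=200)
    return {"lure": lure, "token": token}


if __name__ == "__main__":
    print(run_phish(True)["token"])    # tokens for victim@contoso.com
    print(run_phish(False)["token"])   # {'error': 'expired_token'} after ~15 minutes
```

Because the `offline_access` scope is requested, a successful run also yields a refresh token, which is why a single click gives persistent access rather than one short-lived session.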
Two tools drive most of these campaigns: SquarePhish2, which delivers the code through QR codes for large-scale campaigns, and Graphish, which pairs the flow with fake login pages so that both passwords and authentication tokens are captured. By September 2025 the attacks were widespread, with targets ranging from corporate users to government officials.
Because the victim authenticates on Microsoft's genuine login page, with no spoofed site and no harvested password, URL reputation, credential-phishing detection and MFA all fail to stop it. Detection has to come from the identity layer instead: Entra ID sign-in logs record the flow as a device code authentication, so a successful device code sign-in from an unfamiliar IP address or client application is the signal to hunt for, and Conditional Access can block the device code flow outright for users who have no need of it.
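One way to hunt for this in sign-in data, as an added example that is not from the article. It runs over constructed Entra ID sign-in records in the Microsoft Graph `signIn` shape (the `authenticationProtocol` field is `deviceCode` for this flow); the sample events, the user names and the allow-list of apps permitted to use the flow are all assumptions to be tuned per tenant.

```python
"""Hunt for suspicious device code sign-ins in Entra ID sign-in records
(Microsoft Graph signIn objects, one per line). The sample events are
constructed for this example; added code, not from the article."""
import json
from collections import defaultdict

# Constructed sample: alice is phished from a new IP, bob uses Azure CLI from
# his usual IP, carol fails once then succeeds from an IP with no history.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-09-02T08:01:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-09-02T08:05:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-09-02T09:12:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Office","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-09-02T09:30:00Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.22","appDisplayName":"Microsoft Azure CLI","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-09-02T09:31:00Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.22","appDisplayName":"Microsoft Azure CLI","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-09-02T10:02:00Z","userPrincipalName":"carol@contoso.com","ipAddress":"192.0.2.99","appDisplayName":"Microsoft Office","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
{"createdDateTime":"2025-09-02T10:04:00Z","userPrincipalName":"carol@contoso.com","ipAddress":"192.0.2.99","appDisplayName":"Microsoft Azure CLI","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""

# Apps the organisation has agreed may use the device code flow (assumption; tune per tenant).
ALLOWED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def parse_signins(ndjson):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def detect_device_code_signins(events, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Flag successful device code sign-ins that come from an IP the user has
    never used in an ordinary (non-device-code) sign-in, or from an app that
    is not approved for the flow. Returns a list of alert dicts."""
    baseline_ips = defaultdict(set)
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode" and e["status"]["errorCode"] == 0:
            baseline_ips[e["userPrincipalName"]].add(e["ipAddress"])

    alerts = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode" or e["status"]["errorCode"] != 0:
            continue                      # only successful device code sign-ins matter
        upn = e["userPrincipalName"]
        reasons = []
        if e["ipAddress"] not in baseline_ips[upn]:
            reasons.append("ip has no prior non-device-code sign-in for this user")
        if e.get("appDisplayName") not in allowed_apps:
            reasons.append("app not approved for device code flow")
        if reasons:
            alerts.append({"time": e["createdDateTime"], "user": upn,
                           "ip": e["ipAddress"], "app": e.get("appDisplayName"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

On the sample this raises two alerts (alice, carol) and stays silent on bob, whose device code sign-in is from a known IP with an approved app. The same logic ports directly to a scheduled query against the tenant's sign-in logs; the preventive counterpart is a Conditional Access policy that uses the "Authentication flows" condition to block the device code flow for everyone who is not on the allow-list.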
Source: Cybersecurity News