New phishing campaign tricks employees into bypassing Microsoft 365 MFA
Attackers trick employees into registering a hacker-controlled device via OAuth device authorization, granting persistent access to Microsoft accounts and bypassing MFA.
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers
UNK_AcademicFlare has used device-code phishing since September 2025 to steal Microsoft 365 credentials and conduct account takeovers targeting government, think tanks, higher education, and transportation.
Russia-linked APT29 ran a watering hole campaign redirecting visitors to attacker-controlled domains to trick users into authorizing devices via Microsoft's device code authentication flow.