Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Summary
An active device code phishing campaign is targeting over 340 Microsoft 365 organizations across five countries, including the U.S., Canada, Australia, New Zealand, and Germany. This campaign, observed since February 19, 2026, utilizes OAuth abuse to compromise user identities.
IFF Assessment
FOE
The campaign's success in compromising Microsoft 365 identities via OAuth abuse poses a direct threat to organizations and their data.
Defender Context
Defenders should be aware of phishing campaigns that exploit OAuth permissions, as these can grant attackers broad access to cloud services. Monitoring for suspicious OAuth app authorizations and educating users about the risks of granting permissions to untrusted applications are crucial mitigation strategies.