Malware And CampaignsCampaign

Device-code phishing OAuth abuse impacting 340+ Microsoft 365 orgs

March 25, 2026The Hacker News, Steven Lim, Nicolas Krassas

The Hacker News and Steven Lim describe a large-scale device-code phishing campaign abusing OAuth device code flows to obtain tokens that remain usable even after password resets.

Open in PulseSee the full expert discussion →

QUOTES

🛑 A device code phishing campaign is hitting 340+ Microsoft 365 orgs using OAuth abuse.

Victims enter codes on real Microsoft pages, generating access and refresh tokens attackers reuse—even after password resets.

A large-scale phishing campaign has impacted more than 340 Microsoft 365 organizations across the U.S., Canada, Australia, New Zealand, and Germany.

The attackers are exploiting device code authentication flows to steal

A device code phishing campaign is hitting 340+ Microsoft 365 orgs using OAuth abuse.

A large-scale phishing campaign has impacted more than 340 Microsoft 365 organizations

VOICES

The Hacker News

Steven Lim

Nicolas Krassas

The Cyber Security Hub™

RELATED TERMS

phishing campaignauth bypassincident responsemicrosoftincident responsephishing campaignauth bypass

OTHER FINDINGS IN MALWARE AND CAMPAIGNS

Handala Hack Telegram threat claiming imminent Lockheed Martin data leak Telnyx PyPI compromise (TeamPCP) shipping malware in telnyx 4.87.1/4.87.2 Coruna iOS exploit framework reusing Operation Triangulation code

AMYGDALA PULSE

See what experts are saying right now

This finding is one of many signals tracked across Cyber Security. The live feed updates every few hours with new expert voices, debates, and emerging ideas.

Open Cyber Security Pulse Browse all topics

← Back to Cyber Security