The attacker gains full access using Microsoft's own process turned inside out
Since January 2025, threat actors aligned with Russia and China have been quietly turning Microsoft's own authorization infrastructure against its users, exploiting a legitimate sign-in process designed for convenience into a doorway for espionage. The method — device code phishing — requires no malware, no zero-day vulnerability, only the reliable human tendency to trust what looks official. That multiple nation-states are now deploying this technique at scale suggests not a leap in technical sophistication, but something perhaps more sobering: the discovery that patience and social engineering outperform complexity.
- State-aligned hackers from Russia and China are hijacking Microsoft 365 accounts not through brute force, but by weaponizing Microsoft's own legitimate device authorization flow — a method that leaves almost no fingerprints.
- The attack has surged dramatically since January 2025, spreading from niche red team exercises into widespread coordinated campaigns, signaling that something — possibly a tool sold on hacking forums — has lowered the barrier to entry.
- Victims are tricked into entering what appears to be a routine verification code, the kind encountered daily across the internet, making the deception nearly invisible against the noise of normal digital life.
- Microsoft's Defender tools offer partial detection, but security researchers at Proofpoint warn that technical defenses alone are insufficient — the human instinct to comply with familiar-looking prompts remains the campaign's most reliable exploit.
- Organizations are being urged to block device code flow entirely through conditional access policies, or at minimum restrict it to a narrow allow-list, as the window between attack and account compromise can be measured in seconds.
Hackers with suspected ties to China and Russia are running coordinated campaigns to seize Microsoft 365 accounts — and they're doing it by turning Microsoft's own security infrastructure against its users. The technique is called device code phishing, and its quiet effectiveness is what makes it remarkable.
Researchers at Proofpoint have tracked multiple state-aligned threat clusters abusing OAuth device code authorization since January 2025. Russian-aligned groups are leading the campaigns, with suspected Chinese actors and other unattributed espionage operations using the same method. What's unusual isn't the technique itself — Russian groups had been experimenting with it since August 2024 — but the scale at which nation-state actors are now deploying it simultaneously.
The attack requires no malware and no exotic exploits. A target receives a message containing a link, a button, or a QR code. Following it initiates Microsoft's legitimate device authorization process — a system designed to help users sign in on devices without full keyboards or browsers. The user is presented with a device code and directed to enter it at Microsoft's verification page. It looks indistinguishable from a routine one-time code. The moment they comply, the attacker gains full access to the account. The entire sequence runs on trust and familiarity.
By September 2025, Proofpoint confirmed the campaigns had become widespread enough to demand urgent attention. The scaling may be partly explained by a malicious tool circulating on hacking forums, though red team software capable of facilitating such attacks has existed for some time. The simpler explanation may be that the method works, reliably and at volume.
Microsoft notes that Defender for Office 365 can detect associated phishing components, but Proofpoint's guidance goes further: organizations should implement conditional access policies that block device code flow entirely where possible, permitting it only for specific trusted scenarios. The deeper vulnerability, researchers emphasize, is human — users who would never click a suspicious attachment will enter a code that looks official without a second thought. The attackers are counting on exactly that.
Hackers with suspected ties to China and Russia are running a coordinated campaign to break into Microsoft 365 accounts, and they're doing it using a method that sits somewhere between crude and clever: device code phishing. The technique exploits Microsoft's own legitimate authorization system, turning the company's security infrastructure into a weapon against its users.
Microsoft has long been a magnet for attackers of every stripe, from sophisticated state-sponsored groups to basic credential-stuffing opportunists. When nation-states get involved, you might expect surgical precision and cutting-edge malware. What researchers at Proofpoint have actually found is something more pedestrian but no less effective. Since January 2025, multiple threat clusters aligned with state actors have been abusing OAuth device code authorization to take over accounts. Russian-aligned groups are leading the charge, though suspected Chinese activity and other unattributed espionage campaigns are also using the same vector. The uptick is notable because while device code phishing itself isn't new—Russian groups have been experimenting with it since August 2024—seeing multiple nation-state actors deploy it at scale is unusual.
The attack itself is straightforward enough. A target receives a message containing a URL, hidden behind a button, embedded in a QR code, or just sitting there as a link. Click it, and the device code phishing sequence begins. The attacker leverages Microsoft's legitimate device authorization process, which is designed to let users sign in on devices that lack a full keyboard or browser. The user is shown a device code—either on the landing page or in a follow-up email from the attacker—and told to enter it at Microsoft's verification URL. It looks like a standard one-time code, the kind of thing millions of people enter every day. Once the user complies, the original token validates, and the attacker gains full access to the Microsoft 365 account. No malware required. No zero-day exploits. Just social engineering and a legitimate Microsoft process turned inside out.
Proofpoint's December 18 report confirmed that by September 2025, these campaigns had become widespread—unusual enough to warrant urgent attention from security researchers. The technique had previously been limited to small red team exercises and targeted attacks, but something changed. One possibility is the availability of a malicious application being sold on hacking forums, though the researchers note that red team tools capable of facilitating such attacks have been around for a while. The real driver may simply be that the method works and scales.
Microsoft has responded by noting that Microsoft Defender for Office 365 can detect malicious emails, HTML files, and other components associated with device code phishing. But detection is only part of the answer. Proofpoint's recommendation is more aggressive: organizations should implement conditional access policies that block device code flow for all users where possible, and use an allow-list approach—permitting it only for specific, trusted scenarios—where blocking it entirely isn't feasible. The human element remains the weakest link. Users need to understand that requests to enter two-factor authentication codes, device codes, or any form of verification can be phishing attempts, even when they appear to come from legitimate Microsoft processes. The attackers are betting that most people won't think twice before entering a code that looks official.
Citas Notables
We have tracked multiple state-aligned threat actors abusing OAuth device code authorization for account takeover since January 2025, with Russia-aligned actors most widely using this technique, though suspected China-aligned activity and other unattributed espionage campaigns are also using this attack vector.— Proofpoint threat research team
Organizations should create a conditional access policy that blocks device code flow for all users where possible, and employ an allow-list approach where not.— Proofpoint
La Conversación del Hearth Otra perspectiva de la historia
Why would nation-states bother with something this simple? Wouldn't they have access to more sophisticated tools?
They would, and they do. But this works. It's reliable, it scales, and it doesn't require zero-days or custom malware. When you're trying to compromise hundreds or thousands of accounts, simplicity is an asset.
So the attacker never actually breaks into Microsoft's systems?
No. They're not attacking Microsoft. They're attacking the user. They're using Microsoft's own authorization process as a delivery mechanism. The company's security is working exactly as designed—it's the human on the other end who's the vulnerability.
If Microsoft Defender can detect these attacks, why is the surge still happening?
Detection and prevention aren't the same thing. Defender can flag suspicious emails, but if the user has already clicked the link and entered the code, detection comes too late. The real defense is preventing the device code flow from working in the first place, or making sure users never see the phishing message at all.
What makes this different from regular phishing?
The legitimacy. A typical phishing email tries to trick you into going to a fake login page. This one sends you to a real Microsoft process. The code you're entering is real. The authorization flow is real. The only fake part is the person asking you to do it.
Are individual users at risk, or is this mainly targeting organizations?
Both. But organizations are the real target. A compromised corporate account gives you access to email, files, collaboration tools, and often the internal network. That's why the nation-states are doing this at scale.