Phishing Campaigns Exploit Microsoft 365 OAuth Flows in Widespread Account Takeover Attacks

SquarePhish2 and Graphish phishing toolkits are exploiting Microsoft 365 OAuth flows to bypass MFA and compromise enterprise accounts.

The OAuth Heist: Cybercriminals Weaponize Microsoft's Own Security to Bypass MFA

Dateline: January 29, 2026

A new threat intelligence report reveals the DNS infrastructure behind the SquarePhish2 and Graphish campaigns targeting enterprise Microsoft 365 accounts.

A growing number of sophisticated phishing attacks exploit Microsoft 365's legitimate OAuth device code authorization flow, enabling threat actors to get around two-factor authentication and compromise enterprise accounts at scale, according to a new executive threat report released today.

What Happened?

These campaigns abuse Microsoft's OAuth 2.0 device authorization grant flow, a legitimate feature designed for input-constrained devices such as smart TVs and IoT devices. The attacks trick users into authorizing malicious applications by entering device codes on Microsoft's genuine authentication pages, making them nearly impossible to detect with standard phishing filters.

The Tools: SquarePhish2 and Graphish Lower the Barrier

Two phishing toolkits are driving the surge in these attacks:

SquarePhish2, an advanced version of a tool originally published by Dell SecureWorks in 2022, automates the entire OAuth device grant authorization flow. The toolkit integrates QR code functionality, can automatically redirect users to verification pages, and even sends follow-up emails containing verification codes to reinforce the illusion of legitimate multi-factor authentication. Security researchers note that SquarePhish2's user-friendly configuration requires little technical expertise, putting sophisticated attacks within reach of a wider range of threat actors.

Graphish, shared for free on vetted criminal hacking forums, represents an even more dangerous evolution. The malicious toolkit enables cyberattackers to create convincing phishing pages by using Azure App Registrations and reverse proxy setups. It supports adversary-in-the-middle (AiTM) attacks and can bypass organizational restrictions by verifying malicious applications with Azure, which increases success rates against enterprise accounts.

The Threat Actors: From Cybercriminals to Nation-States

The campaigns involve both financially motivated cybercriminals and state-aligned actors, demonstrating the technique's appeal across the threat landscape.

TA2723, a financially motivated high-volume credential phishing actor previously known for spoofing Microsoft OneDrive, LinkedIn, and DocuSign, began using OAuth device code phishing in October 2025. The group's campaigns used salary-themed lures with messages such as "OCTOBER_SALARY_AMENDED" and "Salary Bonus + Employer Benefits Reports 25" to entice victims to click malicious URLs.

Security researchers observed TA2723 using SquarePhish2 in early October campaigns (October 6-8), with later waves (October 9-10) potentially shifting to Graphish, showing how rapidly the group adopts and evolves its tooling.

UNK_AcademicFlare, an unknown Russia-aligned threat actor tracked since September 2025, has been using malicious government and military email accounts to build rapport with targets before launching device-code phishing attacks. The group primarily targets government, academic, think tank, and transportation sectors in the US and Europe.

UNK_AcademicFlare's approach is highly sophisticated: the actors conduct outreach from multiple accounts and arrange fictitious meetings or interviews before sharing links to Cloudflare Workers that spoof OneDrive accounts. This multi-stage social engineering increases the success rate of breaches.

The Impact: Account Takeover and Beyond

Successful compromise of Microsoft 365 accounts enables threat actors to conduct extensive follow-on activities:

  • Account takeover: Total control over victim email accounts and all other services
  • Data exfiltration: Access to private communications, documents, and intellectual property
  • Lateral movement: Using compromised credentials to access additional systems and accounts
  • Persistent access: OAuth refresh tokens provide long-term access without triggering additional authentication prompts
  • Business email compromise: Leveraging compromised accounts for financial fraud or further phishing campaigns

DNS Infrastructure Reveals Attack Scale

The newly released executive threat report provides expanded indicators of compromise (IoCs) and DNS signals that defenders can use to detect and block these attacks. The DNS infrastructure analysis shows the scope and sophistication of the campaigns' command-and-control networks.

Security teams are urged to download the full threat intelligence report to access detailed DNS indicators that can be incorporated into defensive strategies. These early signals enable organizations to identify malicious infrastructure before attacks reach end users.

Defensive Measures: Restricting OAuth Device Flows

Security experts recommend immediate action to protect against these attacks:

  • Implement Conditional Access Policies
  • Restrict to Managed Devices
  • Limit by Location and Context
  • Review Application Registrations
  • User Education
  • Monitor OAuth Activity
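As an added example (not code from the report or from the toolkits it describes), the following Python flags device-code sign-ins in Entra ID sign-in log records and escalates those from unmanaged devices or outside the organisation's usual countries, which is the combination the Conditional Access recommendations above would block. The records and the allowed-country list are constructed, and the field names are assumed to follow the Microsoft Graph signIn resource.

```python
import json
from typing import Iterable

# Constructed sample records in the shape of Entra ID sign-in log entries
# (field names assumed from the Graph signIn resource; values are made up).
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-10-07T09:12:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"NL"},"deviceDetail":{"isManaged":false,"isCompliant":false}}
{"createdDateTime":"2025-10-07T09:15:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.5","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true,"isCompliant":true}}
{"createdDateTime":"2025-10-07T09:20:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true,"isCompliant":true}}
""".strip()

# Assumption: countries from which this organisation's users normally sign in.
ALLOWED_COUNTRIES = {"US"}


def parse_signins(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_findings(records: Iterable[dict]) -> list[dict]:
    """Return one finding per device-code sign-in, with a severity.

    Every device-code sign-in deserves review; one from an unmanaged device or
    an unexpected country is escalated to high, since a legitimate device-code
    login from a managed device in a usual location is far less suspicious.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        device = rec.get("deviceDetail", {})
        country = rec.get("location", {}).get("countryOrRegion")
        reasons = []
        if not device.get("isManaged"):
            reasons.append("unmanaged device")
        if country not in ALLOWED_COUNTRIES:
            reasons.append(f"sign-in from {country}")
        findings.append({
            "user": rec.get("userPrincipalName"),
            "app": rec.get("appDisplayName"),
            "time": rec.get("createdDateTime"),
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in device_code_findings(parse_signins(SAMPLE_SIGNINS)):
        detail = "; ".join(f["reasons"]) or "device code flow used"
        print(f["severity"].upper(), f["user"], f["app"], detail)
```

In production the same logic would run over a SigninLogs export or a Graph query filtered on authenticationProtocol, with the escalation criteria tuned to the organisation's own device and location baseline.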

Looking Ahead

Many researchers expect the abuse of OAuth authentication to grow, particularly as organizations adopt FIDO-compliant MFA controls. The shift toward passwordless authentication, while enhancing security in many respects, creates new attack vectors that seasoned threat actors are prepared to exploit.

The widespread availability of tools like SquarePhish2 and Graphish, combined with their ease of use, suggests that OAuth device-code phishing will remain a persistent threat. Organizations that haven't yet addressed this attack vector face a significant risk of compromise.