NEWS: Got an email about a salary increase? Congratulations, you have most likely been hacked

pinkman

Hackers have invented a phishing scheme in which the victim hacks themselves.
Fraudsters and state-affiliated hacker groups have begun to widely use a new scheme for stealing Microsoft 365 accounts. Instead of stealing passwords, the attackers convince the victim to grant access to the account themselves through the official Microsoft authorization mechanism. The attack uses links, QR codes and fake notifications about documents, bonuses or security checks.

Proofpoint experts reported that since September 2025 the number of such campaigns has increased dramatically. Previously, attacks using so-called device codes were rare and were mainly used in targeted operations. Now the scheme is used by several groups at once, including the financially motivated TA2723 and suspected cyber spies associated with China.

The attack is built around the OAuth Device Code Flow, a mechanism Microsoft created for signing in on devices with limited input capabilities, for example TVs or consoles. The user receives a special code and enters it on the official Microsoft page to confirm the login. After confirmation, the service issues an access token.

The attackers have learned to use this procedure for their own purposes. The victim receives an email with a link, button or QR code. The message may be disguised as a notification of a new document, a bonus, corporate benefits or a request for re-authorization. After clicking through, the user lands on a fake site, where they are given the code and then enter it on the genuine Microsoft portal. As a result, the attacker receives access to the account.

One of the most notable campaigns was a mailing with the subject “Salary Bonus + Employer Benefit Reports 25”. Users were promised a document with information about bonuses and benefits. The link in the email led to the attackers' site, styled to look like the victim company's corporate portal. After entering their email address, the visitor was shown a window with a “multi-factor authentication code” and redirected to the microsoft.com/devicelogin page. Entering the code actually handed control of the Microsoft 365 account to the fraudsters.

The group TA2723 used a similar scheme in October 2025. Victims were sent emails about an allegedly updated salary statement. After clicking the button to open the document, the user landed on a page that generated a one-time code and was then redirected to the official Microsoft service to confirm access.

For such attacks, attackers actively use ready-made tools. Among them, experts have singled out the SquarePhish2 and Graphish toolkits. The first helps automate phishing campaigns with QR codes and Microsoft device authorization codes. The second allows you to create fake login pages and intercept user sessions through a reverse proxy server.

Of particular concern to Proofpoint is the growing activity of state-associated groups. Since January 2025, experts have recorded numerous cyber espionage campaigns using the device code phishing scheme.

Proofpoint tracks one of these groups under the name UNK_AcademicFlare. Since September 2025, the attackers have used compromised mailboxes of government and military organizations to contact universities, think tanks and transport companies in the United States and Europe. First, the victim was sent a harmless email and engaged in correspondence on professional topics, and later offered a document to read at a link. The link led to a fake OneDrive service hosted via Cloudflare Workers, where the user was asked to copy the code and confirm the login through the official Microsoft portal.

After a successful attack, attackers get full access to the Microsoft 365 mail and data. From there the following become possible: theft of documents, gaining a foothold in the company's infrastructure, lateral movement across the internal network and new attacks on behalf of the compromised user.

Proofpoint believes that the popularity of such schemes will continue to grow, especially as companies move to passwordless authentication and FIDO-based sign-in methods. The company recommends, where possible, completely disabling authorization through the device code flow, limiting the list of authorized devices and additionally training employees not to enter authorization codes received in emails or messages from unknown senders.
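The two defensive points the article makes, spotting device-code sign-ins in the logs and disabling the flow, can both be checked mechanically. The script below is an added example for this post, not code from the article, Proofpoint or Microsoft. It assumes the Microsoft Graph sign-in log schema (fields authenticationProtocol, ipAddress, userPrincipalName, createdDateTime, status.errorCode) and the Conditional Access authenticationFlows.transferMethods condition; the log records, the corporate IP range and the policy are all constructed sample data.

```python
"""Flag device-code sign-ins in Microsoft Entra sign-in logs and verify that a
Conditional Access policy blocks the device code flow.

Added example, not code from the article, Proofpoint or Microsoft. Assumes the
Microsoft Graph signIn schema (authenticationProtocol, ipAddress,
userPrincipalName, createdDateTime, status.errorCode) and the Conditional Access
authenticationFlows.transferMethods condition. All data below is constructed."""
import ipaddress
import json

# Constructed sign-in records: one ordinary OAuth2 login and three device-code
# logins (one from a corporate range, one external, one failed).
SAMPLE_SIGNIN_LOGS = json.dumps([
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.10", "createdDateTime": "2025-10-01T08:00:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "createdDateTime": "2025-10-01T09:12:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.22", "createdDateTime": "2025-10-01T09:40:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.9", "createdDateTime": "2025-10-01T10:05:00Z",
     "status": {"errorCode": 50126}},  # failed attempt, still worth seeing
])

# Constructed corporate egress ranges (assumption: an allowlist you maintain).
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_signin_logs(text):
    """Parse a JSON array of sign-in records as exported from Graph."""
    return json.loads(text)


def device_code_alerts(records, corporate_ranges=CORPORATE_RANGES):
    """Return one alert per device-code sign-in, most severe first.

    A successful device-code login from outside corporate ranges is 'high';
    from inside it is 'medium' (still unusual unless the org really uses the
    flow for meeting-room hardware); failed attempts are kept as 'low'."""
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        external = not any(ip in net for net in corporate_ranges)
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if not succeeded:
            severity = "low"
        elif external:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "time": rec["createdDateTime"],
            "severity": severity,
            "succeeded": succeeded,
        })
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: order[a["severity"]])


# Constructed Conditional Access policy in the Graph representation: blocks the
# device code flow for all users and all apps. transferMethods is treated as a
# comma-separated string (assumption based on the Graph flagged-enum encoding).
SAMPLE_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def policy_blocks_device_code(policy):
    """True only if the policy is enabled, targets deviceCodeFlow and blocks."""
    if policy.get("state") != "enabled":
        return False
    flows = policy.get("conditions", {}).get("authenticationFlows", {})
    methods = {m.strip() for m in flows.get("transferMethods", "").split(",")}
    if "deviceCodeFlow" not in methods:
        return False
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    return "block" in controls


if __name__ == "__main__":
    for alert in device_code_alerts(parse_signin_logs(SAMPLE_SIGNIN_LOGS)):
        print(alert)
    print("policy blocks device code flow:", policy_blocks_device_code(SAMPLE_POLICY))
```

The useful signal is the protocol field itself: a tenant that does not legitimately onboard TVs or consoles should see essentially no deviceCode sign-ins, so every hit deserves a look, and a successful one from an address outside the corporate ranges is the case the article describes. The policy check is there because a policy in report-only or disabled state, or one without a block grant, leaves the flow open even though it looks configured.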