{"id":234069,"date":"2026-03-26T02:19:58","date_gmt":"2026-03-26T07:19:58","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/03\/device-code-phishing-hits-340-microsoft-365-orgs-across-five-countries-via-oauth-abuse"},"modified":"2026-03-26T02:19:58","modified_gmt":"2026-03-26T07:19:58","slug":"device-code-phishing-hits-340-microsoft-365-orgs-across-five-countries-via-oauth-abuse","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/03\/device-code-phishing-hits-340-microsoft-365-orgs-across-five-countries-via-oauth-abuse","title":{"rendered":"Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/device-code-phishing-hits-340-microsoft-365-orgs-across-five-countries-via-oauth-abuse.jpg\"><\/a><\/p>\n<p>Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign.<\/p>\n<p>\u201cWhat also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed,\u201d the company said. \u201cConstruction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same <a href=\"http:\/\/Railway.com\">Railway.com<\/a> IP infrastructure.\u201d<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2025\/12\/russia-linked-hackers-use-microsoft-365.html\" rel=\"noopener\" target=\"_blank\">Device code phishing<\/a> refers to a technique that exploits the <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/v2-oauth2-device-code\" rel=\"noopener\" target=\"_blank\">OAuth device authorization flow<\/a> to grant the attacker persistent access tokens, which can then be used to seize control of victim accounts. What\u2019s significant about this attack method is that the tokens remain valid even after the account\u2019s password is reset.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign. \u201cWhat also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed,\u201d the company said. \u201cConstruction bid lures, landing page code generation, DocuSign [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,45,1490,1496],"tags":[],"class_list":["post-234069","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-finance","category-government","category-law"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/234069","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=234069"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/234069\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=234069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=234069"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=234069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}