Russian spies have been using a clever phishing technique to hijack Microsoft 365 accounts, researchers warned. The technique is called device code phishing, which exploits the industry-wide OAuth standard to gain unauthorized access.
Here’s how it works: the threat actors send a message, posing as a trusted official, that asks the user to verify their account on a messaging app. The user clicks the link and enters a device code of the kind normally displayed on a less secure device. The remote server then returns a token that grants access to the user’s Microsoft 365 account.
This technique is particularly effective because it uses two paths of authentication: one from an app on the less secure device and another from the user’s main browser. Security firms Volexity and Microsoft have issued advisories warning of this threat, which has been ongoing since at least August.
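From the defender's side, the useful signal is that device code sign-ins are rare for most users and that the token is redeemed by whichever client polled for it, not necessarily the user's own browser. The script below is an added example, not code from the article, Volexity or Microsoft: it scans constructed Entra ID sign-in records (field names modelled on the Microsoft Graph signIn resource, with `authenticationProtocol` set to `deviceCode` for this flow) and raises the severity when the redeeming IP was never seen in that user's other sign-ins, a heuristic chosen for this example.

```python
import json
from collections import defaultdict

# Constructed sample Entra ID sign-in records (newline-delimited JSON), not
# real log data. Field names follow the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.org", "authenticationProtocol": "authorizationCodeFlow", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "createdDateTime": "2025-02-10T08:01:00Z"}
{"userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Azure CLI", "createdDateTime": "2025-02-10T08:14:00Z"}
{"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI", "createdDateTime": "2025-02-10T09:00:00Z"}
{"userPrincipalName": "bob@example.org", "authenticationProtocol": "authorizationCodeFlow", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Teams", "createdDateTime": "2025-02-09T09:00:00Z"}
"""


def parse_signins(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(events):
    """Return one alert per device-code sign-in.

    Severity is 'high' when the IP that redeemed the device code was never
    seen in the user's other sign-ins. This heuristic is an assumption of
    this example, not a Microsoft or Volexity rule: in the abuse described
    above the token is collected by the attacker's client, so its source
    address need not match where the user normally works.
    """
    baseline = defaultdict(set)
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            baseline[e["userPrincipalName"]].add(e["ipAddress"])
    alerts = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        known_ip = e["ipAddress"] in baseline[e["userPrincipalName"]]
        alerts.append({
            "user": e["userPrincipalName"],
            "ip": e["ipAddress"],
            "app": e.get("appDisplayName"),
            "time": e.get("createdDateTime"),
            "severity": "medium" if known_ip else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

In a real tenant the same logic would run over exported sign-in logs, and a Conditional Access policy that blocks the device code flow for users who never need it removes the attack surface outright.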
Source: https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts