Full Report
Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany. The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages
Analysis Summary
# Incident Report: Large-Scale Device Code Phishing Campaign
## Executive Summary
An active device code phishing campaign is currently targeting Microsoft 365 identities across over 340 organizations globally. The campaign leverages the "device code flow" authentication protocol to bypass Multi-Factor Authentication (MFA), leading to unauthorized account access and potential data exposure. Security firm Huntress identified the activity starting in February 2026, noting a significant acceleration in attack frequency across multiple Western regions.
## Incident Details
- **Discovery Date:** February 19, 2026
- **Incident Date:** February 19, 2026 – ongoing (as of first report)
- **Affected Organization:** 340+ unidentified organizations (Managed Service Provider clients)
- **Sector:** Diversified (Cross-sector)
- **Geography:** U.S., Canada, Australia, New Zealand, and Germany
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing February 19, 2026.
- **Vector:** Phishing via Device Code Flow.
- **Details:** Attackers send phishing emails (often disguised as shared documents or IT alerts) that direct users to `microsoft[.]com/devicelogin`. The user is prompted to enter a code the attacker generated; because the sign-in (MFA included) is completed against the genuine Microsoft page, the resulting OAuth tokens are issued to the attacker's client rather than to the user's device.
### Lateral Movement
- **Details:** Once the initial account is compromised via the device code, attackers utilize the valid session to access internal resources, SharePoint sites, and Global Address Lists (GAL) to identify further targets.
### Data Exfiltration/Impact
- **Details:** Unauthorized access to Microsoft 365 environments, including emails, OneDrive files, and sensitive corporate data. The primary impact is the unauthorized hijacking of authenticated sessions.
### Detection & Response
- **How it was discovered:** Huntress researchers identified anomalous login patterns and suspicious device code authentication requests across their partner base.
- **Response actions taken:** Revocation of active sessions, resetting of credentials, and blocking of known malicious sender domains.
## Attack Methodology
- **Initial Access:** Device Code Phishing (the outcome matches an Adversary-in-the-Middle attack: a valid authenticated session obtained without the password).
- **Persistence:** Use of the OAuth refresh tokens issued during the flow, which allow long-term access without requiring re-authentication.
- **Privilege Escalation:** Not explicitly detailed, but typically involves searching for administrative credentials within the mailbox.
- **Defense Evasion:** Use of legitimate Microsoft infrastructure (`microsoft[.]com/devicelogin`) to host the login prompt, making the URL appear benign to users and security filters.
- **Credential Access:** Theft of authentication tokens rather than raw passwords (MFA bypass).
- **Discovery:** Enumeration of internal directories and file structures via the compromised M365 account.
- **Lateral Movement:** Internal phishing or using the "Device Code" method on secondary internal accounts.
- **Collection:** Bulk downloading of cloud-hosted documents.
- **Exfiltration:** Transfer of data via authenticated cloud sessions.
- **Impact:** Identity theft and potential business email compromise (BEC).
## Impact Assessment
- **Financial:** Not yet quantified; potential for significant losses via BEC/wire fraud.
- **Data Breach:** High risk; unauthorized access to corporate cloud repositories and communications.
- **Operational:** Disruption due to account lockouts and mandatory password/session resets for 340+ organizations.
- **Reputational:** Significant risk to affected organizations and MSPs involved.
## Indicators of Compromise
- **Network indicators:** (Defanged examples associated with this type of activity)
  - `microsoft[.]com/devicelogin` (Legitimate site used maliciously)
  - Suspicious sender domains (e.g., `sharepoint-docs[.]top`)
- **Behavioral indicators:**
  - Sign-ins recorded with the "Device Code" authentication protocol in the Microsoft Entra (Azure AD) sign-in logs.
  - Logins from atypical geographic locations (relative to the user's baseline).
  - Rapid creation of new inbox rules to hide phishing replies.
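The behavioral indicators above translate directly into a detection rule, which is also what the Monitoring recommendation at the end of this report asks for. The Python below is an added example, not Huntress's tooling or anything from the report: it runs over a few constructed sign-in records shaped like Microsoft Graph `signIn` objects (device-code sign-ins carry `authenticationProtocol: "deviceCode"` there), scores each one against a constructed per-user country baseline, and separately looks for the campaign-scale signal of several distinct users completing device-code sign-ins within a few minutes. The sample records, the baseline table, the thresholds and the `contoso.example` domain are all constructed for the example.

```python
"""Flag suspicious device-code sign-ins in Entra ID sign-in log records.

Added example, not code from the report. Field names follow the Microsoft
Graph `signIn` resource (authenticationProtocol, location.countryOrRegion,
userPrincipalName, status.errorCode); the records and baseline are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in records (Graph signIn shape). errorCode 0 == success.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-19T09:02:11Z", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T09:15:40Z", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker",
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T09:16:02Z", "userPrincipalName": "bob@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T09:16:30Z", "userPrincipalName": "carol@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker",
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 50199}},  # sign-in failed
    {"createdDateTime": "2026-02-19T09:17:05Z", "userPrincipalName": "dave@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]

# Constructed baseline: countries each user signed in from over the prior 30 days.
BASELINE_COUNTRIES = {
    "alice@contoso.example": {"US"},
    "bob@contoso.example": {"US", "CA"},
    "carol@contoso.example": {"US"},
    "dave@contoso.example": {"US"},
}


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_device_code_signin(record: dict) -> bool:
    return record.get("authenticationProtocol") == "deviceCode"


def _succeeded(record: dict) -> bool:
    return record.get("status", {}).get("errorCode", 0) == 0


def classify_device_code_signins(signins, baseline):
    """One finding per device-code sign-in, with the reasons it is noteworthy.

    Severity: high  = succeeded from a country not in the user's baseline
              medium = succeeded from a baseline country (still worth a look)
              low    = the attempt failed (user may have entered a stale code)
    """
    findings = []
    for rec in signins:
        if not is_device_code_signin(rec):
            continue
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion")
        ok = _succeeded(rec)
        reasons = ["device_code_flow"]
        if country not in baseline.get(user, set()):
            reasons.append("atypical_country")
        if not ok:
            reasons.append("failed_attempt")
        severity = "high" if ok and "atypical_country" in reasons else "medium" if ok else "low"
        findings.append({"user": user, "time": rec["createdDateTime"], "country": country,
                         "app": rec.get("appDisplayName"), "severity": severity, "reasons": reasons})
    return findings


def device_code_burst_users(signins, window=timedelta(minutes=5), min_users=3):
    """Users with a successful device-code sign-in inside any window that holds
    at least `min_users` distinct users. Many users redeeming codes within minutes
    of each other is a campaign-scale signal, not normal device onboarding."""
    events = sorted((_parse_time(r["createdDateTime"]), r["userPrincipalName"])
                    for r in signins if is_device_code_signin(r) and _succeeded(r))
    flagged = set()
    for i, (t0, _) in enumerate(events):
        users_in_window = {u for t, u in events[i:] if t - t0 <= window}
        if len(users_in_window) >= min_users:
            flagged |= users_in_window
    return flagged


if __name__ == "__main__":
    for f in classify_device_code_signins(SAMPLE_SIGNINS, BASELINE_COUNTRIES):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} from {f['country']} via {f['app']}: {f['reasons']}")
    print("burst users:", sorted(device_code_burst_users(SAMPLE_SIGNINS)))
```

In production the records would come from the sign-in log export (Graph `auditLogs/signIns` or a SIEM table) and the baseline from a rolling query rather than a dict; the scoring logic stays the same. Note that a device-code sign-in from a baseline country is still flagged: the campaign described here is MFA-resistant, so the authentication protocol itself is the primary signal and geography only raises the priority.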
## Response Actions
- **Containment:** Revoke all current Refresh Tokens for compromised users.
- **Eradication:** Scan and remove any persistence mechanisms (e.g., newly added malicious OAuth apps or inbox forwarders).
- **Recovery:** Mandatory password resets and re-enrollment of MFA devices where necessary.
## Lessons Learned
- **Key takeaways:** Attackers are increasingly moving away from traditional phishing pages toward abusing legitimate authentication workflows like Device Code Flow.
- **Gaps:** Standard MFA is not a silver bullet against device code phishing, as the user is essentially performing the MFA for the attacker.
## Recommendations
- **Disable Device Code Flow:** If not required for business operations, disable this feature in Microsoft Entra (Azure AD).
- **Conditional Access:** Implement strict Conditional Access policies to restrict logins to compliant/managed devices or specific IP ranges.
- **User Training:** Educate staff that they should *never* enter a code into a Microsoft login page unless they initiated the request themselves on that specific device.
- **Monitoring:** Set up alerts for "Authentication Method: Device Code" within Microsoft 365 security logs.
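The first two recommendations (disable Device Code Flow, tighten Conditional Access) are usually implemented as one Conditional Access policy whose authentication-flows condition targets device code flow with a block grant control. A policy that exists is not the same as one that enforces, so the Python below, an added example and not part of the report, audits a list of policies in the shape Microsoft Graph returns for `conditionalAccessPolicy` objects and reports why each one does or does not fully block device code flow: report-only state, a grant control other than block, a scope narrower than all users and all cloud apps, or excluded principals. It also builds a reference policy body that passes the audit. The sample policies, their names and the all-zero group id are constructed placeholders, and the exact field spelling (`conditions.authenticationFlows.transferMethods`) should be verified against the current Graph schema before use.

```python
"""Audit Conditional Access policies for an enforced block on device code flow.

Added example, not from the report. Policy dicts follow the Microsoft Graph
conditionalAccessPolicy shape as assumed here; the sample policies are constructed.
"""

DEVICE_CODE_FLAG = "deviceCodeFlow"  # value of conditions.authenticationFlows.transferMethods

# Constructed sample policies. The group id is an obvious placeholder.
SAMPLE_POLICIES = [
    {"displayName": "CA901 - Block device code flow (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA902 - Block device code flow except field engineering",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["00000000-0000-0000-0000-000000000001"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA100 - Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def _transfer_methods(policy: dict) -> set:
    """transferMethods is a comma-separated flag string; split it into a set."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}


def policy_gaps(policy: dict) -> list:
    """Reasons this policy does NOT fully block device code flow. Empty list == it does."""
    gaps = []
    cond = policy.get("conditions", {})
    if DEVICE_CODE_FLAG not in _transfer_methods(policy):
        gaps.append("authenticationFlows condition does not target deviceCodeFlow")
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}, not 'enabled' (report-only does not enforce)")
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if "block" not in controls:
        gaps.append("grant control is not 'block'")
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        gaps.append("does not include all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            gaps.append(f"{key} excludes {len(users[key])} principal(s) from the block")
    apps = cond.get("applications", {})
    if apps.get("includeApplications") != ["All"]:
        gaps.append("does not cover all cloud apps")
    return gaps


def audit_device_code_block(policies) -> dict:
    """Tenant-level verdict: enforced only if at least one policy has no gaps."""
    per_policy = {p["displayName"]: policy_gaps(p) for p in policies}
    return {"enforced": any(not gaps for gaps in per_policy.values()), "per_policy": per_policy}


def recommended_block_policy() -> dict:
    """Reference policy body that blocks device code flow for all users and apps.
    Deploy in report-only first, review the sign-in log impact, then set state to enabled."""
    return {"displayName": "CA903 - Block device code flow (all users, all apps)",
            "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": ["All"]},
                           "authenticationFlows": {"transferMethods": DEVICE_CODE_FLAG}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}


if __name__ == "__main__":
    result = audit_device_code_block(SAMPLE_POLICIES)
    print("device code flow blocked tenant-wide:", result["enforced"])
    for name, gaps in result["per_policy"].items():
        print(f"  {name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Any excluded principal is reported as a gap on purpose: a break-glass or field-engineering exclusion may be an accepted risk, but it is exactly the population an attacker running this campaign would still be able to phish, so it belongs in the audit output rather than silently passing.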