Device code phishing campaign targets 340+ Microsoft 365 organizations using OAuth abuse

Cybersecurity researchers have uncovered a large-scale phishing campaign targeting more than 340 Microsoft 365 organizations across countries including the U.S., Canada, Australia, New Zealand, and Germany. The campaign, first detected in February 2026, has been rapidly expanding, raising serious concerns about evolving identity-based cyber threats.

The attack uses a technique known as device code phishing, which exploits Microsoft’s legitimate OAuth device authorization flow. Instead of stealing passwords directly, attackers trick users into entering an attacker-supplied code on the official Microsoft login page, which unknowingly authorizes the attacker’s client to access their accounts.

Once a victim enters the code along with their credentials and multi-factor authentication (MFA) details, attackers receive valid access and refresh tokens. These tokens allow persistent access to accounts—even if the user later resets their password—making the attack particularly dangerous.

The campaign stands out due to its sophisticated delivery methods. Attackers are using a mix of phishing lures such as fake DocuSign requests, voicemail alerts, construction bids, and Microsoft Forms pages to deceive users. These messages often pass through trusted services like Cisco and Mimecast to bypass security filters and increase credibility.

Technically, the attack infrastructure leverages legitimate platforms such as Cloudflare Workers and Railway, a cloud hosting service, to host malicious workflows and redirect victims. This use of trusted infrastructure helps attackers evade detection and makes the phishing attempts appear legitimate.

Another notable aspect is automation—some phishing pages dynamically generate the device code directly on the landing page, removing the need for attackers to manually share codes and making the attack more scalable.

Security experts warn that this technique is particularly effective because it abuses trusted authentication processes rather than exploiting software vulnerabilities. As a result, traditional defenses like password resets or even MFA may not fully mitigate the risk.

The incident highlights a broader shift in cyberattacks toward identity and token-based exploitation, emphasizing the need for organizations to adopt stronger monitoring, token revocation practices, and user awareness to defend against increasingly sophisticated phishing methods.
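The monitoring and token-revocation practices mentioned above can be made concrete on the sign-in data Microsoft Entra ID already exports. The following example, added here and not taken from the article or from any vendor tooling, flags successful device code sign-ins that do not match a tenant's expectations and lists the accounts whose sessions should be revoked. The event fields mirror a simplified subset of the Entra sign-in log schema (`authenticationProtocol`, `appId`, `location.countryOrRegion`, `status.errorCode`) and are an assumption about that schema; the allow-listed app id, the expected countries, the burst threshold and all events are constructed sample values.

```python
"""Flag device-code-flow sign-ins in Entra ID sign-in logs (added example).

Field names mirror a simplified subset of the Entra sign-in log export and
are an assumption; every event below is constructed sample data.
"""

# Tenant-specific expectations (assumed values for this example).
EXPECTED_COUNTRIES = {"US", "CA"}
# Apps that legitimately use device code flow (e.g. a headless CI runner).
# Placeholder app id, not a real Entra application.
DEVICE_CODE_ALLOWLIST = {"00000000-0000-0000-0000-0000000000c1"}
# Distinct users completing device code flow toward one non-allowlisted app
# in a single batch; a heuristic campaign signal rather than a hard rule.
BURST_THRESHOLD = 3

# Constructed sample events; "authorizationCode" stands in for an ordinary
# browser sign-in and 50126 for a failed credential check.
SAMPLE_EVENTS = [
    {"createdDateTime": "2026-02-10T09:01:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appId": "00000000-0000-0000-0000-0000000000c1",
     "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:05:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:06:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "203.0.113.21", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:07:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "deviceCode", "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:08:00Z", "userPrincipalName": "erin@example.com",
     "authenticationProtocol": "deviceCode", "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "203.0.113.9", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-02-10T09:09:00Z", "userPrincipalName": "frank@example.com",
     "authenticationProtocol": "authorizationCode", "appId": "22222222-2222-2222-2222-222222222222",
     "ipAddress": "198.51.100.33", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]


def is_successful_device_code(event):
    """True only for device code sign-ins that actually issued tokens."""
    return (event.get("authenticationProtocol") == "deviceCode"
            and event.get("status", {}).get("errorCode") == 0)


def flag_event(event):
    """Return the reasons one event is suspicious (empty list if benign)."""
    reasons = []
    if not is_successful_device_code(event):
        return reasons
    if event["appId"] not in DEVICE_CODE_ALLOWLIST:
        reasons.append("device code flow used by non-allowlisted app")
    if event["location"]["countryOrRegion"] not in EXPECTED_COUNTRIES:
        reasons.append("device code sign-in from unexpected country")
    return reasons


def analyze(events):
    """Per-event alerts plus app ids showing a campaign-sized burst."""
    alerts = [(ev["userPrincipalName"], reason)
              for ev in events for reason in flag_event(ev)]
    users_per_app = {}
    for ev in events:
        if is_successful_device_code(ev) and ev["appId"] not in DEVICE_CODE_ALLOWLIST:
            users_per_app.setdefault(ev["appId"], set()).add(ev["userPrincipalName"])
    burst_apps = {app for app, users in users_per_app.items()
                  if len(users) >= BURST_THRESHOLD}
    return alerts, burst_apps


def users_to_revoke(events):
    """Accounts whose issued tokens must be invalidated, not just their
    passwords reset; Microsoft Graph exposes this as the user action
    POST /users/{id}/revokeSignInSessions (not called here, offline)."""
    alerts, _ = analyze(events)
    return sorted({upn for upn, _ in alerts})


if __name__ == "__main__":
    found, bursts = analyze(SAMPLE_EVENTS)
    for upn, reason in found:
        print(f"ALERT {upn}: {reason}")
    print("burst apps:", bursts)
    print("revoke sessions for:", users_to_revoke(SAMPLE_EVENTS))
```

The two per-event rules catch the individual victim; the burst rule catches the campaign shape the article describes, many users of one tenant completing the flow toward the same unfamiliar client in a short window. Failed attempts are deliberately excluded from revocation but are still worth counting separately as lure-delivery evidence.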
