Microsoft 365 account identities are being stolen!
SCWorld.com reported that “A threat actor was observed using device code phishing to trick unsuspecting users into granting a cybercriminal access to their Microsoft 365 accounts.” The December 22, 2025 article titled “Threat groups steal identities to access Microsoft 365 accounts” (https://tinyurl.com/269zurae) included these comments:
In a Dec. 18 blog post, Proofpoint Threat Research explained that in device code phishing, an attacker will socially engineer someone into logging into an application with legitimate credentials. The app then generates a token that’s obtained by the threat actor, which gives them control over the Microsoft 365 account.
While it’s not a novel technique, the Proofpoint team pointed out that it’s notable to see it used increasingly by multiple threat clusters, including TA2723, a tracked financially motivated cybercriminal threat actor.
“Over the last few years, there has been an increasing focus by threat actors on identity, including account takeovers, which is the result of a successful attack using the OAuth device code phishing technique we’ve reported,” said Sarah Sabotka, a staff threat researcher at Proofpoint. “If a threat actor can successfully establish a foothold by compromising a legitimate user’s identity, the opportunities for upstream attacks are endless.”
Are you surprised?
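A defender-side illustration of the technique quoted above, added here and not taken from SCWorld or Proofpoint: in the OAuth device code flow the token is delivered to whoever started the flow, so one practical check is to review every successful device code sign-in that has no documented business need. The sample records are constructed, the field names are assumed to match the Microsoft Graph signIn resource, and the allowlist and function names are hypothetical.

```python
from datetime import datetime

# Constructed sample records, not real log data. Field names follow the
# Microsoft Graph signIn resource; map them to whatever your export uses.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-12-01T08:00:00Z", "userPrincipalName": "room1@contoso.example",
     "appDisplayName": "Microsoft Teams Rooms", "ipAddress": "192.0.2.10",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-18T09:12:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-18T09:30:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.50",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-18T10:00:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.51",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]

# Hypothetical allowlist: (user, app) pairs with a documented need for the device code flow.
APPROVED_DEVICE_CODE_USE = {("room1@contoso.example", "Microsoft Teams Rooms")}


def _when(rec):
    # Parse the ISO 8601 timestamp so records can be processed in time order.
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def suspect_device_code_signins(records, approved=APPROVED_DEVICE_CODE_USE):
    """Return successful device-code sign-ins that are not on the allowlist."""
    alerts, seen_ips = [], {}
    for rec in sorted(records, key=_when):
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        if rec["status"]["errorCode"] != 0:
            continue  # a failed sign-in issued no token
        if (rec.get("authenticationProtocol") == "deviceCode"
                and (user, rec["appDisplayName"]) not in approved):
            alerts.append({"time": rec["createdDateTime"], "user": user,
                           "app": rec["appDisplayName"], "ip": ip,
                           # Triage hint: has this user signed in from this IP before?
                           "new_ip_for_user": ip not in seen_ips.get(user, set())})
        seen_ips.setdefault(user, set()).add(ip)
    return alerts


if __name__ == "__main__":
    for alert in suspect_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

An alert here is a prompt to confirm with the user whether they knowingly entered a code, not proof of compromise.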