What Happened
An active OAuth device code phishing campaign is targeting Microsoft 365 accounts across more than 340 organizations in five countries: the United States, Canada, Australia, New Zealand, and Germany. Researchers first detected the campaign on February 19, 2026, with activity accelerating significantly in the weeks since.
The attack abuses Microsoft’s legitimate OAuth 2.0 device authorization flow (RFC 8628), the mechanism that lets input-constrained devices such as smart TVs and printers sign in by having the user type a short code on another device. Victims receive phishing emails whose links are wrapped in redirect (link-protection) services operated by recognized security vendors, including Cisco, Trend Micro, and Mimecast. Because the visible link domain belongs to a trusted vendor, most email security gateways pass the message without flagging it.
Clicking the link routes the victim through a multi-hop chain involving Cloudflare Workers before landing on a page that tells them to enter a device authorization code. The victim then completes the sign-in on Microsoft’s own login page, including any MFA challenge. Because the attacker is the party that requested that code, Microsoft issues the resulting access and refresh tokens to the attacker’s session rather than to the victim’s browser. The article reports that the tokens stay usable even if the user later resets their password, so treat the refresh token itself as the compromised credential and revoke the account’s sessions explicitly rather than relying on a password reset.
Stolen tokens are forwarded to attacker-controlled infrastructure hosted on Railway, a platform-as-a-service provider, making attribution and blocking more difficult. Targeted sectors include financial services, healthcare, government, legal, construction, real estate, and manufacturing.
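The exchange described above, written out as an added example that is not part of the original article and is not Microsoft’s code: a constructed in-memory identity provider models the three legs of the device authorization grant (RFC 8628). The endpoint name, client id, user code format and token strings are placeholders, and the `subject` field in the token response exists only so the demo can show whose identity the tokens carry. The point it makes is that the authorization server binds the tokens to whoever completed password and MFA, but hands them to whoever holds the device code.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628) as
abused in device code phishing. Constructed example: the in-memory identity
provider below is not Microsoft's implementation, and every endpoint name,
client id, code format and token value is a placeholder."""
import secrets
import string
import time


class DeviceCodeIdP:
    """Models the device authorization endpoint, the user code entry page,
    and the token endpoint of an identity provider."""

    USER_CODE_ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self, code_lifetime=900):
        self.code_lifetime = code_lifetime   # seconds a code pair stays redeemable
        self._pending = {}                   # device_code -> authorization record
        self._user_codes = {}                # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Leg 1 (attacker): request a code pair. The device_code stays with the
        caller; the user_code is what the lure tells the victim to type."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(self.USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": time.time() + self.code_lifetime, "authorized_by": None,
        }
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": self.code_lifetime, "interval": 5}

    def submit_user_code(self, user_code, username, password_ok, mfa_ok):
        """Leg 2 (victim): on the IdP's genuine login page, type the code and
        authenticate. The page checks that the code is pending and that this
        user passed password and MFA; it cannot tell who requested the code."""
        record = self._pending.get(self._user_codes.get(user_code))
        if record is None or time.time() > record["expires_at"]:
            return False
        if not (password_ok and mfa_ok):
            return False
        record["authorized_by"] = username
        return True

    def token(self, client_id, device_code):
        """Leg 3 (attacker): poll the token endpoint until the victim has
        authorized, then receive tokens minted for the victim's identity."""
        record = self._pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > record["expires_at"]:
            self._pending.pop(device_code)
            return {"error": "expired_token"}
        if record["authorized_by"] is None:
            return {"error": "authorization_pending"}
        # The code pair is single use: consumed when tokens are issued.
        self._pending.pop(device_code)
        self._user_codes.pop(record["user_code"])
        return {"token_type": "Bearer", "expires_in": 3600, "scope": record["scope"],
                "access_token": secrets.token_urlsafe(48),
                "refresh_token": secrets.token_urlsafe(48),  # long-lived; the prize
                # model-only field, not part of a real token response
                "subject": record["authorized_by"]}


def run_phish(idp, victim="a.tremblay@example.ca"):
    """Walk the three legs from both sides and report what each party holds."""
    # Attacker: obtain a code pair and put the user_code in the lure.
    pair = idp.device_authorization(client_id="public-client-id",
                                    scope="openid offline_access")
    first_poll = idp.token("public-client-id", pair["device_code"])
    # Victim: follows the lure, enters the code on the real page, passes MFA.
    accepted = idp.submit_user_code(pair["user_code"], victim,
                                    password_ok=True, mfa_ok=True)
    # Attacker: the next poll returns tokens for the victim's identity.
    tokens = idp.token("public-client-id", pair["device_code"])
    replay = idp.token("public-client-id", pair["device_code"])
    return {"first_poll": first_poll.get("error"),
            "victim_accepted": accepted,
            "token_subject": tokens.get("subject"),
            "attacker_has_refresh_token": "refresh_token" in tokens,
            "replay": replay.get("error")}


if __name__ == "__main__":
    print(run_phish(DeviceCodeIdP()))
```

Nothing in the flow ties the issued tokens to the machine the victim is sitting at, which is why a correct password and a passed MFA challenge do not protect the victim here: they are the very thing that authorizes the attacker’s pending request.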
Why This Matters for Canadian Organizations
Canada is explicitly listed as one of five targeted countries. Every sector named in the targeting profile — financial services, healthcare, government, legal — has deep representation across Canadian public and private institutions.
Device code phishing is one of the most effective identity attacks in circulation right now because it sidesteps MFA rather than breaking it. The attack does not steal passwords. It obtains tokens issued by Microsoft’s own authentication infrastructure after the user has already proven their identity, MFA included, on the genuine login page. Standard MFA policies therefore do not prevent it. Conditional Access can block the device code flow outright through its authentication flows condition, but a tenant that has not configured that sees a normal, MFA-satisfied sign-in, and nothing in a default policy set will flag it.
Canadian organizations with remote or hybrid workforces are particularly exposed. The attack is frictionless from the victim’s perspective: they receive what looks like a routine security prompt, complete a normal login, and the attacker gains persistent access to their account. Security training programmes focused on credential harvesting pages or malicious attachments do not prepare staff to recognize this vector.
The Communications Security Establishment (CSE) and the Canadian Centre for Cyber Security (CCCS) have not issued a specific advisory for this campaign, but the five-country targeting scope and the sectors involved warrant immediate action from Canadian security teams.
What to Do
Block the device code flow with a Conditional Access policy that uses the authentication flows condition, in every tenant where it is not operationally required; there is no separate tenant-wide switch for the grant type, so Conditional Access is the control, and any exceptions should be scoped to the specific users or apps that genuinely need it. Review Entra ID sign-in logs for sign-ins whose authentication protocol is device code and triage any from unfamiliar IP addresses, unexpected countries, or outside normal business hours. Require compliant or Entra-joined devices through Conditional Access so that a device code sign-in from the attacker’s client, which presents no managed device, is refused. Confirm Continuous Access Evaluation is in effect so that critical events such as account disablement or an admin revoking sessions cut off access tokens in near real time instead of at their natural expiry. Refresh token lifetime is not itself configurable in Entra ID, so use the Conditional Access sign-in frequency control to bound how long a stolen token can be silently renewed. For any account that appears to have redeemed a suspicious code, revoke its sign-in sessions and reset the password. Brief staff: a prompt asking them to enter a code on a separate device or website during a routine login is a phishing indicator, regardless of the sender’s domain.
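For the log review step, as an added example that is not from the article and not from Microsoft: a triage script over constructed Entra ID sign-in records. The records are shaped like Microsoft Graph signIn objects (authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode), but the users, IP addresses (documentation ranges) and timestamps are invented, and the 07:00 to 19:00 UTC business window is an assumption to adjust for your tenant. It builds each user’s country baseline from their ordinary non-device-code sign-ins and ranks successful device code sign-ins by how many anomalies they carry, so that an engineer’s daytime CLI login and a 03:00 sign-in from a never-seen country do not land in the same bucket.

```python
"""Triage of Entra ID sign-in records for device code grant abuse.
Constructed example: the records mimic the shape of Microsoft Graph signIn
objects but are invented (documentation IP ranges, fictitious users), and
the business-hours window is an assumption for the tenant in question."""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 UTC; adjust per tenant

# Constructed sample: routine sign-ins that establish each user's baseline,
# two successful device code sign-ins, and one failed attempt.
SIGNINS = [
    {"userPrincipalName": "a.tremblay@example.ca", "createdDateTime": "2026-03-02T14:05:11Z",
     "ipAddress": "192.0.2.10", "location": {"countryOrRegion": "CA"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "a.tremblay@example.ca", "createdDateTime": "2026-03-03T13:40:02Z",
     "ipAddress": "192.0.2.10", "location": {"countryOrRegion": "CA"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "j.singh@example.ca", "createdDateTime": "2026-03-03T15:12:45Z",
     "ipAddress": "192.0.2.25", "location": {"countryOrRegion": "CA"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}},
    # Device code sign-in at 03:12 UTC from a country the user has never used:
    # the campaign pattern.
    {"userPrincipalName": "a.tremblay@example.ca", "createdDateTime": "2026-03-05T03:12:09Z",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "DE"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    # Device code sign-in from the user's usual country during the day:
    # plausibly an engineer's CLI login, still worth listing.
    {"userPrincipalName": "j.singh@example.ca", "createdDateTime": "2026-03-05T10:30:00Z",
     "ipAddress": "192.0.2.25", "location": {"countryOrRegion": "CA"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "status": {"errorCode": 0}},
    # Failed device code attempt (no token issued): excluded from findings.
    {"userPrincipalName": "j.singh@example.ca", "createdDateTime": "2026-03-05T22:47:31Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 50126}},
]


def parse_time(stamp):
    """Graph timestamps end in 'Z'; normalise for fromisoformat on older Pythons."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def build_baseline(signins):
    """Countries each user has signed in from over successful, non-device-code sign-ins."""
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return baseline


def triage_device_code(signins):
    """Return every successful device code sign-in, most anomalous first."""
    baseline = build_baseline(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue   # only sign-ins where tokens were actually issued
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        hour = parse_time(s["createdDateTime"]).hour
        reasons = []
        if country not in baseline.get(user, set()):
            reasons.append(f"country {country} not in user's baseline")
        if hour not in BUSINESS_HOURS:
            reasons.append(f"outside business hours ({hour:02d}:00 UTC)")
        findings.append({"user": user, "time": s["createdDateTime"],
                         "ip": s["ipAddress"], "app": s["appDisplayName"],
                         "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_device_code(SIGNINS):
        print(f["user"], f["time"], f["ip"], f["app"], f["reasons"] or ["no anomaly"])
```

The same first filter applies wherever the sign-in logs are exported: the Graph signIn resource exposes authenticationProtocol, and a Log Analytics export carries the equivalent column, so the raw list of device code sign-ins is one query; the baseline comparison is what turns that list into something an analyst can act on. Any finding with reasons attached is a candidate for revoking the account’s sessions before investigation continues.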
Source: The Hacker News

