Uncovering The Sophisticated Phishing Campaign Bypassing M365 MFA
KnowBe4, Thursday, February 12th, 2026
KnowBe4 Threat Labs has detected a sophisticated phishing campaign targeting North American businesses and professionals.
This attack compromises Microsoft 365 accounts (Outlook, Teams, OneDrive) by abusing the OAuth 2.0 Device Authorization Grant flow, bypassing strong passwords and Multi-Factor Authentication (MFA).
The victim is directed to Microsoft's legitimate device login page (microsoft.com/devicelogin) and asked to enter an attacker-supplied device code. Entering the code authenticates the victim and causes Microsoft to issue a valid OAuth access token to the attacker's application. Because the tokens are harvested in real time, they grant the attacker persistent access to the victim's Microsoft 365 accounts and corporate data.
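As an added detection example (not from the KnowBe4 post or its threat labs tooling): a small pass over constructed Microsoft Entra ID sign-in records in the Graph `signIn` shape. It flags successful sign-ins completed via the device code flow (`authenticationProtocol == "deviceCode"`) and rates them high when the user had never signed in to that application before, which is the pattern a device code phish leaves behind: a legitimate, MFA-satisfied sign-in into an app the user does not normally use. The sample records and the in-batch baseline are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (JSON lines) in the Graph signIn shape; not real log data.
SAMPLE_LOG = """\
{"createdDateTime":"2026-02-10T12:00:05Z","userPrincipalName":"carol@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.30","status":{"errorCode":0}}
{"createdDateTime":"2026-02-10T13:02:11Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2026-02-10T13:04:40Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2026-02-10T13:05:02Z","userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","status":{"errorCode":53003}}
{"createdDateTime":"2026-02-10T13:10:19Z","userPrincipalName":"carol@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.30","status":{"errorCode":0}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_alerts(signins):
    """Return one alert per successful device-code sign-in, in time order.

    Severity is "high" when the user has no earlier successful sign-in to the same
    application in the batch (new app for this user), otherwise "medium".
    In production the baseline would come from a longer history, not the same batch.
    """
    ordered = sorted(signins, key=lambda s: s["createdDateTime"])
    seen_apps = defaultdict(set)  # user -> apps from earlier successful sign-ins
    alerts = []
    for s in ordered:
        user, app = s["userPrincipalName"], s["appDisplayName"]
        # errorCode 0 means the sign-in succeeded; anything else (e.g. a Conditional
        # Access block) is a failure and does not yield a usable token.
        success = s.get("status", {}).get("errorCode", 0) == 0
        if success and s.get("authenticationProtocol") == "deviceCode":
            severity = "high" if app not in seen_apps[user] else "medium"
            alerts.append({"time": s["createdDateTime"], "user": user, "app": app,
                           "ip": s.get("ipAddress"), "severity": severity})
        if success:
            seen_apps[user].add(app)
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(parse_signins(SAMPLE_LOG)):
        print(f'{alert["severity"]:6} {alert["time"]} {alert["user"]} -> {alert["app"]} from {alert["ip"]}')
```

A user who legitimately uses device code sign-in for a CLI tool will show as medium after the first sighting; the high-severity case is the one worth a token revocation and a conversation with the user.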