A device code phishing campaign is actively targeting Microsoft 365 identities across more than 340 organizations in the United States, Canada, Australia, New Zealand, and Germany. The campaign abuses OAuth to compromise corporate accounts and gain unauthorized access to organizational resources.
According to Huntress researchers, the campaign was first detected on February 19, 2026, with subsequent attacks appearing at an accelerated pace. The widespread nature of the campaign, spanning multiple countries and hundreds of organizations, indicates a coordinated and sophisticated threat operation targeting enterprise environments.
The attack vector exploits device code authentication flows, a legitimate OAuth feature that allows users to authenticate on devices with limited input capabilities. Threat actors abuse this mechanism to trick users into authorizing malicious applications, effectively bypassing traditional authentication controls and gaining persistent access to Microsoft 365 environments.
Organizations are advised to review their OAuth application permissions, implement conditional access policies, and monitor for suspicious device code authentication requests. Microsoft provides guidance on detecting and mitigating device code phishing attacks through its security documentation and threat intelligence feeds.
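One way to approach the monitoring step, as an added example that is not from Huntress or Microsoft: the script flags successful device code sign-ins by users who are not on an approved list or who sign in from a country not previously seen for them. It assumes sign-in logs exported as JSON lines with Entra ID style field names (`authenticationProtocol`, `userPrincipalName`, `location.countryOrRegion`, `status.errorCode`); the sample records and the `approved_users` list are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records; field names are assumed to match your sign-in log export.
SAMPLE_LOG = """
{"createdDateTime":"2026-02-18T09:00:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"none","appDisplayName":"Example Mail","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-02-18T09:01:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"none","appDisplayName":"Example Mail","ipAddress":"198.51.100.20","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T08:00:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Example Rooms","ipAddress":"198.51.100.20","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T10:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Example CLI","ipAddress":"203.0.113.7","location":{"countryOrRegion":"DE"},"status":{"errorCode":1}}
{"createdDateTime":"2026-02-19T11:30:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Example CLI","ipAddress":"203.0.113.7","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
"""

def load_records(text):
    """Parse JSON lines and order them by timestamp (ISO 8601 UTC sorts as text)."""
    rows = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(rows, key=lambda r: r["createdDateTime"])

def find_suspicious_device_code(records, approved_users=frozenset()):
    """Return alerts for successful device code sign-ins that break the baseline."""
    approved = {u.lower() for u in approved_users}
    seen_countries = defaultdict(set)  # user -> countries of earlier successful sign-ins
    alerts = []
    for r in records:
        user = r["userPrincipalName"].lower()
        country = (r.get("location") or {}).get("countryOrRegion", "")
        succeeded = (r.get("status") or {}).get("errorCode") == 0
        if succeeded and r.get("authenticationProtocol") == "deviceCode":
            reasons = []
            if user not in approved:
                reasons.append("user not approved for device code flow")
            if country not in seen_countries[user]:
                reasons.append("country not previously seen for user")
            if reasons:
                alerts.append({"user": user, "time": r["createdDateTime"],
                               "ip": r.get("ipAddress"), "app": r.get("appDisplayName"),
                               "reasons": reasons})
        if succeeded:
            seen_countries[user].add(country)  # update baseline after evaluating
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_device_code(load_records(SAMPLE_LOG),
                                             approved_users={"kiosk@example.com"}):
        print(json.dumps(alert))
```

Each alert identifies an account whose sessions and OAuth grants should be reviewed; users with no business need for the device code flow are candidates for a conditional access policy that blocks it.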
The campaign's multi-country scope and rapid acceleration suggest an organized threat group with significant resources and targeting capabilities, highlighting the ongoing evolution of social engineering attacks against cloud-based enterprise platforms.