Attackers Use Password-Protected PDF Lures to Launch Microsoft Device Code Phishing
ID: 3f0c3338-0336-5e48-9cb2-893f72ea72ae
STIX ID: report--3f0c3338-0336-5e48-9cb2-893f72ea72ae
Feed Name: Cyber Press
Researchers observed a Device Code Phishing campaign (April–May 2026) that leverages password-protected PDF lures, CAPTCHAs, and open redirects to legitimate Microsoft and trusted platforms to trick victims into copying and pasting one-time device codes into the official Microsoft device login flow. Because the login occurs on bona fide Microsoft pages, victims complete MFA and the attackers receive access, identity, and refresh tokens enabling persistent, stealthy access to corporate email, OneDrive, and Teams; the report recommends user training to never approve device codes they didn't initiate, inspecting URL redirect parameters, and enforcing Conditional Access policies.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
