logo

Attackers Use Password-Protected PDF Lures to Launch Microsoft Device Code Phishing

ID: 3f0c3338-0336-5e48-9cb2-893f72ea72ae

STIX ID: report--3f0c3338-0336-5e48-9cb2-893f72ea72ae

Feed Name: Cyber Press

Threat Score
72/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

Author: Varshini

...
...

Researchers observed a Device Code Phishing campaign (April–May 2026) that leverages password-protected PDF lures, CAPTCHAs, and open redirects to legitimate Microsoft and trusted platforms to trick victims into copying and pasting one-time device codes into the official Microsoft device login flow. Because the login occurs on bona fide Microsoft pages, victims complete MFA and the attackers receive access, identity, and refresh tokens enabling persistent, stealthy access to corporate email, OneDrive, and Teams; the report recommends user training to never approve device codes they didn't initiate, inspecting URL redirect parameters, and enforcing Conditional Access policies.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.