logo

Hackers Use Trusted Microsoft Domain and One-Time Codes to Hijack Corporate Accounts

ID: 1eab2577-4884-54eb-bec3-dc2dcb489060

STIX ID: report--1eab2577-4884-54eb-bec3-dc2dcb489060

Feed Name: GBHackers

Threat Score
75/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

Author: Mayura Kathir

...
...

A phishing campaign is abusing the OAuth 2.0 Device Authorization (Device Code) flow to get victims to paste attacker-supplied one-time codes into genuine Microsoft verification pages, leading to issuance of access and refresh tokens and prolonged stealthy access to corporate email, OneDrive, and Teams; defenders are advised to disable or restrict Device Code Flow where unnecessary, enforce strict Conditional Access, monitor DeviceCodeSignIn events, and train users to refuse unsolicited device authorizations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.