Device Code Phishing: Microsoft 365 Attack That Steals No Passwords
ID: 6c69f3a1-fe0d-5fe1-89b7-1b6b8a542625
STIX ID: report--6c69f3a1-fe0d-5fe1-89b7-1b6b8a542625
Feed Name: securityonline.info
ReversingLabs and SecurityOnline.info report an active phishing campaign that hijacks Microsoft 365 accounts by abusing the OAuth 2.0 device authorization flow. Victims are lured to a legitimate Microsoft device-login page and told to enter a verification code; entering it actually grants the attacker an OAuth token and silent account takeover. The kit evades detection by using invisible Unicode characters and by routing through legitimate Microsoft/Akamai URLs, and it maintains a constant four-second beacon to keep the attacker’s flow synchronized. Defenders are advised to hunt for the beaconing pattern and review Entra ID sign-in logs.
