Uncovering a New Device Code Phishing Campaign
ID: 56c7a481-e008-55a1-9f55-82a8fbf15c32
STIX ID: report--56c7a481-e008-55a1-9f55-82a8fbf15c32
Feed Name: On the Hunt
This report describes a phishing campaign that abuses Microsoft device code authentication by hosting Adobe-themed lures on Cloudflare workers.dev domains; attackers auto-copy device codes and direct victims to Microsoft’s device login to capture OAuth tokens. The document provides code analysis, a list of observed workers.dev phishing domains and inferred sender addresses, Log Analytics detection queries, and recommended detection hunts to surface device-code-based compromises.
