When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website
ID: b692a25e-f5dc-50c6-b8ae-115e2ee73451
STIX ID: report--b692a25e-f5dc-50c6-b8ae-115e2ee73451
Feed Name: Securelist by Kaspersky
This report details Device Code Phishing: attackers use legitimate services (e.g., Microsoft, Cacoo) and open redirects or malicious PDFs to present one-time device codes to victims, who are then redirected to Microsoft’s official device login page to paste the code; the threat actor harvests the resulting access and refresh tokens to take over accounts (read/send email, exfiltrate OneDrive files, access Teams). The analysis covers an observed April–May 2026 campaign and Brazilian variants and provides detection and mitigation guidance including disabling Device Code Flow if unnecessary and monitoring DeviceCodeSignIn events.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
