logo

When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website

ID: b692a25e-f5dc-50c6-b8ae-115e2ee73451

STIX ID: report--b692a25e-f5dc-50c6-b8ae-115e2ee73451

Feed Name: Securelist by Kaspersky

Threat Score
70/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

Author: Roman Dedenok

...
...

This report details Device Code Phishing: attackers use legitimate services (e.g., Microsoft, Cacoo) and open redirects or malicious PDFs to present one-time device codes to victims, who are then redirected to Microsoft’s official device login page to paste the code; the threat actor harvests the resulting access and refresh tokens to take over accounts (read/send email, exfiltrate OneDrive files, access Teams). The analysis covers an observed April–May 2026 campaign and Brazilian variants and provides detection and mitigation guidance including disabling Device Code Flow if unnecessary and monitoring DeviceCodeSignIn events.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.