Go With the Flow: Abusing OAuth Device Code Flow
ID: ff46e72f-35ca-559c-8075-f23ed752da9d
STIX ID: report--ff46e72f-35ca-559c-8075-f23ed752da9d
Feed Name: LevelBlue SpiderLabs Blog
LevelBlue GTO analyzed a phishing campaign that leverages Microsoft’s OAuth 2.0 Device Code Flow: a malicious site dynamically requests a device_code from Microsoft, displays the resulting user_code to victims on a fake Adobe page, and polls Microsoft for token issuance once the victim enters the code. The outcome is account compromise and persistent access via refresh tokens. The report details the JavaScript workflow, the compromised redirect infrastructure, detection KQL queries, and recommended mitigations (block the Device Code Flow via Conditional Access), and provides an observed IOC (https://adobe.safest.org/).