logo

Device code phishing bypasses password stealing

ID: 2f60e565-78e3-5113-8c6f-4d2737569189

STIX ID: report--2f60e565-78e3-5113-8c6f-4d2737569189

Feed Name: ReversingLabs Blog

Threat Score
75/100

Date Published: 2026-06-12

Date Updated: 2026-06-13

Author: Robert Simmons

...
...

This report details an active Microsoft 365 "device code" phishing campaign that tricks corporate users into authorizing attacker-controlled devices via the legitimate OAuth Device Authorization Grant flow; it covers the email lure, landing-page code (use of invisible Unicode chars and automated device-code beaconing), network detection patterns, a YARA rule to detect landing pages, and a large list of IoC URLs, and provides detection and mitigation recommendations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.