Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Gentlemen Ransomware Exploits 21 Remote Execution Techniques
July 6, 2026
Home/Threats/Microsoft Device Code Phishing Attack Steals Tokens via Login Page
Threats

Microsoft Device Code Phishing Attack Steals Tokens via Login Page

Key Takeaways A novel phishing technique leverages a legitimate Microsoft authentication feature, the Device Code Flow, to steal user tokens. The attack bypasses traditional phishing defenses because...

Jennifer sherman
Jennifer sherman
July 6, 2026 3 Min Read
2 0

Key Takeaways

  • A novel phishing technique leverages a legitimate Microsoft authentication feature, the Device Code Flow, to steal user tokens.
  • The attack bypasses traditional phishing defenses because victims interact solely with genuine Microsoft login pages, making it highly deceptive.
  • Attackers gain unauthorized access to email, files, and chat messages by tricking users into approving a device code initiated by the adversary.
  • Multifactor authentication (MFA) offers limited protection once the user approves the device code, highlighting a significant security gap.
  • The campaign, observed from April to mid-May 2026, targeted real victims and has adapted for different regions.

Sophisticated Phishing Attack Exploits Microsoft Device Code Flow

Cybersecurity researchers have uncovered an advanced phishing technique that enables attackers to compromise Microsoft accounts by manipulating a legitimate authentication feature. This method, which exploits Microsoft’s Device Authorization Grant (also known as the Device Code Flow), allows adversaries to steal access tokens without ever directing victims to a fake website, thereby circumventing common user vigilance against malicious URLs.

Table Of Content

  • Key Takeaways
  • Sophisticated Phishing Attack Exploits Microsoft Device Code Flow
  • How the Device Code Flow Phishing Works
  • The Attack Sequence
  • Adaptive Campaign and Broader Implications
  • What You Should Do

How the Device Code Flow Phishing Works

The Device Code Flow is a Microsoft feature designed to facilitate logins on input-constrained devices, such as smart TVs or printers. It permits users to authenticate by entering a unique code displayed on the device into a separate browser on a different device. Attackers have weaponized this mechanism to trick users into unknowingly granting them access to their Microsoft accounts.

Researchers from Securelist said in a report that they observed an active campaign utilizing this technique against real targets from April to mid-May 2026. The attack typically begins with a phishing email, often disguised as an official notice from a law firm, containing a password-protected PDF attachment.

The Attack Sequence

Upon opening the malicious PDF, victims are guided through a series of steps designed to appear legitimate. The document contains a link that purports to lead to important files but instead redirects the user to a convincing fake legal portal. This portal incorporates CAPTCHA checks, likely intended to deter automated analysis and make the page seem more authentic. After successfully navigating these checks, the victim is presented with a unique, one-time code and instructions to copy it.

Crucially, clicking this code not only copies it to the clipboard but also immediately redirects the user to Microsoft’s genuine authentication page. Here, the victim is prompted to paste the code, completing what they believe is a standard login process for the “important files.”

Unbeknownst to the victim, the attacker’s system had already initiated a device code request with Microsoft’s servers. By entering the code, the user inadvertently authorizes the attacker’s “device.” This approval grants the attacker access tokens, enabling them to read and send emails, retrieve files from OneDrive, and view Teams conversations—all without needing the user’s password. This method is particularly dangerous as it renders traditional advice about checking website URLs ineffective, as the final authentication occurs on a legitimate Microsoft domain, and even multifactor authentication provides little defense once the code is approved.

Adaptive Campaign and Broader Implications

Securelist noted that the threat actors behind this campaign are adaptive. They identified a variant targeting users in Brazil, which replaced the initial malicious PDF with a link delivered via a legitimate diagramming website. Despite this change in delivery, the core mechanism remained the same: victims were still routed to the unique code screen and then to the authentic Microsoft login page, demonstrating the technique’s versatility across different phishing vectors.

What You Should Do

  • Be Skeptical of Unexpected Login Requests: Never approve a device login request or enter a code if you did not personally initiate the login process, regardless of how official the prompt appears.
  • Verify Links Carefully: Before clicking any link, hover over it to inspect the destination URL. Look for suspicious parameters or unexpected redirects, even if the primary domain seems legitimate.
  • Review Device Code Flow Usage: Organizations should assess whether the Device Code Flow is essential for their daily operations. If not, consider disabling it through Conditional Access policies to mitigate this attack vector.
  • Monitor for Suspicious Activity: Security teams should actively monitor for DeviceCodeSignIn events and enforce strict device compliance rules. Set up alerts for sign-ins originating from unusual locations or unmanaged devices.
  • Enhance Email Security: Implement robust email security solutions capable of filtering out sophisticated phishing attempts, including those with password-protected attachments or links embedded within legitimate-looking documents.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitphishingSecurity

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Windows 11 24H2, 25H2 Bug Triggers Black Screens, Start Menu Failure
July 6, 2026
IBM WebSphere Flaws Let Attackers Exploit XSS, Path Traversal
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us