Microsoft Device Code Phishing Attack Steals Tokens via Login Page
Key Takeaways A novel phishing technique leverages a legitimate Microsoft authentication feature, the Device Code Flow, to steal user tokens. The attack bypasses traditional phishing defenses because...
Key Takeaways
- A novel phishing technique leverages a legitimate Microsoft authentication feature, the Device Code Flow, to steal user tokens.
- The attack bypasses traditional phishing defenses because victims interact solely with genuine Microsoft login pages, making it highly deceptive.
- Attackers gain unauthorized access to email, files, and chat messages by tricking users into approving a device code initiated by the adversary.
- Multifactor authentication (MFA) offers limited protection once the user approves the device code, highlighting a significant security gap.
- The campaign, observed from April to mid-May 2026, targeted real victims and has adapted for different regions.
Sophisticated Phishing Attack Exploits Microsoft Device Code Flow
Cybersecurity researchers have uncovered an advanced phishing technique that enables attackers to compromise Microsoft accounts by manipulating a legitimate authentication feature. This method, which exploits Microsoft’s Device Authorization Grant (also known as the Device Code Flow), allows adversaries to steal access tokens without ever directing victims to a fake website, thereby circumventing common user vigilance against malicious URLs.
Table Of Content
How the Device Code Flow Phishing Works
The Device Code Flow is a Microsoft feature designed to facilitate logins on input-constrained devices, such as smart TVs or printers. It permits users to authenticate by entering a unique code displayed on the device into a separate browser on a different device. Attackers have weaponized this mechanism to trick users into unknowingly granting them access to their Microsoft accounts.
Researchers from Securelist said in a report that they observed an active campaign utilizing this technique against real targets from April to mid-May 2026. The attack typically begins with a phishing email, often disguised as an official notice from a law firm, containing a password-protected PDF attachment.
The Attack Sequence
Upon opening the malicious PDF, victims are guided through a series of steps designed to appear legitimate. The document contains a link that purports to lead to important files but instead redirects the user to a convincing fake legal portal. This portal incorporates CAPTCHA checks, likely intended to deter automated analysis and make the page seem more authentic. After successfully navigating these checks, the victim is presented with a unique, one-time code and instructions to copy it.
Crucially, clicking this code not only copies it to the clipboard but also immediately redirects the user to Microsoft’s genuine authentication page. Here, the victim is prompted to paste the code, completing what they believe is a standard login process for the “important files.”
Unbeknownst to the victim, the attacker’s system had already initiated a device code request with Microsoft’s servers. By entering the code, the user inadvertently authorizes the attacker’s “device.” This approval grants the attacker access tokens, enabling them to read and send emails, retrieve files from OneDrive, and view Teams conversations—all without needing the user’s password. This method is particularly dangerous as it renders traditional advice about checking website URLs ineffective, as the final authentication occurs on a legitimate Microsoft domain, and even multifactor authentication provides little defense once the code is approved.
Adaptive Campaign and Broader Implications
Securelist noted that the threat actors behind this campaign are adaptive. They identified a variant targeting users in Brazil, which replaced the initial malicious PDF with a link delivered via a legitimate diagramming website. Despite this change in delivery, the core mechanism remained the same: victims were still routed to the unique code screen and then to the authentic Microsoft login page, demonstrating the technique’s versatility across different phishing vectors.
What You Should Do
- Be Skeptical of Unexpected Login Requests: Never approve a device login request or enter a code if you did not personally initiate the login process, regardless of how official the prompt appears.
- Verify Links Carefully: Before clicking any link, hover over it to inspect the destination URL. Look for suspicious parameters or unexpected redirects, even if the primary domain seems legitimate.
- Review Device Code Flow Usage: Organizations should assess whether the Device Code Flow is essential for their daily operations. If not, consider disabling it through Conditional Access policies to mitigate this attack vector.
- Monitor for Suspicious Activity: Security teams should actively monitor for DeviceCodeSignIn events and enforce strict device compliance rules. Set up alerts for sign-ins originating from unusual locations or unmanaged devices.
- Enhance Email Security: Implement robust email security solutions capable of filtering out sophisticated phishing attempts, including those with password-protected attachments or links embedded within legitimate-looking documents.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.