CyberSecurityNews

Microsoft Device Code Phishing Attack Steals Tokens Through Legitimate Login Page


A new phishing technique is tricking users into handing over their Microsoft account tokens without a fake website in sight. Attackers are exploiting a legitimate Microsoft authentication feature to steal access to email, files, and chat messages.

The method works well because victims never leave the real Microsoft login page during the attack.

The technique targets a Microsoft feature called the Device Authorization Grant, also known as the Device Code Flow.

This feature helps devices without a keyboard, such as smart TVs or printers, log into an account using a code entered on a nearby phone. Attackers found a way to hijack this feature.

Researchers from Securelist identified a campaign running from April to mid May 2026 that used this method against real victims.

The attack began with an email disguised as a law firm notice, carrying a password protected PDF attachment designed to look official.

Securelist said in a report shared with Cyber Security News (CSN) that once opened, the PDF led victims through pages that connected them to Microsoft’s genuine login system, but with a twist.

The victim was asked to copy a one time code and paste it into the real Microsoft authentication page, unknowingly handing control of their account to the attacker.

The impact of this technique is significant because it bypasses the usual advice to check a website’s address before entering credentials.

Since the final login screen is authentic, even careful users can be fooled, and multi factor authentication offers little protection once the code is approved.

Microsoft Device Code Phishing Attack

The attack begins the moment a victim opens the malicious PDF attached to the phishing email.

The phishing email (Source – Securelist)

Inside the document, a link claims to lead to important files but redirects the user to a fake legal portal built to look convincing.

That fake portal “The phishing page,” includes CAPTCHA checks meant to block automated scanners. After clearing these checks, the victim reaches a screen displaying a one time code with instructions to copy it.

The phishing page (Source - Securelist)
The phishing page (Source – Securelist)

Clicking that code copies it to the clipboard and sends the victim straight to Microsoft’s real authentication page, “Official Microsoft authentication page.” There, the user pastes the code and completes login as a legitimate device would.

Official Microsoft authentication page (Source - Securelist)
Official Microsoft authentication page (Source – Securelist)

Behind the scenes, the attacker’s system had already requested this code from Microsoft’s servers.

Once approved, the attacker receives access tokens that allow reading and sending emails, pulling files from OneDrive, and viewing Teams conversations without needing a password.

Wider Reach and Protective Steps

This campaign was not a one time event. Securelist noted that the same group has adapted its approach for different regions, including a variant aimed at users in Brazil that swapped the PDF for a link through a legitimate diagramming website, “The Brazilian phishing variant”.

That version still routed victims to the same one time code screen and the same genuine Microsoft login page, showing the method can be reshaped for different audiences while keeping its core trick intact.

The users should never approve a device login request they did not personally start, no matter how official the email or website appears.

Users should also avoid entering codes from unexpected messages, even when the link points to a genuine Microsoft domain, since attackers can hide malicious redirects inside trustworthy links.

Before clicking any link, hover over it to check where it leads, watching for parameters that might redirect to unfamiliar destinations.

Organizations should review whether the Device Code Flow is needed for daily work, and disable it via Conditional Access policies if it serves no purpose.

Security teams should also watch for DeviceCodeSignIn events, enforce device compliance rules, and set alerts for sign ins from unusual locations.

Pairing these steps with strong email security that filters personal and corporate messages gives a stronger defense against this form of takeover.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link