EXECUTIVE SUMMARY
An unidentified threat group is running a Microsoft 365 device‑code phishing campaign that abuses the OAuth 2.0 Device Authorization Grant (RFC 8628). The operation targets corporate Office 365 users across North America and Europe, with a focus on finance, legal and engineering departments. By tricking victims into approving a device code that the attacker generated, the group obtains valid access and refresh tokens for the victim's account without ever handling a password. The primary objective is account takeover for data extraction and further internal reconnaissance. The campaign pairs realistic business‑related lures with Microsoft's genuine login pages, so the user sees a legitimate Microsoft domain throughout the authorisation step.
The phishing email carries an image attachment that doubles as a clickable link to a counterfeit landing page. That page displays a device code and instructs the user to enter it on Microsoft's genuine device‑login page (microsoft.com/devicelogin). Because the approval happens on Microsoft's own endpoint, the browser shows a legitimate URL and certificate while the user, having completed whatever sign‑in steps the tenant requires, MFA included, is in fact authorising the attacker's client. The attacker, who requested the code and has been polling the token endpoint, receives an access token for the victim's account and uses it to enumerate mailboxes, download attachments and pivot to other cloud services. Access persists through the refresh token issued alongside it, which mints new access tokens without further user interaction for as long as it remains valid.
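The exchange described above, as an added example that is not code from the campaign or from Microsoft: a mock authorization server mirrors the shape of the Entra ID /devicecode and /token responses (RFC 8628), the attacker's client requests a code, the "lure" is just the user code plus the genuine verification URI, and the client polls until the victim approves or the code expires. The client id, codes, tokens and the victim's UPN are constructed values; the 15‑minute device code lifetime and the verification URI are Entra ID's real defaults.

```python
"""Offline walk-through of the OAuth 2.0 Device Authorization Grant (RFC 8628) as abused by
device-code phishing. Added example, not code from the campaign or from Microsoft: the
authorization server is a mock that mirrors the shape of the Entra ID /devicecode and /token
responses. CLIENT_ID, codes, tokens and the victim identity are constructed values."""
import secrets

CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed public client id
DEVICE_CODE_LIFETIME = 900  # Entra ID device codes expire after 15 minutes (expires_in=900)
POLL_INTERVAL = 5           # seconds between /token polls, as returned by the server


class FakeClock:
    """Deterministic clock so the example runs instantly and reproducibly."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class MockAuthorizationServer:
    """Mock identity provider. The client never sends a password: the victim authenticates
    (MFA included) in their own browser on the genuine site, then types the code."""

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}         # device_code -> grant record
        self.by_user_code = {}    # user_code -> device_code
        self.refresh_tokens = {}  # refresh_token -> (client_id, subject, scope)

    def device_authorization(self, client_id, scope):
        """POST /devicecode: the attacker's client starts the flow and receives both codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))  # format illustrative
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "expires_at": self.clock.now + DEVICE_CODE_LIFETIME, "subject": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",  # genuine page the lure points to
                "expires_in": DEVICE_CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_approves(self, user_code, subject):
        """The victim, signed in on the genuine page, enters the code from the lure."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or self.clock.now > self.pending[device_code]["expires_at"]:
            return False
        self.pending[device_code]["subject"] = subject
        return True

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock.now > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["subject"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return self._issue(client_id, rec["subject"], rec["scope"], "offline_access" in rec["scope"])

    def refresh(self, client_id, refresh_token):
        """POST /token with grant_type=refresh_token: renewal needs no user interaction."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec[0] != client_id:
            return {"error": "invalid_grant"}
        return self._issue(client_id, rec[1], rec[2], True)

    def revoke_all(self, subject):
        """Models revokeSignInSessions: invalidates every refresh token held for the user."""
        self.refresh_tokens = {rt: v for rt, v in self.refresh_tokens.items() if v[1] != subject}

    def _issue(self, client_id, subject, scope, with_refresh):
        resp = {"token_type": "Bearer", "scope": scope, "expires_in": 3600, "subject": subject,
                "access_token": "constructed-access-token-" + secrets.token_hex(8)}
        if with_refresh:  # offline_access in the requested scope yields a refresh token
            rt = "constructed-refresh-token-" + secrets.token_hex(8)
            self.refresh_tokens[rt] = (client_id, subject, scope)
            resp["refresh_token"] = rt
        return resp


def run_campaign(server, clock, victim=None, approve_on_poll=2, max_polls=200):
    """Attacker side: request codes, put user_code in the lure, poll /token until tokens or expiry.
    victim=None models a target who never enters the code."""
    start = server.device_authorization(CLIENT_ID, "openid offline_access Mail.Read")
    lure = f"Enter code {start['user_code']} at {start['verification_uri']}"  # all the lure page must show
    for poll in range(1, max_polls + 1):
        clock.advance(start["interval"])
        if victim is not None and poll == approve_on_poll:
            server.user_approves(start["user_code"], victim)
        resp = server.token(CLIENT_ID, start["device_code"])
        if "error" not in resp:
            return {"outcome": "tokens", "polls": poll, "lure": lure, "tokens": resp}
        if resp["error"] != "authorization_pending":
            return {"outcome": resp["error"], "polls": poll, "lure": lure}
    return {"outcome": "gave_up", "polls": max_polls, "lure": lure}


if __name__ == "__main__":
    clock = FakeClock()
    server = MockAuthorizationServer(clock)
    hit = run_campaign(server, clock, victim="victim@example.com")
    print(hit["lure"])
    print(hit["outcome"], "after", hit["polls"], "polls; refresh token:", "refresh_token" in hit["tokens"])
    print("renewed silently:", "access_token" in server.refresh(CLIENT_ID, hit["tokens"]["refresh_token"]))
    server.revoke_all("victim@example.com")
    print("after revocation:", server.refresh(CLIENT_ID, hit["tokens"]["refresh_token"]))
    clock2 = FakeClock()
    print("victim never enters code:", run_campaign(MockAuthorizationServer(clock2), clock2)["outcome"])
```

Two points fall out of running it: the attacker's host is the only party that ever contacts the token endpoint, so whatever address the identity provider logs for the grant is the attacker's, not the victim's; and the refresh token, not the short-lived access token, is what an incident responder must revoke.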
The campaign matters because it abuses a legitimate authentication flow rather than stealing credentials, so credential‑theft alerts have nothing to fire on and MFA does not help: the victim satisfies the MFA challenge themselves during a genuine Microsoft sign‑in. Its reliance on Microsoft's own endpoints defeats domain blocklists, and the device code is only valid for about 15 minutes, which is why the lures press for immediate action; once a token has been issued, the attacker's access is bounded only by token lifetimes and revocation. Organisations should use the Conditional Access "authentication flows" condition to block the device code flow for users and applications that do not need it, monitor Entra ID sign‑in logs for sign‑ins whose authentication protocol is device code (particularly from unfamiliar locations, or with several users authorising to one IP address), and educate users to refuse any request to type a code into a Microsoft login page they did not initiate. On confirmed compromise, revoke the user's refresh tokens (revokeSignInSessions) rather than only resetting the password. Regular backups, endpoint protection with behavioural analytics and prompt patching of email gateways remain useful baseline hygiene, although none of them addresses this flow directly.
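The sign‑in log check recommended above, as an added example rather than detection logic from the referenced reports. The events are constructed in the shape of Microsoft Graph signIn objects (a subset of fields; in Microsoft Sentinel the same data sits in the SigninLogs table as AuthenticationProtocol, AppId, UserPrincipalName, IPAddress and Location). It assumes, as a consequence of the flow rather than anything the page states, that the record for a device‑code grant carries the address of the host that requested the code and polled for the token, i.e. the attacker's; the two signals scored are therefore a country the user has never signed in from and one address collecting tokens for several users. The three first‑party client IDs are Microsoft's real well‑known application IDs; the remaining IDs and all users and addresses are constructed.

```python
"""Detection sketch: find device-code sign-ins in Entra ID sign-in events and rank them.
Added example, not from the referenced reports. Events are constructed in the shape of
Microsoft Graph signIn objects (subset of fields). Assumption: the device-code sign-in record
carries the IP of the host that requested the code and polled /token (the attacker's)."""
import json
from collections import defaultdict

# Microsoft first-party public clients present in every tenant. Seeing one is context,
# not proof of abuse: administrators legitimately use them with the device code flow.
FIRST_PARTY_CLIENTS = {
    "29d9ed98-a469-4536-ade2-f981bc1d605e": "Microsoft Authentication Broker",
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
}

# Constructed sample log, one JSON object per line: three ordinary sign-ins, two device-code
# sign-ins from one foreign address (the campaign shape), and one benign device-code sign-in
# (carol, own country, Azure CLI) so the scoring has something to down-rank.
SAMPLE_LOG = """
{"createdDateTime":"2025-03-04T07:50:03Z","userPrincipalName":"carol@example.com","appId":"aaaaaaaa-0000-0000-0000-000000000001","appDisplayName":"constructed web app","ipAddress":"203.0.113.12","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-03-04T08:02:11Z","userPrincipalName":"alice@example.com","appId":"aaaaaaaa-0000-0000-0000-000000000001","appDisplayName":"constructed web app","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-03-04T08:15:40Z","userPrincipalName":"bob@example.com","appId":"aaaaaaaa-0000-0000-0000-000000000001","appDisplayName":"constructed web app","ipAddress":"203.0.113.11","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-03-04T09:31:22Z","userPrincipalName":"alice@example.com","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e","appDisplayName":"Microsoft Authentication Broker","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2025-03-04T09:34:05Z","userPrincipalName":"bob@example.com","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e","appDisplayName":"Microsoft Authentication Broker","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2025-03-04T10:02:48Z","userPrincipalName":"carol@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.12","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"}}
"""


def parse_events(log_text):
    """One Graph-style signIn object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _country(event):
    return (event.get("location") or {}).get("countryOrRegion")


def baseline_countries(events):
    """Countries each user has signed in from by any protocol other than deviceCode."""
    base = defaultdict(set)
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            base[e["userPrincipalName"]].add(_country(e))
    return base


def detect_device_code_signins(events):
    """One finding per deviceCode sign-in, ranked high when it looks like a phishing grant."""
    base = baseline_countries(events)
    device_code = [e for e in events if e.get("authenticationProtocol") == "deviceCode"]
    # Several users' device-code tokens issued to one address: one attacker host polling
    # /token for many victims.
    users_per_ip = defaultdict(set)
    for e in device_code:
        users_per_ip[e["ipAddress"]].add(e["userPrincipalName"])
    findings = []
    for e in device_code:
        upn, ip, country = e["userPrincipalName"], e["ipAddress"], _country(e)
        reasons = []
        if country not in base.get(upn, set()):
            reasons.append(f"country {country} never seen in {upn}'s other sign-ins")
        if len(users_per_ip[ip]) > 1:
            reasons.append(f"{ip} received device-code tokens for {len(users_per_ip[ip])} users")
        findings.append({
            "time": e["createdDateTime"], "user": upn, "ip": ip, "country": country,
            "client": FIRST_PARTY_CLIENTS.get(e.get("appId"), e.get("appDisplayName")),
            "severity": "high" if reasons else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in detect_device_code_signins(parse_events(SAMPLE_LOG)):
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], f["client"], "; ".join(f["reasons"]))
```

Run against the sample, alice and bob come out high (foreign country plus a shared token‑collecting address) and carol medium (a device‑code sign‑in from her usual country, through a client administrators really do use this way). The equivalent first filter in Sentinel KQL is `SigninLogs | where AuthenticationProtocol == "deviceCode"`; the baseline and shared‑address logic above is what turns that list into something an analyst can triage.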
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Credential Access | T1528 | Steal Application Access Token | — |
| Defense Evasion | T1036 | Masquerading | — |
| Initial Access, Persistence | T1078.004 | Valid Accounts | Cloud Accounts |
| Collection | T1114.002 | Email Collection | Remote Email Collection |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/microsoft-365-device-code-phishing-campaign/
https://www.reversinglabs.com/blog/device-code-phishing-campaign