Rising Phishing Threat Exploits Microsoft Authentication Flows
A new phishing technique has surfaced, capitalizing on a legitimate Microsoft authentication mechanism to compromise corporate accounts without the need to steal passwords. This method leverages the OAuth 2.0 Device Authorization Grant, a system designed to allow users to sign in from devices that have limited input capabilities, such as smart TVs and printers.
This phishing tactic tricks victims into granting access via Microsoft’s authoritative domains, which raises significant concerns regarding traditional anti-phishing strategies. Unlike typical phishing attempts that manipulate suspicious domain names, these attacks target users at the official Microsoft domains, thus eluding standard detection methods that rely on domain scrutiny.
Mechanism of the Phishing Attack
The OAuth 2.0 Device Authorization Grant works by allowing authenticated devices to request user consent through a short user code and a corresponding verification URI, for instance, https://microsoft.com/devicelogin. In its proper usage, an unauthenticated device sends a request to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode, subsequently receiving a user code and verification URI. The device then displays this information to the user, who must approve it.
Upon user approval, the authorization server issues access tokens and refresh tokens, enabling the device to access resources seamlessly and renew access without requiring further user involvement.
Recent research by Kaspersky suggests that malicious entities have been actively utilizing this workflow. In phishing campaigns observed during April to May 2026, attackers disguise themselves as law firms or reputable organizations, sending emails that include either password-protected PDFs or links hosted on seemingly trustworthy third-party platforms like cacoo.com.
The Phishing Process
The supplied PDF or link takes victims to a phishing landing page that initially displays a one-time code, mimicking the attacker’s user code requested from Microsoft. Users are then redirected to the legitimate Microsoft verification URI, where they have been instructed to input the code. As this page is genuine, users unwittingly complete multi-factor authentication processes, ultimately approving access for an attacker-controlled device.
Once the approval is granted, attackers swiftly collect the access tokens, ID tokens, and crucially the refresh tokens. These tokens provide them with persistent and stealthy access to pivotal corporate resources such as email, OneDrive, and Microsoft Teams.
Evasive Tactics Employed by Attackers
The campaigns are sophisticated, employing various evasive measures to make detection challenging. For instance, attackers utilize CAPTCHA gates to thwart automated crawlers and leverage legitimate domains as open redirects. They also adapt their email language and design to target specific demographics, including localized variations such as Portuguese-language emails directed at Brazilian users.
Using reputable domains for redirection complicates the initial screening for organizations since phishing attacks appear to come from trustworthy sources, despite the underlying deceptive URL parameters leading victims to the attackers’ infrastructure.
Recommendations for Organizations
To combat this evolving threat landscape, defenders must enhance their strategies beyond simple domain checks. Organizations are urged to train users to decline any device authorization requests they did not initiate and avoid pasting one-time codes in response to unsolicited messages. Users should be encouraged to inspect full URLs carefully and check for redirect parameters like redirect_uri, return_url, or next, although such measures prove inadequate when the final interaction occurs on Microsoft’s authentically secured sites.
At the enterprise level, administrators are urged to evaluate the necessity of the Device Code Flow. If deemed non-essential, disabling this function through Conditional Access policies in Microsoft Entra ID should be considered. When these features are required, strict Conditional Access rules should be enforced. These include mandating device compliance, restricting permissible platforms and geographic IP regions, and stipulating session and token lifetime limits to minimize exposure to potential misuse.
Lastly, continuous monitoring of DeviceCodeSignIn events is crucial. Organizations should create alerts for any unusual approval patterns, unexpected usage of refresh tokens, and sign-ins originating from unfamiliar locations or applications. Implementing stringent token lifetime policies and rapidly revoking suspicious refresh tokens will significantly limit chances for prolonged unauthorized access.
By adopting these practices, organizations may better equip themselves against this sophisticated phish-based attack vector and safeguard their digital assets from falling prey to malicious actors.
