Device Code Flow Exploit Lets Attackers Hijack Microsoft Accounts via Real Login Page

Attackers are exploiting Microsoft's Device Authorization Grant feature to steal account tokens without using a fake login page, bypassing traditional phishing warnings.

CSBadmin
3 Min Read

How the Attack Works

A new phishing campaign is exploiting a legitimate Microsoft authentication feature called Device Authorization Grant, commonly known as Device Code Flow. This feature is designed for devices without keyboards to log into an account using a code entered on a nearby phone. Attackers have repurposed this flow to trick victims into handing over account tokens without ever seeing a fake login page.

The attack begins with an email disguised as a law firm notice containing a password protected PDF attachment. Once opened, the PDF leads victims through pages that connect them to Microsoft’s genuine login system. Victims are asked to copy a one time code and paste it into the real Microsoft authentication page. Unbeknownst to them, the attacker’s system had already requested this code from Microsoft’s servers. Once the victim approves it, the attacker receives access tokens that allow reading and sending emails, pulling files from OneDrive, and viewing Teams conversations without needing a password.

Impact and Wider Scope

Researchers from Securelist identified this campaign running from April to mid May 2026. The technique is particularly dangerous because it bypasses the standard advice to check a website’s address before entering credentials. Since the final login screen is authentic, even careful users can be fooled, and multi factor authentication offers little protection once the code is approved.

The same group has adapted its approach for different regions, including a variant targeting users in Brazil that swapped the PDF for a link through a legitimate diagramming website. This variant still routed victims to the same one time code screen and genuine Microsoft login page, demonstrating the method can be reshaped for different audiences while keeping its core trick intact. To defend against this attack, users should never approve a device login request they did not personally start. Organizations should review whether Device Code Flow is needed for daily work and disable it via Conditional Access policies if it serves no purpose. Security teams should monitor for DeviceCodeSignIn events, enforce device compliance rules, and set alerts for sign ins from unusual locations.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.