Kaspersky Details Microsoft Device Code Phishing Attack Using OAuth Flow


device token malware microsoft
Image credit: Microsoft

Kaspersky has detailed a phishing campaign that abuses legitimate Microsoft infrastructure to trick users into granting access to their accounts.

The attack uses Microsoft Identity Platform and the OAuth 2.0 Device Authorization Grant, a legitimate sign-in flow designed for devices that cannot easily enter credentials. In this case, attackers use it for a technique known as Device Code Phishing.

How the Microsoft device code phishing attack works

In a normal Device Authorization Grant flow, a user receives a one-time code and enters it on a Microsoft authentication page. This lets the device complete sign-in.

In the phishing version, attackers generate the code first. They then convince the victim to enter that code on Microsoft’s real device login page.

That step makes the attack harder to detect. The victim lands on legitimate Microsoft infrastructure, but the authorization benefits the attacker’s malicious application.

Once the victim enters the code and approves the request, the attacker’s app can gain access to the Microsoft account.

Kaspersky monitored one such campaign between April and May.

Attackers sent emails that appeared to come from a law firm. The message included a password-protected PDF attachment, likely to make the email look more credible.

After opening the PDF, victims saw documents that appeared to require external access through links. The attackers claimed users needed a one-time access code to view the files through a fake service called LawConnect.

The campaign did not rely only on a fake login page. Instead, it pushed victims toward Microsoft’s legitimate device code entry page, which made the final authorization step appear safer than a normal phishing form.

Attackers abused Microsoft URLs and redirect tricks

Kaspersky said the phishing link could appear to point to a legitimate Microsoft login URL when users hovered over it.

However, the URL included redirect behavior that sent victims to a phishing website. That page showed several CAPTCHAs, likely to block automated security scanners and crawlers.

After passing the checks, victims saw instructions to copy a one-time code. They were then told to paste that code into Microsoft’s real device authorization form.

This is the key risk of Device Code Phishing. The victim may think they are following a secure Microsoft login process, while they are actually approving an attacker-controlled app.

Kaspersky urges users not to enter unexpected device codes

Kaspersky recommends that users avoid approving any Microsoft Device Authorization Grant request unless they personally started the sign-in process.

Users should never enter an authorization code received through an unexpected email, PDF, chat message, or website. This warning applies even when the link points to an official Microsoft domain.

Users should also inspect links carefully before opening them. Legitimate domains can still include suspicious redirect parameters, such as redirect_uri, return_url, or next.

After a page loads, users should confirm that the final URL matches the expected destination before entering corporate credentials or approving any account access request.

Businesses should review Device Code Flow access

Kaspersky also recommends that organizations evaluate whether they need Device Code Flow in their environment.

If the flow is not required, companies should disable it globally through Conditional Access policies in Microsoft Entra ID.

Security teams should monitor DeviceCodeSignIn events, enforce device compliance states, and configure alerts for unusual sign-in behavior.

Suspicious logins from unexpected locations should also be investigated quickly, especially when they involve unfamiliar applications or unexpected authorization flows.

Microsoft infrastructure remains a phishing target

This is not the first time attackers have abused trusted platforms for credential or token theft.

Recent reports have also highlighted attacks involving the ARToken platform, while Microsoft Teams infrastructure was recently explored by the Backdoor.Turn malware.

CISA has also warned about an exploited SharePoint flaw, showing that Microsoft-linked services remain a major target for attackers.

Via Neowin

More about the topics: Cybersecurity, microsoft

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

User forum

0 messages