Attackers abused Microsoft’s OAuth 2.0 Device Authorization Grant flow to phish users into authorizing attacker-controlled sessions on legitimate Microsoft login pages, allowing them to capture access tokens, refresh tokens, and ID tokens without stealing passwords directly. In the observed campaign, victims received phishing emails, were routed through phishing landing pages and open redirects, and were told to enter attacker-supplied one-time device codes on Microsoft’s official device verification page before completing MFA.
The stolen tokens enabled access to Microsoft 365 services including email, OneDrive, and Teams. Researchers also observed a Brazil-focused variant that used cacoo.com, a legitimate Nulab-owned service, as an open redirect to phishing infrastructure. Recommended mitigations include training users to reject unsolicited device-code requests, reviewing redirect parameters and final destinations, monitoring DeviceCodeSignIn events, enforcing device-compliance controls, and disabling Device Code Flow in Microsoft Entra ID where it is not required.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
The article describes a geographically adapted variant targeting users in Brazil that used cacoo.com, a legitimate Nulab-owned service, as an open redirect to phishing infrastructure. This variant was part of the broader device code phishing activity discussed in the report.
Securelist reported an observed phishing campaign that abused Microsoft’s OAuth 2.0 Device Authorization Grant flow to trick victims into authenticating attacker-controlled sessions on legitimate Microsoft login pages. The campaign was observed from early April to mid-May 2026 and resulted in attackers obtaining access, refresh, and ID tokens for Microsoft 365 resources.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
1 reference tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.