A phishing campaign abused Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to capture valid Microsoft account tokens without sending victims to a counterfeit login page. Victims received emails posing as legal notifications, including password-protected PDF attachments, and were funneled through phishing pages that displayed a one-time device code before directing them to the legitimate microsoft.com/devicelogin page. After victims entered the code and completed normal MFA on Microsoft's real site, the attackers obtained access_token, refresh_token, and id_token values tied to attacker-controlled applications.
The stolen tokens enabled persistent access to Microsoft services including email, OneDrive, and Teams, allowing attackers to read messages, access files, and monitor conversations. Researchers said the activity was observed from early April to mid-May 2026 and included a Brazil-focused variant that used legitimate redirect links, including on cacoo.com, to add credibility to the lure chain. Defenders were urged to reject unexpected device authorization prompts, inspect redirect parameters in otherwise legitimate URLs, disable Device Code Flow in Microsoft Entra ID where it is not needed, and monitor DeviceCodeSignIn and anomalous sign-in activity for signs of compromise.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
From late June 2026 into early July, attackers used collaboration-, payment-, and shared-folder-themed lures to drive victims through Microsoft's legitimate device login flow via a compromised Croatian rental website. ZeroBEC linked the activity to reusable DEBULL phishing infrastructure, with overlap to Storm-2372 tradecraft and likely use of GraphSpy or related post-exploitation tooling.
A related variant adapted the same device code phishing technique for Brazilian targets. It used lures that abused legitimate redirect links on cacoo.com to route victims into the attack flow.
After victims completed normal Microsoft authentication and MFA, the attackers received access_token, refresh_token, and id_token values. These tokens enabled ongoing access to Microsoft services including email, OneDrive, and Teams.
From early April to mid-May 2026, attackers ran a phishing campaign abusing Microsoft's OAuth 2.0 Device Authorization Grant flow. Victims were lured with legal-notification-themed emails and redirected to enter a one-time device code on the legitimate microsoft.com/devicelogin page.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcecybersecuritynews.com
Open sourcesecurelist.ru
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.