Skip to content
July 13, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Cybercriminals
  • Device Code Phishing: Microsoft 365 Attack That Steals No Passwords
  • Cybercriminals

Device Code Phishing: Microsoft 365 Attack That Steals No Passwords

Do Son June 20, 2026 3 minutes read
0
hack
Add Daily CyberSecurity as a preferred source on Google

A clever new phishing technique skips the password entirely. ReversingLabs has uncovered an active device code phishing campaign that hijacks Microsoft 365 accounts. Instead of faking a login page, the attackers abuse a real Microsoft sign-in flow. As the researchers put it, the kit “abuses Microsoft’s legitimate OAuth 2.0 Device Authorization Grant flow.”

No Password Required

This is what makes the attack so dangerous. “Rather than stealing passwords through a counterfeit login page,” the kit takes a different route. It “persuades victims to complete a legitimate Microsoft authentication process that authorizes an attacker-controlled device.” In short, the victim hands over access without ever leaking a password.

Because the login happens on real Microsoft pages, classic warning signs vanish. There is no fake domain to spot. No suspicious certificate raises a flag either. Consequently, even careful users can fall for it.

A Technique on the Rise

Device code phishing is not entirely new. The OAuth 2.0 device flow normally helps smart TVs and command-line tools log in. However, attackers have learned to twist it for account theft. Over the past year, both criminal and state-aligned groups have embraced the tactic. Phishing-as-a-service kits have lowered the bar even further. This RL campaign shows how polished those operations have become.

How the Attack Unfolds

The lure arrives as a business email. It poses as a vendor estimate awaiting approval. Notably, the message hides its image behind a clickable HTML attachment. One click sends the victim to a polished, ClickFix-style landing page.

There, a “Review Document” button reveals a verification code. The page then tells the victim to copy that code and sign in with Microsoft. Crucially, the sign-in popup is genuine. It lives on Microsoft’s own aka.ms/devicelogin entry point.

When the victim enters the code, they unknowingly approve the attacker’s device. From that moment, the criminal holds a valid token for the Microsoft 365 account. A later Microsoft prompt even names the “Microsoft Authentication Broker” and “another device” a subtle clue something is wrong. As a result, the account takeover completes silently.

Device code phishing flow abusing Microsoft 365 OAuth device authorization for account takeover
Microsoft Authentication Broker username prompt | Image:

Built to Dodge Detection

The phishing kit also works hard to stay hidden. For instance, it sprinkles invisible Unicode characters through its code. These zero-width spaces split red-flag words like “Verify” and “Microsoft.” Therefore, simple string-matching scanners miss them.

Behind the scenes, the kit beacons constantly. It sends the device code to its server every four seconds. This loop keeps the attacker’s OAuth flow in sync with the victim. The kit also routes through Akamai-hosted Microsoft URLs, which boosts its air of legitimacy.

How to Spot Device Code Phishing

Detection is still possible, however. RL notes that “the Microsoft authentication alone is not malicious.” Yet pairing that login with four-second beaconing exposes the scheme. So network defenders should hunt for that telltale traffic pattern. Security teams can also watch for the specific hostname-resolution sequences RL documented.

For users, the rule is simple. Treat any unsolicited code you are told to enter at a Microsoft prompt as suspicious. Microsoft’s own dialog even warns, “Do not enter codes from sources you don’t trust.” User training that focuses only on URLs will not catch this.

Device code phishing represents a growing threat, and it will not be the last campaign of its kind. Above all, organizations should review Entra ID sign-in logs for unexpected device code grants.

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • GreedyBear Unmasked: How Stealthy Firefox Extensions and Fake Sites Stole $1M in Crypto
  • Proofpoint Exposes TA2900: French-Speaking BEC Actor Exploits Rental Payment System
  • North Korea’s AI-Powered Cybercrime: Deepfakes & Fake Personas Infiltrate 300+ US Companies via Remote IT Jobs
  • The Fake “RedLine”: Imposter Malware Hijacks Crypto Wallets on Discord
  • “Curly COMrades” Group Unmasked: Russian Threat Actors Deploy New Backdoor in Geopolitical Espionage Campaign
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Account Takeover Device Authorization Grant Device Code Phishing Microsoft 365 OAuth phishing ReversingLabs

Leave a Reply Cancel reply

You must be logged in to post a comment.

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-14453CVSS 9.6
    This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets...
  • CVE-2026-59518CVSS 9.8
    Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This...
  • CVE-2026-59515CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
  • CVE-2026-57813CVSS 9.8
    Incorrect Privilege Assignment vulnerability in properfraction MailOptin mailoptin allows Privilege Escalation.This issue...
  • CVE-2026-57811CVSS 10.0
    Improper Control of Generation of Code ('Code Injection') vulnerability in Realtyna Realtyna...
  • CVE-2026-57770CVSS 9.8
    Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object...
  • CVE-2026-57744CVSS 9.8
    Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions...
  • CVE-2026-57739CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
  • CVE-2026-57738CVSS 9.8
    Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This...
  • CVE-2026-57726CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.