A novel phishing strategy is enabling attackers to obtain Microsoft account tokens without relying on counterfeit websites. This tactic leverages a legitimate Microsoft authentication feature, granting access to emails, files, and chat messages.
Exploiting Legitimate Login Features
This approach is particularly effective as victims remain on the authentic Microsoft login platform throughout the attack. The scheme targets the Device Authorization Grant, also known as the Device Code Flow, which is intended for devices like smart TVs or printers to log in using a code entered on a nearby device. Attackers have discovered a method to manipulate this feature.
Securelist researchers uncovered a campaign active from April to mid-May 2026, utilizing this method against unsuspecting users. The attack commenced with an email masquerading as a legal notice from a law firm, containing a password-protected PDF designed to appear legitimate.
Mechanics of the Phishing Attack
Once the PDF is opened, it directs victims through a process that involves Microsoft’s real login system, albeit with a deceptive twist. Victims are instructed to copy a one-time code into the authentic Microsoft authentication page, inadvertently granting attackers control of their accounts.
This method circumvents common security advice, as users are directed to a genuine login page, making it difficult to detect the scam. Even multi-factor authentication is ineffective once the code is approved.
Campaign Variants and Protection Measures
The attack doesn’t stop at a single campaign. Securelist reports that the attackers have adapted their strategy for various regions, including a version targeting Brazilian users, which substitutes the PDF with a link from a reputable diagramming site. The core of the attack remains unchanged, demonstrating its adaptability.
To safeguard against such threats, users should never approve device login requests they did not initiate, regardless of how authentic the email or website seems. Codes from unexpected messages should also be avoided, even if the link appears to lead to a legitimate Microsoft domain.
Organizations are advised to evaluate the necessity of the Device Code Flow for their operations and disable it if unnecessary through Conditional Access policies. Monitoring DeviceCodeSignIn events and implementing device compliance rules can further bolster security.
For enhanced protection, security teams should combine these measures with robust email security systems that filter both personal and business communications, providing a more comprehensive defense against this form of phishing attack.
