Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Microsoft Login Exploit Used in New Phishing Attacks

Microsoft Login Exploit Used in New Phishing Attacks

Posted on July 6, 2026 By CWS

A novel phishing strategy is enabling attackers to obtain Microsoft account tokens without relying on counterfeit websites. This tactic leverages a legitimate Microsoft authentication feature, granting access to emails, files, and chat messages.

Exploiting Legitimate Login Features

This approach is particularly effective as victims remain on the authentic Microsoft login platform throughout the attack. The scheme targets the Device Authorization Grant, also known as the Device Code Flow, which is intended for devices like smart TVs or printers to log in using a code entered on a nearby device. Attackers have discovered a method to manipulate this feature.

Securelist researchers uncovered a campaign active from April to mid-May 2026, utilizing this method against unsuspecting users. The attack commenced with an email masquerading as a legal notice from a law firm, containing a password-protected PDF designed to appear legitimate.

Mechanics of the Phishing Attack

Once the PDF is opened, it directs victims through a process that involves Microsoft’s real login system, albeit with a deceptive twist. Victims are instructed to copy a one-time code into the authentic Microsoft authentication page, inadvertently granting attackers control of their accounts.

This method circumvents common security advice, as users are directed to a genuine login page, making it difficult to detect the scam. Even multi-factor authentication is ineffective once the code is approved.

Campaign Variants and Protection Measures

The attack doesn’t stop at a single campaign. Securelist reports that the attackers have adapted their strategy for various regions, including a version targeting Brazilian users, which substitutes the PDF with a link from a reputable diagramming site. The core of the attack remains unchanged, demonstrating its adaptability.

To safeguard against such threats, users should never approve device login requests they did not initiate, regardless of how authentic the email or website seems. Codes from unexpected messages should also be avoided, even if the link appears to lead to a legitimate Microsoft domain.

Organizations are advised to evaluate the necessity of the Device Code Flow for their operations and disable it if unnecessary through Conditional Access policies. Monitoring DeviceCodeSignIn events and implementing device compliance rules can further bolster security.

For enhanced protection, security teams should combine these measures with robust email security systems that filter both personal and business communications, providing a more comprehensive defense against this form of phishing attack.

Cyber Security News Tags:Authentication, Brazil, Conditional Access, cyber threats, Cybersecurity, device code flow, DeviceCodeSignIn, email security, login exploit, Microsoft, multi-factor authentication, phishing attack, Securelist, SOC, token theft

Post navigation

Previous Post: Armored Likho APT Threatens Global Government Sectors
Next Post: Linux KVM Bug Risks Host Security on Intel and AMD

Related Posts

Google and FBI Disrupt NetNut Proxy Network Exploiting Devices Google and FBI Disrupt NetNut Proxy Network Exploiting Devices Cyber Security News
Canva Down – Suffers Global Outage, Leaving Millions of Users Inaccessible Canva Down – Suffers Global Outage, Leaving Millions of Users Inaccessible Cyber Security News
Russian Ransomware Operator Sentenced to 102 Months Russian Ransomware Operator Sentenced to 102 Months Cyber Security News
CISA Adds Fortinet Vulnerability to KEV Catalog After Active Exploitation CISA Adds Fortinet Vulnerability to KEV Catalog After Active Exploitation Cyber Security News
RondoDoX Botnet Weaponizing a Critical React2Shell Vulnerability to Deploy Malware RondoDoX Botnet Weaponizing a Critical React2Shell Vulnerability to Deploy Malware Cyber Security News
CISA Alerts to Exploited SolarWinds Serv-U Vulnerability CISA Alerts to Exploited SolarWinds Serv-U Vulnerability Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark