Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Microsoft Login Exploit Used in New Phishing Attacks

Microsoft Login Exploit Used in New Phishing Attacks

Posted on July 6, 2026 By CWS

A novel phishing strategy is enabling attackers to obtain Microsoft account tokens without relying on counterfeit websites. This tactic leverages a legitimate Microsoft authentication feature, granting access to emails, files, and chat messages.

Exploiting Legitimate Login Features

This approach is particularly effective as victims remain on the authentic Microsoft login platform throughout the attack. The scheme targets the Device Authorization Grant, also known as the Device Code Flow, which is intended for devices like smart TVs or printers to log in using a code entered on a nearby device. Attackers have discovered a method to manipulate this feature.

Securelist researchers uncovered a campaign active from April to mid-May 2026, utilizing this method against unsuspecting users. The attack commenced with an email masquerading as a legal notice from a law firm, containing a password-protected PDF designed to appear legitimate.

Mechanics of the Phishing Attack

Once the PDF is opened, it directs victims through a process that involves Microsoft’s real login system, albeit with a deceptive twist. Victims are instructed to copy a one-time code into the authentic Microsoft authentication page, inadvertently granting attackers control of their accounts.

This method circumvents common security advice, as users are directed to a genuine login page, making it difficult to detect the scam. Even multi-factor authentication is ineffective once the code is approved.

Campaign Variants and Protection Measures

The attack doesn’t stop at a single campaign. Securelist reports that the attackers have adapted their strategy for various regions, including a version targeting Brazilian users, which substitutes the PDF with a link from a reputable diagramming site. The core of the attack remains unchanged, demonstrating its adaptability.

To safeguard against such threats, users should never approve device login requests they did not initiate, regardless of how authentic the email or website seems. Codes from unexpected messages should also be avoided, even if the link appears to lead to a legitimate Microsoft domain.

Organizations are advised to evaluate the necessity of the Device Code Flow for their operations and disable it if unnecessary through Conditional Access policies. Monitoring DeviceCodeSignIn events and implementing device compliance rules can further bolster security.

For enhanced protection, security teams should combine these measures with robust email security systems that filter both personal and business communications, providing a more comprehensive defense against this form of phishing attack.

Cyber Security News Tags:Authentication, Brazil, Conditional Access, cyber threats, Cybersecurity, device code flow, DeviceCodeSignIn, email security, login exploit, Microsoft, multi-factor authentication, phishing attack, Securelist, SOC, token theft

Post navigation

Previous Post: Armored Likho APT Threatens Global Government Sectors
Next Post: Linux KVM Bug Risks Host Security on Intel and AMD

Related Posts

Microsoft 365 Direct Send Weaponized to Bypass Email Security Defenses Microsoft 365 Direct Send Weaponized to Bypass Email Security Defenses Cyber Security News
Secret Blizzard Group’s ApolloShadow Malware Install Root Certificates on Devices to Trust Malicious Sites Secret Blizzard Group’s ApolloShadow Malware Install Root Certificates on Devices to Trust Malicious Sites Cyber Security News
Fired Intel Engineer Stolen 18,000 Files Many of which Were Classified as “Top Secret” Fired Intel Engineer Stolen 18,000 Files Many of which Were Classified as “Top Secret” Cyber Security News
FancyBear Security Breach Uncovers NATO Espionage Efforts FancyBear Security Breach Uncovers NATO Espionage Efforts Cyber Security News
Kimsuky Hackers Exploit LNK, JSE Lures Against Key Sectors Kimsuky Hackers Exploit LNK, JSE Lures Against Key Sectors Cyber Security News
UK Government Sets Timeline to Replace Passwords With Passkeys UK Government Sets Timeline to Replace Passwords With Passkeys Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark