Device code phishing bypasses password stealing

What Happened

Cybercriminals are using a new phishing technique that tricks users into linking their Microsoft 365 accounts to an attacker's device, bypassing the need to steal passwords. The attack starts with a fake business email, like an estimate approval, which leads to a page asking the user to enter a code into a real Microsoft login window. If successful, the attacker gains full access to the victim's account. This is dangerous because the login prompts look completely legitimate and bypass standard security checks. Organizations should train employees to be highly suspicious of 'device code' prompts and monitor their networks for unusual device authorizations.

Key Takeaways

• Adversaries are actively abusing Microsoft's OAuth 2.0 Device Authorization Grant flow to bypass traditional password stealing and achieve account takeover.
• The phishing kit utilizes ClickFix-style landing pages that instruct victims to copy a verification code and enter it into a genuine Microsoft authentication popup.
• To evade string-based detection, the HTML landing pages are heavily obfuscated using invisible Unicode format characters (ZWS, WJ, ZWNJ).
• The attack coordinates the OAuth flow by beaconing the device code to the attacker's server via POST requests every four seconds.
• Network traffic analysis can identify the attack by correlating legitimate Microsoft authentication host resolutions with the distinct 4-second beaconing pattern.

Affected Systems

• Microsoft 365
• Microsoft Entra ID

Attack Chain

The attack begins with an email containing an HTML attachment that references an embedded lure image via a Content ID URL. Clicking the image redirects the victim to a ClickFix-style phishing landing page heavily obfuscated with Unicode characters. The page instructs the victim to copy a verification code and click a button, which opens a legitimate Microsoft OAuth 2.0 device login portal. As the victim enters the code and their credentials into the genuine Microsoft prompt, the phishing page continuously beacons the device code to the attacker's server, ultimately authorizing the attacker's device and granting access to the victim's Microsoft 365 account.

Detection Availability

• YARA Rules: Yes
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: ReversingLabs

A YARA rule is provided to detect the HTML landing page of the device code phishing kit by identifying Microsoft login URLs, invisible Unicode format characters, and a bit-shifted Entra ID security token string.

Detection Engineering Assessment

EDR Visibility: Low — The attack primarily occurs within the browser and abuses legitimate cloud authentication flows (OAuth), generating minimal endpoint artifacts other than standard browser network connections. Network Visibility: High — The attack relies on a specific sequence of DNS resolutions to Microsoft authentication endpoints combined with a distinct 4-second beaconing pattern to the phishing kit host. Detection Difficulty: Moderate — While the network pattern is distinct, correlating legitimate Microsoft authentication traffic with malicious beaconing requires advanced network telemetry and correlation capabilities.

Required Log Sources

• DNS Logs
• Web Proxy/Gateway Logs
• Microsoft Entra ID Sign-in Logs

Hunting Hypotheses

Control Gaps

• Standard credential phishing detection (bypassed since no passwords are stolen directly by the kit)
• String-based HTML scanning (bypassed via Unicode obfuscation)

Key Behavioral Indicators

• Presence of excessive Zero Width Space (ZWS), Word Joiner (WJ), and Zero Width Non-Joiner (ZWNJ) characters in HTML files.
• 4-second interval POST requests containing 'dc=' parameters during Microsoft authentication flows.
• Presence of the bit-shifted string 'EvoStsArtifacts' within URL-safe base64 encoded payloads.

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider blocking the provided phishing kit URLs and domains at the secure web gateway or firewall.
• If applicable, review Microsoft Entra ID sign-in logs for recent, anomalous Device Code grant authorizations and revoke suspicious sessions.

Infrastructure Hardening

• Evaluate whether the OAuth 2.0 Device Authorization Grant flow can be disabled or restricted in your Microsoft Entra ID tenant if not required for business operations.
• Consider implementing Conditional Access policies to restrict device code flow authentications to trusted networks or compliant devices.

User Protection

• If supported by your email security gateway, consider implementing rules to flag or quarantine HTML attachments containing excessive invisible Unicode characters.

Security Awareness

• Consider updating security awareness training to educate employees on the risks of 'Device Code' authentication prompts and how to recognize them.
• Instruct users to never enter a device code provided by a third-party website or email into a Microsoft login prompt.

MITRE ATT&CK Mapping

• T1566.001 - Phishing: Spearphishing Attachment
• T1528 - Steal Application Access Token
• T1027 - Obfuscated Files or Information
• T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

• Domains:
  • ajz-gud[.]lisa-g-h-rn[.]workers[.]dev - Phishing infrastructure subdomain
  • baquelite[.]ventoraco[.]com - Phishing infrastructure domain
  • biotechgroup[.]p-oye8mc0f[.]workers[.]dev - Phishing infrastructure subdomain
  • corpexl[.]nl - Phishing infrastructure domain
  • creditora[.]me[.]uk - Phishing infrastructure domain
  • dentalstrategies[.]noventragroup[.]app - Phishing infrastructure domain
  • docxfile-share[.]itkljpqn[.]workers[.]dev - Phishing infrastructure subdomain
  • horizonex[.]it[.]com - Phishing infrastructure domain
  • logvault[.]us - Phishing infrastructure domain
  • metroraco[.]com - Phishing infrastructure domain
  • sparkaxis[.]org - Phishing infrastructure domain
  • taskvault[.]nl - Phishing infrastructure domain
  • wgmilshyvn[.]workers[.]dev - Phishing infrastructure subdomain
• Urls:
  • hxxp://baquelite[.]ventoraco[.]com/doc98374/ - Phishing kit URL
  • hxxp://biotechgroup[.]p-oye8mc0f[.]workers[.]dev/ - Phishing kit URL
  • hxxp://creditora[.]me[.]uk/HPDGassocies - Phishing kit URL
  • hxxp://dentalstrategies[.]noventragroup[.]app/dntrategie/ - Phishing kit URL
  • hxxp://docxfile-share[.]itkljpqn[.]workers[.]dev/ - Phishing kit URL
  • hxxp://horizonex[.]it[.]com/securedocument - Phishing kit URL
  • hxxp://logvault[.]us/jfkydg4of/ - Phishing kit URL
  • hxxp://metroraco[.]com/GroupeBergeron/ - Phishing kit URL
  • hxxp://mysharereport[.]wgmilshyvn[.]workers[.]dev/ - Phishing kit URL
  • hxxp://osoxsl[.]taskvault[.]nl/binsfe - Phishing kit URL
  • hxxp://sparkaxis[.]org/deployment/ - Phishing kit URL
  • hxxps://accounting[.]wgmilshyvn[.]workers[.]dev/ - Phishing kit URL
  • hxxps://agreement[.]primeforgeco[.]org/document/ - Phishing kit URL
  • hxxps://corpexl[.]nl/invoice/ - Phishing kit URL
  • hxxps://login[.]growthora[.]app/document/ - Phishing kit URL