When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website
Attackers are abusing Microsoft's legitimate Device Authorization Grant (OAuth 2.0 Device Code Flow) to conduct phishing attacks that bypass traditional URL-based anti-phishing defenses. By pre-fetching a device code from Microsoft's identity platform and tricking victims into entering it on the genuine login.microsoftonline.com page, attackers harvest access and refresh tokens that grant persistent access to the victim's Microsoft 365 account. Two campaign variants were observed: one using password-protected PDF attachments impersonating a law firm, and another targeting Brazilian users via open redirects on cacoo.com.
- domainallegianceinvestigators[.]comSender domain used in the law firm Device Code Phishing campaign
- emailpatm[@]allegianceinvestigators[.]comSender email address used in the law firm impersonation phishing campaign delivering password-protected PDF with malicious link
Detection / Hunteropenrouter
What Happened
Attackers have found a way to steal access to Microsoft accounts by abusing a legitimate Microsoft login feature designed for devices like smart TVs that don't have keyboards. The attacker gets a one-time code from Microsoft, sends it to the victim in a phishing email, and tricks the victim into entering that code on Microsoft's real website. When the victim completes the login (including multi-factor authentication) on the genuine Microsoft page, the attacker secretly receives login tokens that let them read emails, access files, and monitor Teams conversations — all without needing the victim's password. This affects any organization using Microsoft 365. It matters because the victim is logging into the real Microsoft website, so standard advice like 'check the URL' doesn't help. Organizations should consider disabling the Device Code Flow feature if they don't need it, and monitor for suspicious device-code sign-in activity.
Key Takeaways
- Attackers abuse Microsoft's legitimate Device Authorization Grant (OAuth 2.0) flow to trick victims into authenticating on the real login.microsoftonline.com page, bypassing traditional anti-phishing URL checks.
- The attacker pre-fetches a device code from Microsoft, presents it to the victim via a phishing page, and the victim completes MFA on the genuine Microsoft portal — granting the attacker access_token, refresh_token, and id_token.
- Two campaign variants observed: one using password-protected PDF attachments impersonating a law firm (April–May 2026), and another targeting Brazilian users via embedded links abusing cacoo.com as an open redirect.
- Refresh tokens enable long-term persistence without further user interaction, allowing attackers to read/send emails, exfiltrate OneDrive files, and access Teams conversations.
- Defenders can disable Device Code Flow via Conditional Access policies in Microsoft Entra ID if not business-required, and monitor DeviceCodeSignIn events for anomalous activity.
Affected Systems
- Microsoft Entra ID / Azure AD tenants
- Microsoft 365 services (Exchange Online, OneDrive, Teams)
- Any organization where Device Code Flow is enabled
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Phishing email delivered with password-protected PDF attachment (law firm lure) or embedded link (Brazilian variant)
- Redirection: Victim clicks link inside PDF or email; link uses legitimate domain (login.microsoftonline.com or cacoo.com) with redirect parameters to route to attacker-controlled phishing infrastructure
- Code Generation: Attacker's server-side application pre-fetches a device code by POSTing to https://login.microsoftonline.com/\{tenant\}/oauth2/v2.0/devicecode
- User Interaction: Phishing page displays the one-time code and redirects victim to legitimate Microsoft device login page (microsoft.com/devicelogin) where victim pastes code and completes MFA
- Token Harvest: Attacker polls token endpoint and receives access_token, refresh_token, and id_token upon victim's successful authentication
- Persistence & Exfiltration: Attacker uses refresh_token for persistent access to read/send emails, exfiltrate OneDrive files, and access Teams conversations
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries. It recommends monitoring DeviceCodeSignIn events in Microsoft Entra ID and configuring Conditional Access policies, but does not include ready-to-use detection logic.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Low | The attack primarily occurs through browser-based interaction with legitimate Microsoft domains and OAuth token exchange at the API level. EDR telemetry would show browser activity but not the OAuth flow details or token theft itself. |
| Network Visibility | Medium | Network monitoring could detect POST requests to the Microsoft devicecode and token endpoints, but since these are legitimate Microsoft domains, distinguishing malicious from benign device code flows requires correlation with user behavior and context. |
| Detection Difficulty | Hard | The attack leverages entirely legitimate Microsoft infrastructure and OAuth flows. Distinguishing a malicious Device Code Flow from a legitimate one (e.g., a smart TV login) requires behavioral analysis of sign-in patterns, geographic anomalies, and correlation with phishing email telemetry. |
Required Log Sources
- Microsoft Entra ID sign-in logs (DeviceCodeSignIn events)
- Microsoft 365 audit logs (mailbox access, OneDrive access, Teams activity)
- Conditional Access policy logs
- Email security gateway logs (for phishing email detection)
- Web proxy logs (for redirect chain analysis)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for DeviceCodeSignIn events in Microsoft Entra ID where the initiating user has no history of device code authentication, as this may indicate a phishing-induced flow. | Microsoft Entra ID sign-in logs filtered for authenticationProtocol == 'deviceCode' | Credential Access | Medium — legitimate users may use device code flow for smart TVs, IoT devices, or CLI tools like Azure CLI for the first time. |
| Consider hunting for access token usage from IP addresses or geolocations inconsistent with the user's normal sign-in patterns shortly after a DeviceCodeSignIn event. | Microsoft Entra ID sign-in logs correlated with subsequent resource access logs (Exchange, OneDrive, Teams) | Persistence / Exfiltration | Low to Medium — travel scenarios could trigger false positives, but combined with device code flow context, risk decreases. |
| Consider hunting for refresh token usage patterns where tokens are exchanged from unexpected client applications or user agents that differ from the user's typical device profile. | Microsoft Entra ID token refresh logs including client_app_id and user_agent fields | Persistence | Medium — users may switch devices or applications, but a sudden change combined with a preceding device code sign-in is suspicious. |
| Consider hunting for phishing emails containing links to login.microsoftonline.com with redirect parameters (redirect_uri, return_url, next) that point to non-Microsoft destinations. | Email security gateway logs and URL rewriting logs | Initial Access | Low — legitimate Microsoft links with redirect parameters to external sites are uncommon in corporate email. |
Control Gaps
- Traditional URL-based anti-phishing controls fail because the victim interacts with legitimate Microsoft domains
- MFA does not prevent this attack because the victim completes MFA on the genuine Microsoft page
- Email security gateways may not flag emails containing links to legitimate domains like cacoo.com or login.microsoftonline.com
- Conditional Access policies that do not explicitly restrict Device Code Flow leave this attack vector open
Key Behavioral Indicators
- DeviceCodeSignIn events for users with no prior history of device code authentication
- Email links pointing to login.microsoftonline.com/oauth2/v2.0/authorize with redirect parameters to external domains
- Links to cacoo.com used as open redirects in phishing emails
- Password-protected PDF attachments with password '0000' in law firm impersonation emails
- Refresh token exchanges from unexpected client applications or geolocations following a DeviceCodeSignIn event
- Access patterns to Exchange, OneDrive, or Teams from new IP addresses shortly after device code authentication
False Positive Assessment
Medium — Device Code Flow is legitimately used by smart TVs, IoT devices, printers, and CLI tools like Azure CLI. Distinguishing malicious from benign usage requires behavioral baselining and correlation with phishing telemetry. However, the specific phishing indicators (law firm impersonation, cacoo.com redirects, password-protected PDFs with password '0000') have lower false positive rates.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider reviewing recent Microsoft Entra ID DeviceCodeSignIn events for any signs of compromise, especially for users who received suspicious emails.
- If Device Code Flow is not required for business operations, consider disabling it globally via Conditional Access policies in Microsoft Entra ID.
- If disabling globally is not feasible, consider restricting Device Code Flow to specific compliant devices or user groups only.
- Consider blocking or flagging emails from the sender domain allegianceinvestigators.com in your email security gateway.
Infrastructure Hardening
- Evaluate whether your Conditional Access policies enforce device compliance requirements for all authentication methods, including device code flow.
- Consider implementing location-based Conditional Access policies that block device code sign-ins from unexpected geographies.
- If supported by your email security platform, consider enabling enhanced scanning for password-protected PDF attachments.
- Consider configuring alerts for anomalous Microsoft 365 access patterns (new IP, new geolocation, unusual client app) following any device code authentication event.
User Protection
- Consider deploying email security solutions capable of inspecting password-protected attachments and analyzing redirect chains within legitimate domains.
- If applicable, consider enabling Microsoft Defender for Office 365 anti-phishing policies with impersonation protection for legal and corporate domains.
- Evaluate whether your web proxy can inspect and block redirect chains that route through legitimate domains to known phishing infrastructure.
Security Awareness
- Consider adding Device Code Phishing awareness to existing security training programs, emphasizing that legitimate Microsoft pages can be abused in attacks.
- Advise users never to enter authentication codes received via unexpected emails or messages, even if the link points to an official Microsoft domain.
- Encourage users to hover over links to inspect both the primary domain and redirect parameters before clicking, and to verify the final URL matches expectations.
- Consider reminding users that they should only enter device codes when they personally initiated a login on an external device (e.g., smart TV, CLI tool).
MITRE ATT&CK Mapping
Initial Access
Additional IOCs
- File Paths:
Secure_Documents_from_[redacted].pdf- Password-protected PDF attachment (password: 0000) used in law firm phishing campaign; contained link that redirected to Device Code Phishing landing page
- Other:
ECLC9L9ME- Example device code displayed on phishing landing page in law firm campaign; ephemeral but illustrates the attack patternFYENFRM8R- Example device code displayed on phishing landing page in Brazilian campaign; ephemeral but illustrates the attack pattern