THREAT OPS › Threat News › When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website
When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website
<p><img alt="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/07/03170147/Device-Code-Phishing-pingpongsuperman_A_fisherman_hacker_is_fishing_using_a_large_TV_261a6841-d900-4140-bffd-0f2f596e9977-990x400.jpg" width="990" /></p><p>One of the most common pieces of anti-phishing
MITRE ATT&CK techniques
- CredentialsT1589.001
- Conditional Access PoliciesT1556.009
- Malicious LinkT1204.001
- Malicious LinkAML.T0011.003
Indicators of compromise
- https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecodeurl
- https://login.microsoftonline.com/%7btenant%7d/oauth2/v2.0/tokenurl
- https://login.microsoftonline.com/{tenant}/oauth2/v2.0/tokenurl
- https://www.kaspersky.com/enterprise-security/mail-server-security?icid=kl-ru_sl_post-ksms_sm-team_28043507eef1c27burl
- https://www.kaspersky.com/premium?icid=kl-ru_sl_post-kprem_sm-team_0239623e36ba5b4furl
- media.kasperskycontenthub.comdomain
- cacoo.comdomain
Original source: https://securelist.com/microsoft-device-code-phishing-attack/120350/