Device Code Phishing Exploits Microsoft OAuth 2.0 Implementation

Device Code Phishing Exploits Microsoft OAuth 2.0 Implementation

First seen 6 Jul 2026, 09:41 UTC www.huntress.comSecurelistGbhackerswww.kaspersky.com 83% similarity 69.5

Article Content

Browse articles
ThreatCluster

A new phishing technique is exploiting the OAuth 2.0 Device Authorization Grant used by Microsoft. Attackers are tricking users into entering their credentials on a legitimate Microsoft site, thereby hijacking corporate accounts without needing passwords. This method leverages the one-time user code feature designed for input-constrained devices like smart TVs and IoT hardware. Victims are instructed to input codes on Microsoft's Identity Platform, making it difficult to detect fraudulent activity. The attack has raised alarms among cybersecurity experts, emphasizing the need for heightened awareness and protective measures against such tactics. Current defenses against this type of phishing are being discussed, but specific CVEs or tools were not mentioned in the articles.

Key Points: • Phishing attacks exploit Microsoft's OAuth 2.0 Device Authorization Grant. • Victims enter credentials on a legitimate Microsoft site, bypassing traditional phishing defenses. • Increased awareness and updated security measures are crucial to combat this emerging threat.

ThreatCluster AI

Timeline

2026-07-03
Device Code Phishing technique detailed
A case study highlights how Device Code Phishing exploits Microsoft's OAuth 2.0 implementation, affecting users of various input-constrained devices.
Huntress
2026-07-06
Phishing campaign reported
Securelist reports on a phishing campaign using Microsoft's Identity Platform to capture user credentials via legitimate URLs.
Securelist
2026-07-06
Phishing technique analysis published
Gbhackers details how attackers are using Microsoft's authentication flow to hijack corporate accounts without stealing passwords.
Gbhackers

Community

Browse all →