Jump to content
  • Be careful entering one-time codes in Microsoft's login flow, you could be getting phished


    Karlston

    • 23 views
    • 3 minutes
     Share


    • 23 views
    • 3 minutes

    Kaspersky has monitored a new phishing campaign where users put one-time codes into Microsoft's legit login flow, giving attackers account access.

    Kaspersky has outlined quite an interesting phishing campaign that utilizes Microsoft’s infrastructure while making the advice to double-check the domain name redundant. In this new attack, attackers are telling victims to put data directly into a legitimate and trusted corporate site, Microsoft Identity Platform, which supports the OAuth 2.0 spec Device Authorization Grant.

     

    According to the security company, the protocol was designed to make it easier to log in on smart TVs, IoT hardware, printers, and other input-constrained devices where typing is hard. The protocol requires users to enter a one-time code on an authentication page, but it is vulnerable to Device Code Phishing.

     

    Kaspersky said it monitored one of these types of phishing campaigns between April and May this year where attackers sent an email styled as a notice from a law firm. The email had a password-protected PDF file attached. After the victim opened the PDF and entered a password to open the file, they saw several documents which could be opened by clicking on a link.

     

    The attackers claimed that to access the documents via a fake service called LawConnect, you needed to request a one-time access code to “easily access” the documents. When hovering over the button, you can see a legitimate Microsoft login URL; however, the URL is crafted to redirect the user to a phishing website.

     

    After answering a few CAPTCHAs, which were likely deployed to stop security crawlers, the user is routed to a page that instructs them to copy a one-time code and then paste it into a legitimate code entry form from Microsoft. This gives access to the attacker's application, which previously generated the code the user just entered. Essentially, the malicious application now has access to the victim’s account.

     

    Kaspersky gives the following recommendations for defending against these types of phishing campaigns:

    • If you did not personally initiate a login request on an external device using the Microsoft Device Authorization Grant, do not approve the authorization request.
    • Never enter an authorization code received via unexpected emails or messages, even if the provided link points directly to an official Microsoft domain.
    • Threat actors frequently leverage open redirects on legitimate domains, appending parameters like redirect_uri, return_url, or next after the question mark (?) to point to a malicious destination. Before clicking any link, hover your cursor over it to inspect both the primary domain and any suspicious redirect parameters. Once the page loads, verify that the final URL actually matches the expected asset — this is the absolute minimum requirement before entering corporate credentials.

    The company also recommends that businesses evaluate if they need Device Code Flow within their corporate infrastructure. It should be disabled globally via the Conditional Access policies within Microsoft Entra ID if it isn’t absolutely needed. It also said that security teams can set up dedicated monitoring for DeviceCodeSignIn events and that they should strictly enforce device compliance states. Configuring alerts for anomalous sign-in behavior originating from unusual locations is also recommended.

     

    Source


    Hope you enjoyed this news post. Feedback welcome.

    Posted Tuesday 7 July 2026 at 8:31 am AEST (my time).

    News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of June) 2,475

    RIP Matrix


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...