Attackers hijack Microsoft 365 accounts using Microsoft's own login page

Security researchers are warning about a phishing method that never sends victims to a fake website. Instead, targets are coaxed into typing an attacker-supplied one-time code directly into Microsoft's own genuine sign-in page, which quietly hands the attacker full access to the victim's Microsoft 365 mailbox, OneDrive files, and Teams chats.

The campaign was documented by Roman Dedenok at Kaspersky's Securelist, who observed it running from early April to mid-May 2026. It abuses a legitimate feature called the OAuth 2.0 Device Authorization Grant (also known as Device Code Flow), which was built so input-limited gadgets like smart TVs, printers, and IoT hardware can sign in. Normally the device shows a short code, you enter that code at microsoft[.]com/devicelogin from your phone or laptop, and the device is authorized. Attackers have turned that convenience into an account-takeover tool.

How the attack works

The attacker first asks Microsoft for a device code of their own, then races to get a victim to approve it. In the campaign Securelist analysed, the lure was an email posing as a law firm with a password-protected PDF attached. Opening the PDF revealed a list of documents, but viewing them meant clicking a link. That link pointed at a real Microsoft address whose parameters redirected the victim onward, through several CAPTCHAs meant to screen out security scanners, to a page that told them to copy a one-time code. Clicking the code copied it to the clipboard and sent the user to Microsoft's real authentication page, where they pasted it and completed the login, multi-factor prompt and all. At that moment Microsoft issued the session tokens to the attacker's waiting server, not to any device the victim owned.

Because the victim genuinely signs in on Microsoft's real page, the usual advice to check the domain offers no protection, and the multi-factor step is satisfied by the victim themselves. The stolen refresh token then lets the attacker stay logged in for a long time without needing the password again.

Who is being targeted

Securelist says the operators are still actively running the technique and adapting it by region. A newer variant aimed at users in Brazil swapped the legal-themed PDF for an email about a fake order or quote, using an open redirect on the legitimate diagramming site cacoo[.]com to bounce victims to the same code-harvesting page. Expect other trusted domains that carry open redirects to be abused the same way.

What you should do

Never enter a Microsoft device code that arrived in an unexpected email or message, even if the link genuinely lands on a Microsoft domain, and do not approve a device sign-in you did not start yourself. Administrators should decide whether the Device Code Flow is needed at all; if it is not, block it globally with a Conditional Access policy in Microsoft Entra ID. Security teams should monitor for DeviceCodeSignIn events and alert on sign-ins from unusual locations. Salient indicators include legal or invoice themed lures with password-protected PDFs, redirects through legitimate hosts such as cacoo[.]com, and the device-code endpoints login[.]microsoftonline[.]com/{tenant}/oauth2/v2[.]0/devicecode and its matching /token endpoint.

The campaign adds to a run of device-code abuse IntelFusions has tracked, from a phishing-as-a-service kit that steals Microsoft 365 logins and survives MFA to Russia's APT29 abusing the same flow in watering-hole attacks. You can read the original report from Securelist for the full technical breakdown.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions