Device Code Phishing Abuses Microsoft OAuth 2.0 to Steal Tokens

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Campaign Window: The phishing campaign ran from early April to mid-May 2026, using a law firm-style email with a password-protected PDF attachment.
  • Token Theft: Attackers redirect victims to official Microsoft pages to harvest their access_token, refresh_token, and id_token.
  • Brazilian Variant: A regional variant abused Cacoo.com, owned by Nulab, as an open redirect to the phishing infrastructure.

Device Code Phishing is a technique that abuses the Microsoft Identity Platform's OAuth 2.0 Device Authorization Grant specification. The specification was designed to simplify sign-in for smart TVs, IoT hardware, and printers, but Kaspersky has published a Securelist analysis showing attackers are now weaponizing it to hijack accounts, with a Brazil variant abusing Cacoo.com.

The technique aligns with a broader trend that the FBI formally warned about.

Harvesting Microsoft Tokens via Fake "LawConnect" Portal

In a campaign observed from early April to mid-May 2026, the initial email was styled as a notice from a law firm and carried a password-protected PDF, a July 6 Kaspersky report said. After the victim opened the file and entered the password, a landing page displayed documents behind a link, framed as requiring a one-time access code to view them via a fake service called LawConnect.

PDF file with a malicious link | Source: Kaspersky
PDF file with a malicious link | Source: Kaspersky

That link pointed to a legitimate Microsoft address but used URL parameters to redirect the user to a phishing page mimicking a corporate legal portal guarded by multiple CAPTCHAs to filter out crawlers.

The one-time code | Source: Kaspersky
The one-time code | Source: Kaspersky

It instructed the victim to copy a one-time code, the user_code the attacker's server had already fetched. Clicking the code copied it and redirected the user to Microsoft's genuine authentication page. 

Once the victim entered the code and completed multi-factor authentication (MFA), the attacker harvested the session's access_token, refresh_token, and id_token, enabling access to email, OneDrive, and Teams.

Brazilian Variant Uses Cacoo.com

A modified campaign later targeted users in Brazil. Instead of a PDF, the email embedded a link to Cacoo.com, a legitimate diagramming platform owned by Nulab, which served as an open redirect. 

Kaspersky advises organizations to:

Kaspersky's findings are the latest entry in a pattern the FBI has already formally warned about. This campaign employs a technique that Microsoft first disclosed in February 2025, tied to Storm-2372, a Russia-aligned cluster targeting government and defense organizations. 

An OAuth redirection abuse method was commoditized this year by the EvilTokens phishing-as-a-service (PhaaS) platform, which hit over 340 Microsoft 365 organizations by March. The FBI issued a Public Service Announcement (PSA) in May warning about Kali365, a kit built on the same device code abuse.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: