CYBERSECURITY
Uncovering a New Device Code Phishing Campaign
A phishing campaign abused Microsoft's OAuth 2.0 device code flow by luring victims to Cloudflare Workers-hosted pages that imitate Adobe Acrobat Sign, sent from sender domains compromised through business email compromise (BEC). The lure page automatically copied an attacker-generated device code to the victim's clipboard and redirected the victim to the legitimate microsoft.com/devicelogin portal so that the attacker could collect tokens. The attacker's backend polled Microsoft's device code endpoint every 3 seconds, exchanged the completed code for OAuth access and refresh tokens scoped to Microsoft Graph, and then silently redirected the victim to adobe.com, leaving the victim no visible sign of compromise. Indicators of compromise (IOCs) covering 23 workers.dev subdomains, along with suspected sender addresses embedded in account names, are published.

Defenders should hunt for device code authentication events in Entra SigninLogs by filtering for `AuthenticationProtocol == "deviceCode"`. They should also flag successful (`ResultType == 0`) device code authentications from users with no device code sign-in in the prior 30 days, and alert on workers.dev URLs in inbound email that correlate with device code authentication events for the same user.
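The three detection steps above, worked through in Python over a handful of constructed log records. This is an added example, not code from the original article or from Microsoft: the sign-in records use field names modelled on Entra SigninLogs (`TimeGenerated`, `UserPrincipalName`, `AuthenticationProtocol`, `ResultType`), while the email records and their `RecipientEmailAddress`/`Url` fields are an assumption standing in for whatever mail telemetry a given environment exports. In production the same logic would normally be written as a KQL query; the Python form makes the three filters and their interaction explicit.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample sign-in records (not real telemetry), field names modelled
# on Entra SigninLogs. ResultType 0 is a successful sign-in.
SIGNIN_LOGS = [
    {"TimeGenerated": "2025-03-01T09:00:00Z", "UserPrincipalName": "alice@example.com",
     "AuthenticationProtocol": "deviceCode", "ResultType": 0},
    {"TimeGenerated": "2025-03-20T10:15:00Z", "UserPrincipalName": "alice@example.com",
     "AuthenticationProtocol": "deviceCode", "ResultType": 0},
    {"TimeGenerated": "2025-03-20T10:05:00Z", "UserPrincipalName": "bob@example.com",
     "AuthenticationProtocol": "deviceCode", "ResultType": 0},
    {"TimeGenerated": "2025-03-20T10:06:00Z", "UserPrincipalName": "carol@example.com",
     "AuthenticationProtocol": "deviceCode", "ResultType": 50126},   # failed sign-in
    {"TimeGenerated": "2025-03-20T10:07:00Z", "UserPrincipalName": "dave@example.com",
     "AuthenticationProtocol": "ropc", "ResultType": 0},             # not device code
]

# Constructed inbound-email records (assumed schema, not a real product table).
EMAIL_EVENTS = [
    {"TimeGenerated": "2025-03-20T09:50:00Z", "RecipientEmailAddress": "bob@example.com",
     "Url": "https://lure-example.workers.dev/sign"},
    {"TimeGenerated": "2025-03-20T09:55:00Z", "RecipientEmailAddress": "alice@example.com",
     "Url": "https://other-example.workers.dev/"},
    {"TimeGenerated": "2025-03-20T09:58:00Z", "RecipientEmailAddress": "erin@example.com",
     "Url": "https://workers.dev.example.com/"},   # look-alike host, must NOT match
]


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_code_signins(logs):
    """Step 1: every sign-in that used the device code protocol, success or not."""
    return [r for r in logs if r.get("AuthenticationProtocol") == "deviceCode"]


def first_time_device_code(logs, lookback_days=30):
    """Step 2: successful device code sign-ins by users with no device code
    sign-in (of any result) in the preceding lookback window."""
    events = sorted(device_code_signins(logs), key=lambda r: _ts(r["TimeGenerated"]))
    history = {}   # user -> timestamps of device code sign-ins already seen
    hits = []
    for r in events:
        user = r["UserPrincipalName"].lower()
        t = _ts(r["TimeGenerated"])
        recent = [p for p in history.get(user, []) if t - p <= timedelta(days=lookback_days)]
        if r.get("ResultType") == 0 and not recent:
            hits.append(r)
        history.setdefault(user, []).append(t)
    return hits


def is_workers_dev(url):
    """Match the workers.dev zone by hostname, not by substring, so that
    look-alikes such as workers.dev.example.com are not flagged."""
    host = (urlparse(url).hostname or "").lower()
    return host == "workers.dev" or host.endswith(".workers.dev")


def correlate_with_email(hits, emails, window_hours=24):
    """Step 3: keep only first-time device code sign-ins preceded, within the
    window, by an inbound email to the same user carrying a workers.dev URL."""
    lures = {}
    for e in emails:
        if is_workers_dev(e.get("Url", "")):
            key = e["RecipientEmailAddress"].lower()
            lures.setdefault(key, []).append((_ts(e["TimeGenerated"]), e["Url"]))
    alerts = []
    for r in hits:
        user = r["UserPrincipalName"].lower()
        t = _ts(r["TimeGenerated"])
        for sent_at, url in lures.get(user, []):
            if timedelta(0) <= t - sent_at <= timedelta(hours=window_hours):
                alerts.append({"user": user, "signin_time": r["TimeGenerated"], "lure_url": url})
                break
    return alerts


if __name__ == "__main__":
    hits = first_time_device_code(SIGNIN_LOGS)
    for a in correlate_with_email(hits, EMAIL_EVENTS):
        print(f"ALERT {a['user']} device-code sign-in at {a['signin_time']} after lure {a['lure_url']}")
```

On the sample data, alice's second sign-in is suppressed by the 30-day first-time filter even though she also received a lure, which is the trade-off the article's guidance implies: the first-time filter keeps noise down for users who legitimately use device code (CLI tools, headless devices), so the email correlation is worth running on its own as well where volume allows.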