Jessica Entwistle
July 7 2026
Kaspersky researchers have identified a phishing campaign that abuses the OAuth 2.0 Device Authorization Grant, a legitimate authentication mechanism designed for devices such as Smart TVs and IoT hardware, to compromise Microsoft accounts. Securelist reports that attackers direct victims to genuine Microsoft websites and prompt them to enter a device code, which grants the attacker access to the victim's account without requiring traditional phishing infrastructure or credential capture. The attack is effective because the URL appears legitimate, the authentication flow is hosted by Microsoft, and users may not recognise the device code prompt as suspicious. Once the code is entered, the attacker gains persistent access to the account, often bypassing multi-factor authentication protections.
This technique highlights a broader challenge for UK organisations, authentication flows that are designed for convenience and device compatibility can be repurposed by attackers in ways that are difficult for users to detect. The attack relies on social engineering rather than technical exploitation, meaning traditional security controls such as email filtering or endpoint protection may not prevent it. For organisations using Microsoft 365, Azure AD, or other cloud identity platforms, this is a reminder that user awareness and conditional access policies are critical layers of defence. The attack also demonstrates that checking the URL alone is no longer sufficient to verify legitimacy, users need to understand the context of what they are being asked to do. Device code phishing is particularly effective because it exploits user trust in familiar authentication flows and legitimate Microsoft domains. Organisations that rely heavily on cloud services and remote access should consider this attack method as part of their broader phishing and account compromise risk profile.
UK businesses should review user awareness training to include device code phishing scenarios, ensuring that employees understand what device code authentication is, when it is legitimate, and how to recognise suspicious requests. Organisations should also consider whether conditional access policies can restrict device code authentication flows to trusted locations, managed devices, or specific user groups, reducing the risk of unauthorised access via this method. Security teams should review authentication logs for unexpected device registrations, unusual sign-in patterns, or device code authentication events that may indicate account compromise. It is also worth confirming that multi-factor authentication is enforced across all user accounts, and that conditional access policies are configured to block or challenge sign-ins from unusual locations or unmanaged devices. Organisations should ensure that security awareness programmes are updated regularly to reflect emerging phishing techniques, and that users are encouraged to report suspicious authentication requests rather than completing them out of uncertainty or politeness.
Source: Securelist (Kaspersky)