{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/device-code/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["oauth","device-code","phishing","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eIn early April 2026, Arctic Wolf observed a widespread phishing campaign that abused the OAuth 2.0 device authorization grant (the \u0026ldquo;device code flow\u0026rdquo; defined in RFC 8628). The campaign targeted organizations across multiple regions and sectors, mirroring the \u0026ldquo;Riding the Rails\u0026rdquo; campaign observed by Huntress in late March. The attackers started device code requests from a client they controlled, lured victims into redeeming the resulting user codes, and obtained access tokens for the victims\u0026rsquo; accounts. Because the victim signs in, and completes MFA, on a genuine Microsoft login page, the attacker never touches a password or an MFA prompt: MFA is satisfied by the victim rather than defeated, and the tokens are issued to the attacker\u0026rsquo;s client. 
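\u003c/p\u003e\n\u003cp\u003eThe mechanism the attack chain below relies on is the ordinary RFC 8628 exchange: the party that calls the device authorization endpoint is the party that receives the tokens, while the party that types the user code only proves who they are. The following is an added example, not code from Arctic Wolf, from Microsoft or from this feed. It models an authorization server in memory and walks through the phish with both sides\u0026rsquo; messages; the endpoint behaviour, the nine-character user code format, the 900-second lifetime and the client identifiers are assumptions modelled loosely on the Microsoft identity platform, not a description of its internals.\u003c/p\u003e
```python
'''Toy model of the OAuth 2.0 device authorization grant (RFC 8628) showing
why device code phishing works.  Added example, not code from the advisory or
from Microsoft; the server below is an in-memory stand-in and the endpoint
behaviour, user-code format and 900-second lifetime are assumptions.'''
import secrets
import string
from operator import ge, lt

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
DEVICE_LOGIN_URI = 'https://microsoft.com/devicelogin'   # where victims are sent


class DeviceAuthorizationServer:
    '''Holds pending device authorizations keyed by device_code and user_code.'''

    def __init__(self, lifetime=900, interval=5):
        self.lifetime = lifetime   # seconds a pending request stays valid
        self.interval = interval   # minimum seconds between token polls
        self._by_device_code = {}
        self._by_user_code = {}

    def device_authorization(self, client_id, scope, now):
        '''POST /devicecode: mint the pair of codes for a client.'''
        device_code = secrets.token_urlsafe(32)
        user_code = ''.join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        state = {
            'client_id': client_id,
            'scope': scope,
            'device_code': device_code,
            'user_code': user_code,
            'expires_at': now + self.lifetime,
            'approved_by': None,   # set once a user redeems the user_code
            'last_poll': None,
        }
        self._by_device_code[device_code] = state
        self._by_user_code[user_code] = state
        return {
            'device_code': device_code,
            'user_code': user_code,
            'verification_uri': DEVICE_LOGIN_URI,
            'expires_in': self.lifetime,
            'interval': self.interval,
        }

    def redeem_user_code(self, user_code, authenticated_user, now):
        '''The interactive step on the genuine login page.  The server only sees
        a valid code and an authenticated (MFA-complete) user; nothing tells it
        or the user that a different party minted the code.'''
        state = self._by_user_code.get(user_code)
        if state is None or ge(now, state['expires_at']):
            return 'invalid_or_expired_code'
        state['approved_by'] = authenticated_user
        return 'approved'

    def token(self, device_code, client_id, now):
        '''POST /token with grant_type urn:ietf:params:oauth:grant-type:device_code.'''
        state = self._by_device_code.get(device_code)
        if state is None or state['client_id'] != client_id:
            return {'error': 'invalid_grant'}
        if ge(now, state['expires_at']):
            return {'error': 'expired_token'}
        if state['last_poll'] is not None and lt(now - state['last_poll'], self.interval):
            return {'error': 'slow_down'}
        state['last_poll'] = now
        if state['approved_by'] is None:
            return {'error': 'authorization_pending'}
        # One-shot: both codes are consumed when the token is issued.
        del self._by_device_code[device_code]
        del self._by_user_code[state['user_code']]
        return {
            'access_token': 'tok-' + secrets.token_hex(16),
            'token_type': 'Bearer',
            'scope': state['scope'],
            'sub': state['approved_by'],   # the victim, although the holder is the attacker
        }


def simulate_phish(now=1_000_000):
    '''Walk the attack chain and return what the attacker saw at each poll.'''
    idp = DeviceAuthorizationServer()
    attacker_client = 'attacker-app-client-id'   # constructed identifier
    # The attacker starts the flow; the user_code is what goes into the lure.
    codes = idp.device_authorization(attacker_client, 'Mail.Read Files.Read offline_access', now)
    # The attacker polls before the victim has acted.
    first_poll = idp.token(codes['device_code'], attacker_client, now + 5)
    # The victim, on the real login page, authenticates and types the code.
    redeem = idp.redeem_user_code(codes['user_code'], 'victim@example.com', now + 60)
    # The next poll hands the attacker a token for the victim.
    second_poll = idp.token(codes['device_code'], attacker_client, now + 65)
    return {'first_poll': first_poll, 'redeem': redeem, 'second_poll': second_poll}


if __name__ == '__main__':
    for step, result in simulate_phish().items():
        print(step, result)
```
\u003cp\u003eRunning it prints authorization_pending for the first poll and, after the victim redeems the code, a Bearer token whose subject is the victim while the client that requested and receives it is the attacker\u0026rsquo;s. The server never learns that the two parties differ, which is why the real login page cannot warn the user.\u003c/p\u003e\n\u003cp\u003e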
Defenders should treat device code sign-ins as a distinct authentication path and build detections around anomalous application registrations and device code flow activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker starts a device authorization request against the Microsoft identity platform using an OAuth application under their control, and receives a device code (held by the attacker\u0026rsquo;s client) together with a short user code meant to be typed by a human.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a phishing email to the victim, impersonating a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe email links to a fake application authorization page that presents the user code and instructs the victim to enter it to complete the \u0026ldquo;authorization\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eUnbeknownst to the victim, that user code belongs to the attacker\u0026rsquo;s pending device code request, so redeeming it authorizes the attacker\u0026rsquo;s application.\u003c/li\u003e\n\u003cli\u003eThe victim is forwarded to the legitimate Microsoft device login page, enters the code, signs in and completes MFA as usual; nothing on that page indicates who requested the code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s client, which has been polling the token endpoint with the device code, receives an access token (and a refresh token if the requested scopes included offline_access).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the tokens to access the victim\u0026rsquo;s account and sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then read mail, access files, or initiate further malicious activity from within the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis OAuth device code phishing campaign affected numerous organizations across multiple sectors and regions in early April 2026. A successful attack grants the threat actor unauthorized access to the user account, potentially leading to data exfiltration, financial fraud, and further compromise of internal systems. 
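\u003c/p\u003e\n\u003cp\u003eThe sign-in log monitoring recommended below can be prototyped offline. The following is an added example, not code from Arctic Wolf, from Microsoft or from this feed: it reads sign-in records in the shape of the Microsoft Graph signIn resource (the createdDateTime, userPrincipalName, ipAddress, appId, appDisplayName, authenticationProtocol and status.errorCode fields) and flags successful device code sign-ins whose source address the user has not used recently or whose client application has no history in the tenant. The records, user names, IP addresses and application IDs are constructed for the example; the address heuristic assumes the sign-in record carries the address of the client that redeemed the code rather than the victim\u0026rsquo;s browser, and the set of known applications is passed in as a parameter because a real deployment would seed it from a longer baseline.\u003c/p\u003e
```python
'''Flag suspicious device code flow sign-ins in Microsoft Entra ID (Azure AD)
sign-in logs.  Added example, not code from the advisory or from Microsoft.
Records follow the Microsoft Graph signIn resource shape; the sample data,
IP addresses (RFC 5737 ranges) and application IDs are constructed.'''
import json
from datetime import datetime, timedelta
from operator import le


def _rec(when, user, ip, app_id, app_name, protocol, error_code=0):
    return {
        'createdDateTime': when,
        'userPrincipalName': user,
        'ipAddress': ip,
        'appId': app_id,
        'appDisplayName': app_name,
        'authenticationProtocol': protocol,   # oAuth2, ropc, deviceCode, ...
        'status': {'errorCode': error_code},  # 0 means the sign-in succeeded
    }


OUTLOOK = '00000000-0000-4000-8000-000000000001'
BUILD_CLI = '00000000-0000-4000-8000-000000000002'
PORTAL = '00000000-0000-4000-8000-000000000003'
LURE_APP = '5f2c9e10-0000-4000-8000-0000000000ee'   # the attacker-registered app

# Apps with established history in the tenant; in practice seed this from a
# longer log baseline or an application inventory.
KNOWN_APP_IDS = {OUTLOOK, BUILD_CLI, PORTAL}

# Constructed JSON-lines export: a legitimate headless CLI sign-in (bob), a
# phished token (alice), a failed redemption (carol, nonzero errorCode) and a
# device code sign-in with a known app but from an address dave never used.
SAMPLE_SIGNIN_LINES = [json.dumps(r) for r in [
    _rec('2026-04-06T08:00:00Z', 'bob@example.com', '203.0.113.20', PORTAL, 'Azure Portal', 'oAuth2'),
    _rec('2026-04-06T08:10:00Z', 'bob@example.com', '203.0.113.20', BUILD_CLI, 'Build Agent CLI', 'deviceCode'),
    _rec('2026-04-07T08:00:00Z', 'alice@example.com', '203.0.113.10', OUTLOOK, 'Outlook Web', 'oAuth2'),
    _rec('2026-04-07T09:00:00Z', 'dave@example.com', '203.0.113.40', OUTLOOK, 'Outlook Web', 'oAuth2'),
    _rec('2026-04-07T09:15:00Z', 'alice@example.com', '198.51.100.77', LURE_APP, 'Contoso Mail Sync', 'deviceCode'),
    _rec('2026-04-07T09:20:00Z', 'carol@example.com', '198.51.100.77', LURE_APP, 'Contoso Mail Sync', 'deviceCode', 50074),
    _rec('2026-04-07T10:00:00Z', 'dave@example.com', '198.51.100.78', BUILD_CLI, 'Build Agent CLI', 'deviceCode'),
]]


def parse_signins(lines):
    '''Parse JSON-lines sign-in records and return them sorted by time.'''
    records = [json.loads(line) for line in lines if line.strip()]
    for rec in records:
        # Graph emits RFC 3339 timestamps with a trailing Z.
        rec['_ts'] = datetime.fromisoformat(rec['createdDateTime'].replace('Z', '+00:00'))
    return sorted(records, key=lambda r: r['_ts'])


def succeeded(rec):
    return rec.get('status', {}).get('errorCode') == 0


def find_suspicious_device_code_signins(records, known_app_ids, window=timedelta(days=7)):
    '''Return findings for successful device code sign-ins that look like token theft.

    ip_not_seen_for_user: the token went to a client at an address the user has
        not signed in from within the window (assumes the record carries the
        address of the client that redeemed the code, not the victim browser).
    first_seen_app: the client application has no history in the tenant.
    Both reasons together rate high, either alone rates medium.'''
    findings = []
    for i, rec in enumerate(records):
        if rec.get('authenticationProtocol') != 'deviceCode' or not succeeded(rec):
            continue
        recent_ips = {
            p['ipAddress'] for p in records[:i]
            if succeeded(p)
            and p['userPrincipalName'] == rec['userPrincipalName']
            and le(rec['_ts'] - p['_ts'], window)
        }
        reasons = []
        if rec['ipAddress'] not in recent_ips:
            reasons.append('ip_not_seen_for_user')
        if rec['appId'] not in known_app_ids:
            reasons.append('first_seen_app')
        if reasons:
            findings.append({
                'time': rec['createdDateTime'],
                'user': rec['userPrincipalName'],
                'ip': rec['ipAddress'],
                'app': rec['appDisplayName'],
                'appId': rec['appId'],
                'severity': 'high' if len(reasons) == 2 else 'medium',
                'reasons': reasons,
            })
    return findings


def run_sample():
    return find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNIN_LINES), KNOWN_APP_IDS)


if __name__ == '__main__':
    for f in run_sample():
        print(f['severity'], f['time'], f['user'], f['ip'], f['app'], f['reasons'])
```
\u003cp\u003eOn the sample, bob\u0026rsquo;s CLI sign-in is not flagged, alice\u0026rsquo;s phished token rates high on both reasons, and dave\u0026rsquo;s sign-in still rates medium on the address check alone even though the application is known. That last case matters because attackers can also drive the flow with client IDs that already have history in the tenant, so the address heuristic should not be dropped in favour of the application check.\u003c/p\u003e\n\u003cp\u003e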
Because the attacker holds OAuth tokens rather than a password, changing the password does not immediately end the intrusion: access tokens already issued remain valid until they expire, and refresh tokens must be explicitly revoked, so the exposure can persist well beyond the initial compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Azure AD (Microsoft Entra ID) sign-in logs for device code flow usage to identify suspicious authentications (logsource: azuread, category: authentication); these sign-ins are recorded with the authentication protocol value deviceCode, so compare their source IP, location and client application against the user\u0026rsquo;s usual sign-ins.\u003c/li\u003e\n\u003cli\u003eDeploy a Sigma rule for suspicious application registrations in Azure AD (logsource: o365, category: configuration), and alert on consents granted to newly registered or unfamiliar applications.\u003c/li\u003e\n\u003cli\u003eWhere no legitimate workload depends on it, block the device code flow with a Conditional Access policy using the authentication flows condition, or scope it to the users and devices that need it (headless hosts and CLI tooling).\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of device code phishing: a request to type a code at microsoft.com/devicelogin that the user did not start themselves on a device they are setting up should be treated as malicious.\u003c/li\u003e\n\u003cli\u003eRegularly audit OAuth applications and consents authorized within your environment and revoke access for any suspicious or unused applications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to anomalous OAuth application activity promptly; for confirmed victims, revoke the user\u0026rsquo;s sign-in sessions so that refresh tokens stop working, in addition to resetting the password.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T19:52:35Z","date_published":"2026-04-24T19:52:35Z","id":"/briefs/2026-05-oauth-device-code-phishing/","summary":"In early April 2026, Arctic Wolf tracked a large-scale device code phishing campaign across multiple regions and sectors where threat actors abused the OAuth device code flow to trick victims into redeeming attacker-initiated authentication codes.","title":"Large-Scale OAuth Device Code Phishing Campaign Observed in April 2026","url":"https://feed.craftedsignal.io/briefs/2026-05-oauth-device-code-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed — Device-Code","version":"https://jsonfeed.org/version/1.1"}