{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/docusign/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TA4903"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","microsoft.com","DocuSign","Adobe"],"_cs_severities":["high"],"_cs_tags":["device-code-phishing","phishing","credential-theft","oAuth"],"_cs_type":"threat","_cs_vendors":["Microsoft","Adobe","DocuSign","Cloudflare"],"content_html":"\u003cp\u003eDevice code phishing is a growing threat in which attackers abuse the OAuth 2.0 device authorization grant flow (RFC 8628) to take over user accounts, particularly in Microsoft 365. The technique has surged in popularity since criminal device code phishing tools were released in fall 2025, helped along by the rise of \u0026ldquo;vibe coding\u0026rdquo; and Phishing-as-a-Service (PhaaS) platforms such as EvilTokens and Tycoon. Campaigns typically begin with an email containing a URL or QR code. When a user clicks the link or scans the code, they land on a fake page impersonating a legitimate service such as Microsoft or DocuSign that displays a device code and tells them to enter it. The code is genuine: the attacker has already started a device authorization request, so when the user enters it into the legitimate Microsoft device login portal and signs in, Microsoft issues access and refresh tokens to the attacker\u0026rsquo;s waiting client. The user never types a password into a phishing page, yet has handed over a session, and the result can be data theft, fraud, and business email compromise. TA4903 is one actor that uses device code phishing almost exclusively to steal credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn initial phishing email is sent containing a URL or QR code. The lure may be a salary notification or a document requiring a signature. 
Some campaigns even use blank email bodies.\u003c/li\u003e\n\u003cli\u003eThe user clicks the URL or scans the QR code and is redirected to a landing page, in some campaigns via a Cloudflare Workers URL.\u003c/li\u003e\n\u003cli\u003eThe landing page impersonates a legitimate service such as Microsoft or DocuSign and displays a device code. Some kits, such as ARTokens, require the user to enter their email address first.\u003c/li\u003e\n\u003cli\u003eThe user is instructed to go to the legitimate Microsoft device login portal (https[:]//microsoft[.]com/devicelogin) and enter the provided code.\u003c/li\u003e\n\u003cli\u003eThe user signs in and enters the device code. The code belongs to a device authorization request that the attacker\u0026rsquo;s client already started, so completing it authorizes that client for the user\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s client, which has been polling the token endpoint since it requested the code, receives access and refresh tokens for the user.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the tokens to access the user\u0026rsquo;s mailbox, data and any other services the account can reach, and can keep refreshing them for as long as the refresh token remains valid.\u003c/li\u003e\n\u003cli\u003eThe attacker steals sensitive information, conducts business email compromise, or moves laterally within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful device code phishing attack results in full account takeover, giving the attacker access to sensitive information and enabling business email compromise. Compromised accounts are used to send further phishing emails, widening the scope of the attack, and some PhaaS platforms such as EvilTokens offer tooling to manage many compromised accounts at once. The ultimate impact can include financial loss, data breaches, and reputational damage for targeted organizations. 
The technique is observed in multiple languages and targets organizations globally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate users about device code phishing and the legitimate Microsoft device login process: a real device code is displayed by a device or tool the user is signing in themselves, never by an email or a web page they were sent.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Device Code Phishing Landing Page Redirection via Cloudflare Workers\u0026rdquo; to identify potential phishing attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to the legitimate Microsoft device login portal (https[:]//microsoft[.]com/devicelogin) that follow a redirect from unusual or suspicious domains, and review Entra ID sign-in logs for sign-ins whose authentication protocol is the device code flow, especially from unfamiliar IP addresses.\u003c/li\u003e\n\u003cli\u003eUse the Conditional Access authentication flows condition to block the device code flow for all users, with a scoped exception only where a device or tool genuinely needs it; if it must stay enabled, at least restrict it from untrusted networks or locations.\u003c/li\u003e\n\u003cli\u003eBlock known PhaaS platforms and associated infrastructure used for device code phishing, such as those associated with EvilTokens.\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for unusual patterns, such as emails with blank bodies containing URLs or QR codes, as observed in some campaigns by TA4903.\u003c/li\u003e\n\u003cli\u003eIf a user has entered a phished code, treat the account as compromised: revoke the user\u0026rsquo;s sign-in sessions so the refresh token stops working, and remember that access tokens already issued remain valid until they expire.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T09:02:04Z","date_published":"2026-05-14T09:02:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-device-code-phishing/","summary":"Threat actors are increasingly using device code phishing, often via Phishing-as-a-Service platforms, to compromise user accounts by abusing the OAuth 2.0 device authorization grant flow and capturing authentication tokens, enabling account takeover, data theft, and business email compromise.","title":"Device Code Phishing Exploiting OAuth 2.0 Device Authorization Grant Flow","url":"https://feed.craftedsignal.io/briefs/2026-05-device-code-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed — DocuSign","version":"https://jsonfeed.org/version/1.1"}
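Added example, not part of the CraftedSignal brief or of any kit or tool it names. It serves two passages of the brief: the Attack Chain (why a code the victim types into the real portal ends up authorizing the attacker) and the Recommendation to watch for a Cloudflare Workers redirect followed by a request to the device login portal. The first part is a hypothetical in-memory RFC 8628 authorization server with an attacker client and a victim; the second is the redirect-then-devicelogin detection run over constructed proxy log lines. Client IDs, hostnames, usernames, log lines and the 120-second window are all assumptions, not observed indicators.

```python
"""Added example, not from the CraftedSignal brief: the OAuth 2.0 device
authorization grant (RFC 8628) as abused by device code phishing, plus the
redirect-then-devicelogin detection over constructed proxy log lines.
Client IDs, hosts, usernames, log lines and the time window are assumptions."""
import secrets
import string
from datetime import datetime, timedelta


class DeviceAuthServer:
    """Minimal RFC 8628 authorization server (hypothetical). Whoever calls
    start_flow() holds the device_code; only that client can redeem it."""

    def __init__(self):
        self._pending = {}        # device_code -> flow state
        self._by_user_code = {}   # user_code -> device_code

    def start_flow(self, client_id, scope):
        alphabet = string.ascii_uppercase + string.digits
        user_code = "-".join("".join(secrets.choice(alphabet) for _ in range(4))
                             for _ in range(2))   # e.g. "K7QD-2M9X", shown to the victim
        device_code = secrets.token_urlsafe(32)   # kept by the client, never shown
        self._pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                      "scope": scope, "user": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": 900, "interval": 5}

    def user_completes(self, user_code, username):
        """The victim signs in on the legitimate portal and types the user_code."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        self._pending[device_code]["user"] = username
        return "ok"

    def token(self, client_id, device_code):
        """Token endpoint, polled by the client that started the flow."""
        entry = self._pending.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        # Tokens go to the polling client, never to the browser that typed the code.
        return {"access_token": f"at.{entry['user']}.{secrets.token_hex(8)}",
                "refresh_token": secrets.token_hex(16),
                "scope": entry["scope"], "user": entry["user"]}


def run_phishing_flow():
    """Attacker starts the flow, victim enters the code, attacker collects tokens."""
    server = DeviceAuthServer()
    attacker_client = "attacker-client-id"   # hypothetical client_id
    dc = server.start_flow(attacker_client, "openid Mail.ReadWrite offline_access")
    before = server.token(attacker_client, dc["device_code"])    # still pending
    # The lure page shows dc["user_code"]; the victim types it at the real portal.
    server.user_completes(dc["user_code"], "victim@example.com")
    after = server.token(attacker_client, dc["device_code"])     # victim's tokens
    other = server.token("some-other-client", dc["device_code"])  # cannot redeem
    return {"before": before, "after": after, "other_client": other}


# Constructed proxy log (timestamp, client IP, host, path). 10.0.0.5 follows a
# workers.dev redirector to the device login portal within seconds; 10.0.0.9 goes
# there directly (benign enrollment); 10.0.0.7 is outside the default window.
PROXY_LOG = """\
2026-05-14T09:00:01Z 10.0.0.5  lure.workers.dev  /verify
2026-05-14T09:00:03Z 10.0.0.5  microsoft.com     /devicelogin
2026-05-14T09:05:00Z 10.0.0.9  microsoft.com     /devicelogin
2026-05-14T09:10:00Z 10.0.0.7  docs.workers.dev  /index
2026-05-14T09:25:00Z 10.0.0.7  microsoft.com     /devicelogin
"""

REDIRECTOR_SUFFIXES = (".workers.dev",)


def detect_device_code_redirects(log_text, window_seconds=120):
    """Flag clients that reach microsoft.com/devicelogin within window_seconds
    of a request to a Cloudflare Workers host (the redirect pattern in the brief)."""
    hits, last_redirector = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, path = line.split()[:4]
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if host.endswith(REDIRECTOR_SUFFIXES):
            last_redirector[ip] = (t, host)
        elif host == "microsoft.com" and path.startswith("/devicelogin"):
            prev = last_redirector.get(ip)
            if prev and t - prev[0] <= timedelta(seconds=window_seconds):
                hits.append({"client": ip, "redirector": prev[1], "at": ts})
    return hits
```

The point of the first part is in `token()`: the browser that entered the user code never receives anything, and a client that does not hold the original device_code gets `invalid_grant`; only the client that opened the flow, the attacker's, gets the victim's access and refresh tokens. The detection is deliberately a two-event correlation keyed on client IP; a direct visit to the portal (10.0.0.7 and 10.0.0.9 here) is normal for device enrollment and CLI logins and is not flagged on its own, so tune the window and the redirector list to your own proxy data.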