Abusing OAuth Device Code Flow
This threat describes a phishing campaign exploiting Microsoft's OAuth 2. 0 Device Authorization Grant (Device Code Flow) to compromise user accounts. Attackers send phishing emails with links hosted on Mailchimp's Mandrill service that redirect victims to fake Adobe-themed websites. These sites abuse legitimate Microsoft authentication flows to obtain access and refresh tokens, enabling persistent delegated access to resources such as Graph API, Teams, Outlook, and SharePoint. The attack leverages shared client IDs and family of client IDs (FOCI) for lateral movement across tenants. Two variants exist: one using dynamic code generation via external phishing infrastructure, and another using fake meeting invitations with pre-generated device codes. The use of legitimate Microsoft services makes detection difficult. No known exploits in the wild or vendor patches are indicated.
AI Analysis
Technical Summary
In early 2026, a phishing campaign abuses Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to gain unauthorized access to user accounts. Attackers send phishing emails containing Mailchimp Mandrill service links that lead to fake Adobe-themed sites. These sites exploit legitimate Microsoft authentication mechanisms to acquire access and refresh tokens, granting persistent delegated access to critical Microsoft 365 resources like Graph API, Teams, Outlook, and SharePoint. The technique exploits shared client IDs across tenants and family of client IDs (FOCI) to facilitate lateral movement. Two attack variants are described: one leveraging external phishing infrastructure with dynamic device code generation, and another relying on fake meeting invitations containing pre-generated device codes. The campaign's reliance on legitimate Microsoft services complicates detection and mitigation efforts. There is no indication of a patch or official fix, and no known exploits in the wild have been reported.
Potential Impact
Successful exploitation results in attackers obtaining persistent delegated access tokens, allowing unauthorized access to sensitive Microsoft 365 resources including Graph API, Teams, Outlook, and SharePoint. This can lead to credential theft, token hijacking, and lateral movement within and across tenants. The attack bypasses traditional security controls by abusing legitimate Microsoft authentication flows, increasing the difficulty of detection and response. However, no known active exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this attack relies on phishing and abuse of legitimate OAuth flows, mitigation should focus on user awareness training to recognize phishing attempts, monitoring for unusual OAuth token issuance, and applying conditional access policies that limit device code flow usage or require additional verification. Organizations should also monitor for suspicious domains and URLs related to the campaign indicators. No official fix or patch has been indicated in the provided data.
Indicators of Compromise
- url: http://adobe.safest.org/
- url: http://ppsrq.org/so/3dPniokM8/c
- domain: adobe.safest.org
Abusing OAuth Device Code Flow
Description
This threat describes a phishing campaign exploiting Microsoft's OAuth 2. 0 Device Authorization Grant (Device Code Flow) to compromise user accounts. Attackers send phishing emails with links hosted on Mailchimp's Mandrill service that redirect victims to fake Adobe-themed websites. These sites abuse legitimate Microsoft authentication flows to obtain access and refresh tokens, enabling persistent delegated access to resources such as Graph API, Teams, Outlook, and SharePoint. The attack leverages shared client IDs and family of client IDs (FOCI) for lateral movement across tenants. Two variants exist: one using dynamic code generation via external phishing infrastructure, and another using fake meeting invitations with pre-generated device codes. The use of legitimate Microsoft services makes detection difficult. No known exploits in the wild or vendor patches are indicated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In early 2026, a phishing campaign abuses Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to gain unauthorized access to user accounts. Attackers send phishing emails containing Mailchimp Mandrill service links that lead to fake Adobe-themed sites. These sites exploit legitimate Microsoft authentication mechanisms to acquire access and refresh tokens, granting persistent delegated access to critical Microsoft 365 resources like Graph API, Teams, Outlook, and SharePoint. The technique exploits shared client IDs across tenants and family of client IDs (FOCI) to facilitate lateral movement. Two attack variants are described: one leveraging external phishing infrastructure with dynamic device code generation, and another relying on fake meeting invitations containing pre-generated device codes. The campaign's reliance on legitimate Microsoft services complicates detection and mitigation efforts. There is no indication of a patch or official fix, and no known exploits in the wild have been reported.
Potential Impact
Successful exploitation results in attackers obtaining persistent delegated access tokens, allowing unauthorized access to sensitive Microsoft 365 resources including Graph API, Teams, Outlook, and SharePoint. This can lead to credential theft, token hijacking, and lateral movement within and across tenants. The attack bypasses traditional security controls by abusing legitimate Microsoft authentication flows, increasing the difficulty of detection and response. However, no known active exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this attack relies on phishing and abuse of legitimate OAuth flows, mitigation should focus on user awareness training to recognize phishing attempts, monitoring for unusual OAuth token issuance, and applying conditional access policies that limit device code flow usage or require additional verification. Organizations should also monitor for suspicious domains and URLs related to the campaign indicators. No official fix or patch has been indicated in the provided data.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.levelblue.com/blogs/spiderlabs-blog/go-with-the-flow-abusing-oauth-device-code-flow"]
- Adversary
- null
- Pulse Id
- 69e68ccac96ab3f866763f12
- Threat Score
- null
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://adobe.safest.org/ | — | |
urlhttp://ppsrq.org/so/3dPniokM8/c | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainadobe.safest.org | — |
Threat ID: 69e743d919fe3cd2cdbf5f99
Added to database: 4/21/2026, 9:31:05 AM
Last enriched: 4/21/2026, 9:46:17 AM
Last updated: 4/21/2026, 1:24:43 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.