Abusing OAuth Device Code Flow
In early 2026, phishing attacks remain a top threat vector in security operations. This analysis covers a novel attack method exploiting Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to compromise user accounts. Attackers use phishing emails containing Mailchimp's Mandrill service links to bypass security controls, leading victims to fake Adobe-themed websites. The sites abuse legitimate Microsoft authentication mechanisms to obtain access and refresh tokens, granting persistent delegated access to critical resources like Graph API, Teams, Outlook, and SharePoint. The technique leverages shared client IDs across tenants and family of client IDs (FOCI) for lateral movement. Two variants exist: one using external phishing infrastructure with dynamic code generation, and another relying solely on fake meeting invitations containing pre-generated device codes. The attack is particularly effective as it uses legitimate Microsoft services, making detection challenging.
AI Analysis
Technical Summary
In early 2026, a phishing campaign abuses Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to gain unauthorized access to user accounts. Attackers send phishing emails containing Mailchimp Mandrill service links that lead to fake Adobe-themed sites. These sites exploit legitimate Microsoft authentication mechanisms to acquire access and refresh tokens, granting persistent delegated access to critical Microsoft 365 resources like Graph API, Teams, Outlook, and SharePoint. The technique exploits shared client IDs across tenants and family of client IDs (FOCI) to facilitate lateral movement. Two attack variants are described: one leveraging external phishing infrastructure with dynamic device code generation, and another relying on fake meeting invitations containing pre-generated device codes. The campaign's reliance on legitimate Microsoft services complicates detection and mitigation efforts. There is no indication of a patch or official fix, and no known exploits in the wild have been reported.
Potential Impact
Successful exploitation results in attackers obtaining persistent delegated access tokens, allowing unauthorized access to sensitive Microsoft 365 resources including Graph API, Teams, Outlook, and SharePoint. This can lead to credential theft, token hijacking, and lateral movement within and across tenants. The attack bypasses traditional security controls by abusing legitimate Microsoft authentication flows, increasing the difficulty of detection and response. However, no known active exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this attack relies on phishing and abuse of legitimate OAuth flows, mitigation should focus on user awareness training to recognize phishing attempts, monitoring for unusual OAuth token issuance, and applying conditional access policies that limit device code flow usage or require additional verification. Organizations should also monitor for suspicious domains and URLs related to the campaign indicators. No official fix or patch has been indicated in the provided data.
Indicators of Compromise
- url: http://adobe.safest.org/
- url: http://ppsrq.org/so/3dPniokM8/c
- domain: adobe.safest.org
Abusing OAuth Device Code Flow
Description
In early 2026, phishing attacks remain a top threat vector in security operations. This analysis covers a novel attack method exploiting Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to compromise user accounts. Attackers use phishing emails containing Mailchimp's Mandrill service links to bypass security controls, leading victims to fake Adobe-themed websites. The sites abuse legitimate Microsoft authentication mechanisms to obtain access and refresh tokens, granting persistent delegated access to critical resources like Graph API, Teams, Outlook, and SharePoint. The technique leverages shared client IDs across tenants and family of client IDs (FOCI) for lateral movement. Two variants exist: one using external phishing infrastructure with dynamic code generation, and another relying solely on fake meeting invitations containing pre-generated device codes. The attack is particularly effective as it uses legitimate Microsoft services, making detection challenging.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In early 2026, a phishing campaign abuses Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to gain unauthorized access to user accounts. Attackers send phishing emails containing Mailchimp Mandrill service links that lead to fake Adobe-themed sites. These sites exploit legitimate Microsoft authentication mechanisms to acquire access and refresh tokens, granting persistent delegated access to critical Microsoft 365 resources like Graph API, Teams, Outlook, and SharePoint. The technique exploits shared client IDs across tenants and family of client IDs (FOCI) to facilitate lateral movement. Two attack variants are described: one leveraging external phishing infrastructure with dynamic device code generation, and another relying on fake meeting invitations containing pre-generated device codes. The campaign's reliance on legitimate Microsoft services complicates detection and mitigation efforts. There is no indication of a patch or official fix, and no known exploits in the wild have been reported.
Potential Impact
Successful exploitation results in attackers obtaining persistent delegated access tokens, allowing unauthorized access to sensitive Microsoft 365 resources including Graph API, Teams, Outlook, and SharePoint. This can lead to credential theft, token hijacking, and lateral movement within and across tenants. The attack bypasses traditional security controls by abusing legitimate Microsoft authentication flows, increasing the difficulty of detection and response. However, no known active exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this attack relies on phishing and abuse of legitimate OAuth flows, mitigation should focus on user awareness training to recognize phishing attempts, monitoring for unusual OAuth token issuance, and applying conditional access policies that limit device code flow usage or require additional verification. Organizations should also monitor for suspicious domains and URLs related to the campaign indicators. No official fix or patch has been indicated in the provided data.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.levelblue.com/blogs/spiderlabs-blog/go-with-the-flow-abusing-oauth-device-code-flow"]
- Adversary
- null
- Pulse Id
- 69e68ccac96ab3f866763f12
- Threat Score
- null
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://adobe.safest.org/ | — | |
urlhttp://ppsrq.org/so/3dPniokM8/c | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainadobe.safest.org | — |
Threat ID: 69e743d919fe3cd2cdbf5f99
Added to database: 4/21/2026, 9:31:05 AM
Last enriched: 4/21/2026, 9:46:17 AM
Last updated: 6/5/2026, 12:20:51 PM
Views: 240
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.