A defender-focused writeup of a real-world Microsoft 365 device-code phishing campaign (OAuth 2.0 Device Authorization Grant abuse) — a fake "shared document" that never asks for a password and still takes over an account, straight past MFA.
This repository is published solely for education, awareness, and defensive security — to help defenders and users recognize and stop this class of attack.
- Provided "as is," without warranty of any kind. You are solely responsible for how you use this material.
- All indicators here are defanged (
hxxps://,[.]), and no live malware or credential-harvesting code is included. Do not re-fang, reconstruct, or visit the infrastructure except from an isolated, attributable analysis environment. - Do not use this material to conduct or facilitate unauthorized access, intrusion, or any unlawful activity. Only act on systems you are authorized to test, and comply with all applicable laws.
- Victim-identifying details have been redacted. The compromised website referenced was an innocent, hacked third party, not the attacker.
- This is not legal or professional security advice. Views are the author's own and do not represent any employer or organization.
- DeviceCode-Phishing-Awareness-Article.md — the narrative walkthrough: how device-code phishing works, stage by stage, why it defeats MFA, and how to defend. Written for a broad audience.
- ANALYSIS.md — the technical companion: full attack chain, proof-of-life capture, infrastructure assessment, MITRE ATT&CK mapping, Entra ID hunting, and response checklist.
- attack-path.svg — attack-path diagram.
- screenshots/ — annotated captures of the live gate, the decrypted lure, the anti-analysis defenses, and the genuine Microsoft device-login page.
Opening a shared document never requires you to copy a code and type it into a Microsoft sign-in screen. If any page or email hands you a code to "verify your identity" or "continue to Microsoft," stop, close it, and report it. For IT: a Conditional Access Authentication Flows policy that blocks the device-code flow where it isn't needed neutralizes this entire technique class.
Licensed under Creative Commons Attribution 4.0 International (CC BY 4.0). You're free to share and adapt with attribution.