Device code phishing bypasses password stealing

MITRE Techniques

• [T1566.001 ] Spearphishing Attachment – The initial lure is delivered through an email with an image attachment referenced by a second HTML attachment (‘The lure is constructed using an image attachment referenced in a second HTML attachment.’)
• [T1056.001 ] Keylogging / Input Capture – The kit captures the victim-entered verification code as part of the authentication abuse flow (‘copy the code to their clipboard’ and enter it into the Microsoft popup).
• [T1199 ] Trusted Relationship – The attack abuses trust in Microsoft’s legitimate authentication infrastructure to make the process appear safe (‘This is a real and legitimate URL used for normal Microsoft authentication flows.’)
• [T1133 ] External Remote Services – The attacker leverages Microsoft 365 authentication services to gain access to victim accounts (‘authorize an attacker-controlled device’ and ‘access to victim accounts’).
• [T1550.001 ] Use Alternate Authentication Material: Application Access Token – The device code is used to complete OAuth-based authentication without stealing passwords directly (‘abuses Microsoft’s legitimate OAuth 2.0 Device Authorization Grant flow’).
• [T1119 ] Automated Collection – The kit continuously posts the device code in a timed loop to coordinate the flow (‘sent to the phishing kit’s host via POST on a four second loop’).
• [T1027 ] Obfuscated Files or Information – Unicode format characters and bit-shifted/base64-encoded artifacts are used to hide detection strings (‘Zero Width Space (ZWS), Word Joiner (WJ), and Zero Width Non-Joiner (ZWNJ)’ and ‘bitshifted ASCII’).
• [T1562.001 ] Impair Defenses: Disable or Modify Tools – The page hides red-flag words with invisible Unicode characters to interfere with detection (‘interspersed in words that are typically red flags used for phishing detection’).