When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website


One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant.

This specific protocol extension was designed to simplify the login experience for smart TVs, IoT hardware, printers, and other input-constrained devices that lack a full browser or keyboard. It allows users to use a nearby smartphone or PC for authorizing these devices to access their accounts.

Read more…
Source:  Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Filch Stealer: A new infostealer leveraging old techniques

    June 16, 2025

    In recent weeks, Rapid7 has observed an increased volume of incidents involving domains generated by domain generation algorithms (DGAs). DGAs are a known technique leveraged by malware authors to quickly create a large number of domain names, which will point to command and control (C2) servers operated by the attackers. Observed domains shared multiple commonalities such ...

  • Europe-wide takedown hits longest-standing dark web drug market

    June 16, 2025

    Law enforcement authorities across Europe have dismantled ‘Archetyp Market’, the most enduring dark web marketplace, following a large-scale operation involving six countries, supported by Europol and Eurojust. Between 11 and 13 June, a series of coordinated actions took place across Germany, the Netherlands, Romania, Spain, Sweden, targeting the platform’s administrator, moderators, key vendors, and technical infrastructure. ...

  • WestJet investigating possible cyberattack

    June 16, 2025

    WestJet has apparently suffered a cyberattack which has disrupted some of its services, including impacting the airline’s website and mobile app. The company confirmed the news in a security advisory posted on its website, noting, “WestJet is aware of a cybersecurity incident involving internal systems and the WestJet app, which has restricted access for several users.” ...

  • Hackers take aim at Washington Post journalists in an apparent ‘targeted’ cyberattack

    June 15, 2025

    Hackers have tried to break into the email accounts of a select number of Washington Post journalists, according to an internal Washington Post memo obtained by CNN. The Post discovered the “possible targeted” hack of its email system last Thursday, prompting the newspaper to reset login credentials for all its employees on Friday, Washington Post Executive ...

  • Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper

    June 13, 2025

    A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025. Anubis is a recently identified group that sets itself apart by partnering encryption with more destructive capabilities—wiping directories which severely impact chances of file recovery. Given its brief history and use of a multi-layered extortion model, Anubis has all ...

  • Mitel Releases Security Advisory for MiCollab

    June 13, 2025

    Mitel has released a security advisory to address a critical severity vulnerability in Mitel MiCollab. MiCollab is a cloud-based platform that integrates chat, voice, video, and SMS messaging for teams. The vulnerability, which has no CVE identifier at time of publish, is a “path traversal” vulnerability with a CVSSv3 score of 9.8. Successful exploitation could allow ...