In short: In July 2026 Kaspersky warned about a phishing campaign that abuses a legitimate Microsoft mechanism — Device Authorization Grant (Device Code Flow). The victim ends up on a genuine login.microsoftonline.com page and simply enters a short code, yet the attacker walks away with the account's access and refresh tokens — no password, and even two-factor authentication does not help. The core defence: never enter a device code that someone else sent you.
What happened
On 7 July 2026 Kaspersky's experts, in a Securelist write-up, described a phishing campaign that exploits Microsoft's Device Authorization Grant flow to hijack corporate accounts. The report was picked up by Russian outlets including CNews and the security press. What makes the case stand out is that the usual advice — "check the address bar" — fails here: the victim really is on Microsoft's own domain. If you want the wider background on how phishing works, see our guide on how to protect an account from hacking.
What is Device Code Flow and why is it abused?
Device Authorization Grant is a legitimate sign-in method built for gadgets with awkward input — smart TVs, IoT devices, printers, consoles. The device shows a short code, and you approve it on a phone or laptop at Microsoft's devicelogin page. The catch: the code is not tied to the person who requested it. If an attacker starts the flow and gets you to enter their code, Microsoft binds your account to the attacker's session.
How does the attack work step by step?
The campaign began with an email styled as a notice from a law firm, carrying a password-protected PDF. The link led to a legitimate Microsoft address but used a redirect that pushed the victim onto a phishing portal imitating a legal-document viewer. After a few CAPTCHAs, the user was asked to copy a one-time code — generated in advance by the attackers when they launched the authorization flow — and enter it on the real Microsoft page. Once the victim confirmed, the attacker's server, which had been polling Microsoft's token endpoint, received the access_token, refresh_token and id_token.
What can attackers do with the tokens?
With those tokens the intruder can read and send mail from the victim's mailbox, reach OneDrive files and Teams messages — all without ever knowing the password. Because a valid session token is issued, standard two-factor authentication is bypassed, and the refresh token grants persistent access until it is revoked. That is why a single hijacked account can become an entry point into a whole company's correspondence. Locking down mail specifically is covered in our guide on protecting your email from compromise.
How can you protect yourself?
Never enter a device code you did not request. A code that arrives in an email, chat or over the phone is a red flag. Legitimate device sign-in starts on the device itself — a TV or a console — not from a link in a message.
Don't trust a real domain alone. This attack proves that a genuine microsoft.com page is not proof of safety. Before approving any sign-in, ask yourself which device actually asked for it.
Turn on and keep two-factor authentication. It will not stop this exact trick, but it blocks the far more common password-based attacks. Combine it with alertness rather than relying on it alone.
For organisations: restrict Device Code Flow. If your company does not need it, disable Device Authorization Grant through Conditional Access policies — this closes the door on the whole class of attack.
Where does a VPN fit in?
Be honest about the limits: a VPN will not stop you from entering an attacker's code on a real Microsoft page — only the "never enter unsolicited codes" rule defends against that. What a VPN does cover is the network layer: it encrypts your traffic on untrusted Wi-Fi so login sessions and tokens cannot be intercepted in transit, and it hides your real IP, shrinking the data used to target you with a convincing lure. See how LiMP VPN handles this and pick a plan on our pricing page. Treat it as one layer, not a replacement for vigilance.
Sources
This report is based on the Kaspersky / Securelist research and its coverage by CNews and Xakep (July 2026).
