hunt-2025-041 | FP Rate: low | v1.0 | by Paul Newton

Workers.dev Phishing URL in Email — Device Code Campaign Detection

Platform

Microsoft Defender XDR, Microsoft 365

Data Sources

EmailUrlInfo, EmailEvents

MITRE ATT&CK

Tactics

Initial Access

Techniques

Threat Actors

Unknown

Tags

#phishing #device-code #cloudflare #workers-dev #email #mde

Hunt Hypothesis

Threat actors abusing device code authentication for phishing are hosting their lure pages on Cloudflare Workers domains (*.workers.dev). These domains are rarely seen in legitimate enterprise email and their presence in email URLs could be an indicator of a device code phishing campaign.

Workers.dev URL in Email

Analytic #1

Looks for EmailUrlInfo events containing a workers.dev domain and joins back to EmailEvents to surface the full context — sender, subject, recipient, and URL. workers.dev domains are not common in enterprise email and their presence warrants immediate investigation, particularly when combined with device code authentication events from the same user around the same time.

Detection Queries

KQL
// Match any host under workers.dev, including multi-label subdomains such as
// index-aj9.<name>.workers.dev, and stop at end of host so lookalikes like
// workers.dev.example.com do not match. (?i) makes the match case-insensitive.
// UrlDomain endswith ".workers.dev" is an equivalent regex-free filter.
EmailUrlInfo
| where Url matches regex @"(?i)https?://([a-z0-9][a-z0-9\-]*\.)+workers\.dev([/?#]|$)"
// Pull sender, subject and recipient for the message that carried the URL
| join kind=inner EmailEvents on NetworkMessageId
| summarize count() by
    Timestamp,
    SenderFromAddress,
    Subject,
    RecipientEmailAddress,
    Url
| order by Timestamp desc

Triage Steps

  1. Verify whether the recipient clicked the link and check for subsequent device code authentication events in SigninLogs for that user
  2. Inspect the workers.dev URL — look for sub-paths such as /b8184e32fd933ee3 style hashes which indicate per-victim lure pages
  3. Review the sender address and domain for signs of compromise or spoofing
  4. Check whether other recipients in the organisation received the same or similar email
  5. If the user clicked and authenticated, treat as a confirmed token theft — revoke sessions and rotate credentials immediately
  6. Block the workers.dev subdomain at email gateway and proxy

True Positive Example

Log Entry:
{
  "log_entry": {
    "Timestamp": "2026-01-15T09:22:11Z",
    "SenderFromAddress": "invoice@compromised-vendor.com",
    "Subject": "Project Proposal - Review Required",
    "RecipientEmailAddress": "target.user@contoso.com",
    "Url": "https://index-aj9.michelleteh-surgipro-com-sg-s-account.workers.dev/?email=projectproposal",
    "count_": 1
  }
}
Analysis:

Phishing URL clicked by target user. The workers.dev subdomain follows the naming pattern observed across this campaign — accountname-domain-s-account.workers.dev. Correlate with SigninLogs for device code authentications from this user within 15 minutes of this timestamp.
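A runnable model of the analytic and of the 15-minute correlation described in the analysis above, added here as an example and not part of the hunt's own query set: it applies the workers.dev host match to constructed EmailUrlInfo rows, inner-joins them to EmailEvents on NetworkMessageId, and attaches device-code sign-ins by the recipient within 15 minutes of delivery. The sample records, the message id, the sign-in entries and the assumption that SigninLogs marks device-code flows with AuthenticationProtocol == "deviceCode" are mine, not taken from the page.

```python
import re
from datetime import datetime, timedelta

# Host = one or more labels ending in .workers.dev, then end of string or a path/query/fragment,
# so a lookalike such as workers.dev.example.com is not matched.
WORKERS_DEV_RE = re.compile(
    r"^https?://(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+workers\.dev(?:[/?#]|$)",
    re.IGNORECASE)

def is_workers_dev_url(url: str) -> bool:
    return WORKERS_DEV_RE.match(url) is not None

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def hunt(email_url_info, email_events, signin_logs, window=timedelta(minutes=15)):
    """Inner-join workers.dev URL rows to EmailEvents on NetworkMessageId, then
    attach device-code sign-ins by the recipient within `window` of delivery."""
    events_by_msg = {e["NetworkMessageId"]: e for e in email_events}
    hits = []
    for row in email_url_info:
        ev = events_by_msg.get(row["NetworkMessageId"])
        if ev is None or not is_workers_dev_url(row["Url"]):
            continue
        t0 = _ts(ev["Timestamp"])
        signins = [s for s in signin_logs
                   if s["UserPrincipalName"].lower() == ev["RecipientEmailAddress"].lower()
                   and s["AuthenticationProtocol"] == "deviceCode"  # assumed SigninLogs value
                   and t0 <= _ts(s["TimeGenerated"]) <= t0 + window]
        hits.append({**ev, "Url": row["Url"], "DeviceCodeSignins": signins})
    return hits

# Constructed sample records, not real telemetry: URL, sender, subject and timestamp
# come from the true-positive example above; message id and sign-ins are placeholders.
EMAIL_URL_INFO = [
    {"NetworkMessageId": "msg-0001",
     "Url": "https://index-aj9.michelleteh-surgipro-com-sg-s-account.workers.dev/?email=projectproposal"},
    {"NetworkMessageId": "msg-0001", "Url": "https://contoso.sharepoint.com/sites/finance"},  # 2nd link, same mail
]
EMAIL_EVENTS = [
    {"NetworkMessageId": "msg-0001", "Timestamp": "2026-01-15T09:22:11Z",
     "SenderFromAddress": "invoice@compromised-vendor.com",
     "Subject": "Project Proposal - Review Required", "RecipientEmailAddress": "target.user@contoso.com"},
]
SIGNIN_LOGS = [  # device-code sign-in 9.5 min after delivery, then an unrelated OAuth sign-in
    {"TimeGenerated": "2026-01-15T09:31:40Z", "UserPrincipalName": "Target.User@contoso.com", "AuthenticationProtocol": "deviceCode"},
    {"TimeGenerated": "2026-01-15T10:05:00Z", "UserPrincipalName": "target.user@contoso.com", "AuthenticationProtocol": "oAuth2"},
]
if __name__ == "__main__":
    print([(h["Url"], len(h["DeviceCodeSignins"])) for h in hunt(EMAIL_URL_INFO, EMAIL_EVENTS, SIGNIN_LOGS)])
```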