microsoft

Analysis of a device code phishing operation built on the open-source GraphSpy tool, extended with a custom phish page generator and Cloudflare tunnel infrastructure, found via an exposed open directory and unauthenticated operator panel.

A deep dive into Device Code Lab, a professional grade, device code phishing platform, with numerous defense evasion and post-exploitation features.

A follow-up investigation mapping 1,337 phishing URLs across 326 workers.dev hostnames, confirming a PhaaS multi-tenant architecture, encrypted client-side payloads, and new lure variants targeting Adobe, DocuSign, and Outlook branding.

Uncovering a phishing campaign abusing Microsoft Device Code Authentication and Cloudflare Worker Pages, with detection hunts for Entra and Microsoft 365.

A look at a new phishing campaign, ConsentFix which utilises click-fix style techniques to steal auth tokens.

A walkthrough of different Token Theft Scenarios with Detections

Detecting abuse of VSCode Remote Tunnels for C2 and persistence by threat actors

How threat actors abuse Microsoft Dev Tunnels for C2 communication and detection strategies