campaign-device-code-03-2026 active
Device Code Phishing
Device Code Phishing via Cloudflare Workers ā PhaaS Campaign
A large-scale Phishing-as-a-Service (PhaaS) campaign abusing Microsoft Device Code Authentication, delivered via Cloudflare Workers. Victims receive phishing emails with links to workers.dev domains that serve branded lure pages (Adobe, DocuSign, Outlook) containing real Microsoft device codes. When the victim enters the code at the Microsoft device login portal, the attacker's backend silently exchanges it for an access token and refresh token. Infrastructure spans 326 unique workers.dev hostnames across 1,337 known URLs, with per-victim session tokens baked into every phishing link.
525 domains
Uncovering a New Device Code Pā¦ Device Code Phishing Campaign ā¦
First seen Updated