ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, has recently observed a surge in phishing activity abusing Microsoft’s OAuth Device Code flow, with more than 180 phishing URLs detected in just one week.
By tricking victims into completing a legitimate Microsoft authentication step, attackers obtain OAuth tokens and access corporate M365 environments without ever handling the victim’s password, a technique that complicates detection and raises security risks for organizations.
Why This Attack Is a Serious Enterprise Risk
Several factors make this attack harder for SOC teams to detect:
- Victims authenticate on legitimate Microsoft domains
- Credentials and MFA are entered on real login pages
- The activity runs entirely over encrypted HTTPS traffic
- Access is granted through tokens rather than stolen passwords
For organizations, this means attackers can quickly access corporate email, internal documents, and collaboration platforms inside Microsoft 365. In some cases, refresh tokens can allow attackers to maintain access, turning a single phishing interaction into data exposure, business email compromise, or broader account takeover.
How the OAuth Device Code Phishing Attack Works
The walkthrough below is based on a real-world sample of this phishing attack analyzed inside the ANY.RUN sandbox.
In this case, the phishing workflow impersonates a document-sharing service and guides the victim through a sequence that appears legitimate. Instead of asking for credentials, the page instructs the user to copy a verification code and complete the authentication on a real Microsoft login page.
Once the victim enters the code and completes sign-in, Microsoft issues the OAuth tokens to the attacker’s client application.
A typical attack sequence looks like this:
- The victim lands on a fake document-sharing page impersonating DocuSign and is prompted to “Review Document.”
- The page displays a verification code and asks the user to copy it.
- The victim clicks “Continue to Microsoft.”
- A Microsoft authentication window opens on login.microsoftonline.com, asking the user to enter the verification code.
- The victim pastes the same code into the Microsoft device login page.
- Microsoft then issues OAuth tokens to the attacker-controlled client application that requested the code, and the attacker can now call Microsoft 365 services as the victim.
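To make the sequence concrete, here is an offline model of the OAuth 2.0 Device Authorization Grant (RFC 8628) as it is abused in the steps above. This is an added example, not ANY.RUN’s code and not Microsoft’s identity service: the authorization server, the client id `attacker-app`, the user `alice@corp.example`, her password and the verification URI are all constructed for the demo. The point it makes is that the attacker only ever holds the `device_code`; the victim’s credentials and MFA are presented to the identity provider, which then releases access and refresh tokens to whichever client requested the code.

```python
"""Offline model of the OAuth 2.0 Device Authorization Grant (RFC 8628)
as abused in the flow above. Toy authorization server, not Microsoft's:
endpoint names follow the RFC, the users and secrets are made up."""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class AuthorizationServer:
    """Minimal identity provider implementing the device grant."""

    def __init__(self, code_ttl=900, poll_interval=5):
        self._pending = {}        # device_code -> grant record
        self._by_user_code = {}   # user_code  -> device_code
        self._users = {"alice@corp.example": "correct horse"}   # constructed user store
        self.code_ttl, self.poll_interval = code_ttl, poll_interval

    def device_authorization(self, client_id, scope, now=None):
        """POST /devicecode: the client receives a device_code it keeps and a
        user_code meant to be shown to a human."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {"client_id": client_id, "scope": scope,
                                      "user_code": user_code, "expires": now + self.code_ttl,
                                      "approved_by": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",   # hypothetical
                "expires_in": self.code_ttl, "interval": self.poll_interval}

    def user_enters_code(self, user_code, username, password, now=None):
        """The verification page: the human types the user_code and then signs
        in normally. Credentials (and MFA) go to the IdP, never to the client."""
        now = time.time() if now is None else now
        rec = self._pending.get(self._by_user_code.get(user_code))
        if rec is None or now > rec["expires"]:
            return {"error": "expired_token"}
        if self._users.get(username) != password:
            return {"error": "access_denied"}
        rec["approved_by"] = username    # consent binds the grant to this user
        return {"status": "approved", "client_id": rec["client_id"], "scope": rec["scope"]}

    def token(self, client_id, device_code, now=None):
        """POST /token (grant_type=urn:ietf:params:oauth:grant-type:device_code):
        polled by the client with nothing but its device_code."""
        now = time.time() if now is None else now
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]   # a device_code is single-use
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),   # persistence after the lure is gone
                "token_type": "Bearer", "scope": rec["scope"], "subject": rec["approved_by"]}


def run_phishing_flow(idp=None):
    """Replays the sequence above: attacker requests a code, the lure page shows
    it, the victim completes sign-in on the real page, attacker polls for tokens."""
    idp = idp or AuthorizationServer()
    attacker_client = "attacker-app"                       # constructed client id
    grant = idp.device_authorization(attacker_client, "Mail.Read offline_access")
    # The phishing page displays grant["user_code"] and links to the real verification URI.
    first_poll = idp.token(attacker_client, grant["device_code"])   # still pending
    # The victim pastes the code on the IdP page and authenticates there, not on the lure.
    approval = idp.user_enters_code(grant["user_code"], "alice@corp.example", "correct horse")
    tokens = idp.token(attacker_client, grant["device_code"])
    return {"first_poll": first_poll.get("error"), "approval": approval.get("status"),
            "attacker_has_tokens": "access_token" in tokens, "acting_as": tokens.get("subject")}


if __name__ == "__main__":
    print(run_phishing_flow())
```

Two properties of the real flow are worth noticing in the model: the client polls with only the `device_code`, so nothing the victim types is ever visible to the attacker, and the grant is bound to whichever user approves the `user_code`, which is exactly why the lure only needs the victim to paste a code rather than a password.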

How Organizations Can Detect Token-Based Phishing Earlier
Because this attack relies on legitimate Microsoft authentication pages and encrypted HTTPS traffic, it can be difficult for traditional security tools to detect early.
ANY.RUN’s SSL decryption helps organizations uncover the hidden phishing flow sooner.
The sandbox extracts TLS session keys directly from process memory and decrypts the HTTPS traffic while the sample runs; in this case that revealed the malicious scripts and high-signal indicators such as the /api/device/start and /api/device/status/ endpoints and the X-Antibot-Token request header.
This gives security teams earlier visibility into token-based attacks and reduces the time attackers can operate inside corporate M365 environments.
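The indicators recovered from the decrypted traffic are only useful once they are turned into detection logic. The following is an added example, not ANY.RUN’s code: it classifies decrypted HTTP requests against the paths and header named above and correlates them, per user, with a subsequent device-code sign-in. The proxy records, the lure host `docs-review.example`, the user names and the application names are constructed; the `authenticationProtocol` value `deviceCode` is assumed to be present in the Entra ID sign-in export fed to the SIEM, and the device-login path on login.microsoftonline.com is an assumption as well.

```python
"""Detection logic for device-code phishing, run over constructed telemetry.
Added example, not ANY.RUN's code. The path and header indicators are the ones
recovered from the decrypted traffic above; the proxy/sign-in records below are
constructed for the demo."""
import re
from datetime import datetime, timedelta

# Indicators from the decrypted phishing traffic.
IOC_PATHS = (re.compile(r"^/api/device/start/?$"), re.compile(r"^/api/device/status/"))
IOC_HEADERS = {"x-antibot-token"}
# Microsoft's device login host is named above; the path prefix is an assumption.
MS_DEVICELOGIN_HOST = "login.microsoftonline.com"
MS_DEVICELOGIN_PATH = "/common/oauth2/deviceauth"


def classify_request(req):
    """Tag one decrypted HTTP request: 'phish_api', 'ms_devicelogin' or None."""
    headers = {k.lower() for k in req.get("headers", {})}
    if any(p.match(req["path"]) for p in IOC_PATHS) or headers & IOC_HEADERS:
        return "phish_api"
    if req["host"] == MS_DEVICELOGIN_HOST and req["path"].startswith(MS_DEVICELOGIN_PATH):
        return "ms_devicelogin"
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Per user, look for the chain phish_api request -> Microsoft device login
    page -> deviceCode sign-in. One alert per deviceCode sign-in; severity is
    'high' when lure traffic preceded it within the window, otherwise 'medium'
    (device-code sign-ins are rare for ordinary users and still deserve review)."""
    last_seen = {}   # (user, tag) -> datetime of the most recent tagged request
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "http":
            tag = classify_request(ev)
            if tag:
                last_seen[(ev["user"], tag)] = ts
        elif ev["type"] == "signin" and ev.get("authenticationProtocol") == "deviceCode":
            def recent(tag):
                t = last_seen.get((ev["user"], tag))
                return t is not None and ts - t <= window
            chain = [tag for tag in ("phish_api", "ms_devicelogin") if recent(tag)]
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "severity": "high" if "phish_api" in chain else "medium",
                           "evidence": chain, "app": ev.get("appDisplayName")})
    return alerts


SAMPLE_EVENTS = [   # constructed: decrypted proxy requests plus sign-in records
    {"type": "http", "ts": "2025-01-15T09:00:05", "user": "alice", "host": "docs-review.example",
     "path": "/api/device/start", "headers": {"X-Antibot-Token": "abc"}},
    {"type": "http", "ts": "2025-01-15T09:00:12", "user": "alice", "host": "docs-review.example",
     "path": "/api/device/status/7f3a", "headers": {}},
    {"type": "http", "ts": "2025-01-15T09:00:40", "user": "alice", "host": "login.microsoftonline.com",
     "path": "/common/oauth2/deviceauth", "headers": {}},
    {"type": "signin", "ts": "2025-01-15T09:01:30", "user": "alice",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"type": "signin", "ts": "2025-01-15T10:20:00", "user": "bob",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"},
    {"type": "signin", "ts": "2025-01-15T10:25:00", "user": "carol",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Matching the header name case-insensitively and the status endpoint by prefix is deliberate: the lure’s status polling carries a per-session suffix, and header casing varies by client. In practice the `phish_api` hits come from the decrypted sandbox or proxy traffic, while the sign-in side comes from the identity provider, so the correlation only works once both feeds land in the same SIEM.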
For security teams, this leads to:
- Earlier identification of phishing infrastructure and malicious activity
- Faster investigation and validation of suspicious authentication flows
- Stronger indicators that can be used to detect related campaign activity
- Shorter response time to contain compromised accounts and limit business impact
Bringing Detection Insights into Enterprise Security Workflows
Early detection is most effective when the findings can be quickly operationalized across the security stack.
ANY.RUN integrates with SIEM, SOAR, and threat intelligence platforms, allowing organizations to automatically push newly discovered IOCs and investigation results into their existing tools.
Powered by fresh threat intelligence from 600,000 security professionals across more than 15,000 organizations worldwide, this helps teams detect related activity faster and respond to campaigns like OAuth Device Code phishing before they spread across corporate M365 accounts.
Strengthen SOC Operations with Interactive Sandbox Analysis
Organizations that integrate ANY.RUN’s interactive sandbox into their security operations report measurable improvements in investigation speed and SOC efficiency.
Teams using the platform have achieved:
- Up to 20% decrease in Tier 1 workload through faster verification of suspicious files and links
- 30% reduction in Tier 1 to Tier 2 escalations, helping senior specialists focus on complex threats
- 21-minute reduction in MTTR per case, enabling faster containment of active incidents
- 94% of users reporting faster triage during daily investigation workflows
- Lower infrastructure costs by replacing hardware sandboxes with a scalable cloud environment
- Reduced breach risk thanks to earlier threat detection and better-informed response decisions
By giving security teams clear behavioral evidence of threats, interactive sandbox analysis helps organizations move from uncertain alerts to confident response decisions faster, reducing operational pressure across the SOC.
Strengthen your SOC operations with ANY.RUN to reduce escalation pressure, speed up triage, and improve detection of modern phishing threats.
