Overview
A growing attack pattern abuses Microsoft’s device authentication flow to bypass traditional credential theft detection. Instead of stealing passwords directly, the adversary tricks the user into authorizing the attacker’s device, resulting in full account takeover with a trusted session. Figure 1 gives an overview of the phishing attack.

Figure 1: Device Authentication Phishing Overview
Phishing Delivery
The attacker sends a phishing email impersonating a trusted service (e.g., Microsoft security alert, document access request, or compliance notice).
The goal is to drive the victim to a malicious website.
In the recent incident, we observed the cybercriminal sending the target an email with the theme "Salary Increase Notification Acknowledgment Required As of Today." Figure 2 shows the phishing email.

Figure 2: Device Authentication Phishing Email
The email contains a “Salary Increase Signature Required” document that includes a QR code linking to the phishing page. Figure 3 shows the document containing the QR code.

The QR code directs users to the following URL, which serves as a redirector to the final phishing site.
hxxps://hti-245401512.hs-sites-na2[.]com/[campaign id]
The final phishing URL is as follows:
hxxps://salaryadjustment-2afb52[.]pmb6fefc52b3f9aa5c2dbf.workers[.]dev/?utm_source=email&utm_medium=campaign
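
A defender-side triage sketch for the two indicators above, added here as an example and not part of the original report: it refangs the published URLs, then separates exact host matches from other hosts on the same shared platforms. Treating the parent domains hs-sites-na2.com and workers.dev as a low-confidence hunting signal is an assumption, as are the function names and the constructed sample URLs.

```python
from urllib.parse import urlsplit

# Defanged indicators exactly as published in this article.
PAGE_IOCS = [
    "hxxps://hti-245401512.hs-sites-na2[.]com/[campaign id]",
    "hxxps://salaryadjustment-2afb52[.]pmb6fefc52b3f9aa5c2dbf.workers[.]dev/?utm_source=email&utm_medium=campaign",
]
# Assumption: the shared-hosting parent domains of those two hosts are a
# low-confidence hunting signal only (legitimate sites live there too).
HOSTING_SUFFIXES = ("hs-sites-na2.com", "workers.dev")


def refang(ioc: str) -> str:
    """Undo the page's defanging: hxxp scheme and bracketed dots."""
    url = ioc.replace("[.]", ".")
    return "http" + url[4:] if url.lower().startswith("hxxp") else url


def host_of(url: str) -> str:
    """Lower-cased hostname without a trailing dot, or '' if absent."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


IOC_HOSTS = {host_of(refang(i)) for i in PAGE_IOCS}


def classify(url: str) -> str:
    """'ioc' = exact host from the page, 'hosting' = same platform, else 'none'."""
    host = host_of(refang(url))
    if host in IOC_HOSTS:
        return "ioc"
    # Label-boundary match: 'notworkers.dev' must not count as the platform.
    if any(host.endswith("." + s) for s in HOSTING_SUFFIXES):
        return "hosting"
    return "none"


# Constructed sample: URLs as they might be decoded from QR codes in mail.
SAMPLE = [
    "https://SALARYADJUSTMENT-2afb52.pmb6fefc52b3f9aa5c2dbf.workers.dev./?x=1",
    "https://constructed-sample-0000.workers.dev/",
    "https://notworkers.dev/login",
    "https://workers.dev.example.net/",
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(f"{classify(u):8} {u}")
```

An "ioc" result is an exact match on a host from this report; a "hosting" result only says the URL sits on the same platform and needs further review.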
