Sublime rule, severity: high

Link: Microsoft device code authentication with suspicious indicators

Detects messages containing links with Microsoft device code authentication patterns, including verification prompts, copy code instructions, and suspicious API endpoints or antibot tokens commonly used in device code takeover attacks.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

type.inbound
and length(recipients.to) == 1
and 0 < length(body.links) < 15
and any(body.links,
        // strings commonly observed in the microsoft device code phishing lure
        regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                        "verification co(?:mplete|de)",
                        '\bcopy code\b',
                        "Secured by Microsoft",
                        "(?:redirecting to|opening) your document",
                        "preparing verification",
                        "(?:verify your identity|complete verification) with Microsoft"
        )
        // unique device code antibot token cookie, api path, ms device login path url
        and (
          regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                          'X-Antibot-Token',
                          '\/api\/device\/sta(?:rt|tus)\/',
                          'microsoft\.com\/devicelogin'
          )
          // or api path on workers dev associated with this activity
          or any(ml.link_analysis(., mode="aggressive").unique_urls_accessed,
                 strings.icontains(.path, '/api/device/start')
                 and strings.icontains(.domain.root_domain, 'workers.dev')
          )
        )
)
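
To make the predicate structure of the query concrete, here is an added Python model of the rule's logic, not Sublime's own code: the LinkAnalysis class is a constructed stand-in for the fields the rule reads from ml.link_analysis(), and the sample pages are constructed, not captured. It shows that lure wording alone does not fire; a link must also carry one of the DOM indicators or the workers.dev API path.

```python
import re
from dataclasses import dataclass, field

@dataclass
class LinkAnalysis:
    # Constructed stand-in for the fields the rule reads from ml.link_analysis(); not Sublime's API.
    display_text: str                 # final_dom.display_text
    raw: str                          # final_dom.raw
    urls_accessed: list = field(default_factory=list)  # (root_domain, path) pairs

LURE_TEXT = [                          # same patterns as the rule, matched case-insensitively
    r"verification co(?:mplete|de)", r"\bcopy code\b", r"secured by microsoft",
    r"(?:redirecting to|opening) your document", r"preparing verification",
    r"(?:verify your identity|complete verification) with microsoft",
]
DOM_INDICATORS = [r"X-Antibot-Token", r"/api/device/sta(?:rt|tus)/", r"microsoft\.com/devicelogin"]

def _any_match(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)

def link_is_suspicious(link):
    # Per-link predicate: lure text AND (DOM indicator OR /api/device/start on a workers.dev host).
    if not _any_match(LURE_TEXT, link.display_text):
        return False
    if _any_match(DOM_INDICATORS, link.raw):
        return True
    return any("/api/device/start" in path.lower() and "workers.dev" in root.lower()
               for root, path in link.urls_accessed)

def message_matches(inbound, to_count, links):
    # Message-level gates from the rule: inbound, exactly one To recipient, 1-14 body links.
    if not inbound or to_count != 1 or not (0 < len(links) < 15):
        return False
    return any(link_is_suspicious(link) for link in links)

# Constructed samples (not captured pages).
PHISH = LinkAnalysis(
    display_text="Preparing verification... Copy code and paste it to continue",
    raw='<script>fetch("/api/device/start/", {headers: {"X-Antibot-Token": "abc"}})</script>',
)
BENIGN = LinkAnalysis(  # lure-like wording alone is not enough for the rule
    display_text="Verification complete. Thanks for confirming your address.",
    raw="<p>Thanks!</p>",
)
WORKERS = LinkAnalysis(  # no DOM indicator, but the workers.dev API path was accessed
    display_text="Verify your identity with Microsoft", raw="<p>Loading...</p>",
    urls_accessed=[("workers.dev", "/api/device/start")],
)
```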

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Link: Microsoft device code authentication with suspicious indicators"
description: "Detects messages containing links with Microsoft device code authentication patterns, including verification prompts, copy code instructions, and suspicious API endpoints or antibot tokens commonly used in device code takeover attacks."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(recipients.to) == 1
  and 0 < length(body.links) < 15
  and any(body.links,
          // strings commonly observed in the microsoft device code phishing lure
          regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                          "verification co(?:mplete|de)",
                          '\bcopy code\b',
                          "Secured by Microsoft",
                          "(?:redirecting to|opening) your document",
                          "preparing verification",
                          "(?:verify your identity|complete verification) with Microsoft"
          )
          // unique device code antibot token cookie, api path, ms device login path url
          and (
            regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                            'X-Antibot-Token',
                            '\/api\/device\/sta(?:rt|tus)\/',
                            'microsoft\.com\/devicelogin'
            )
            // or api path on workers dev associated with this activity
            or any(ml.link_analysis(., mode="aggressive").unique_urls_accessed,
                   strings.icontains(.path, '/api/device/start')
                   and strings.icontains(.domain.root_domain, 'workers.dev')
            )
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "URL screenshot"
  - "Content analysis"
id: "0301b27d-8208-5a29-bdb1-f4c11e22eafd"