PH-OAUTH-DEVCODEInitial Access

OAuth Device-Code Phishing

Trick a user into completing a device-code flow on attacker's behalf — gain an access + refresh token without ever seeing the password.

§ Where this technique fits

PH-OAUTH-DEVCODE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 1 on average.

§ Dossiers chaining this technique

OAuth device-code phishing → M365 access without a fake page
Initiate a device-code flow against login.microsoftonline.com; send the code + url to the victim via email or chat. Once they enter it, attacker gets access + refresh tokens.
step 1 / 6

§ What commonly comes next

01
Phishing
T1566 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

OAuth device-code phishing → M365 access without a fake page

§ What commonly comes next