Sublime Core Feed
High Severity

Link: Microsoft device code authentication with suspicious indicators

Description

Detects messages whose links resolve to pages with Microsoft device code authentication patterns: verification prompts, copy-code instructions, and the suspicious API endpoints or antibot tokens commonly used in device code takeover attacks.

References

No references.

Sublime Security
Created Mar 12th, 2026 • Last updated Mar 12th, 2026
Source
type.inbound
and length(recipients.to) == 1
and 0 < length(body.links) < 15
and any(body.links,
        // strings commonly observed in the Microsoft device code phishing lure (rendered page text)
        regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                        "verification co(?:mplete|de)",
                        '\bcopy code\b',
                        "Secured by Microsoft",
                        "(?:redirecting to|opening) your document",
                        "preparing verification",
                        "(?:verify your identity|complete verification) with Microsoft"
        )
        // kit markers in the raw DOM: antibot token cookie, device API path, or the Microsoft device login URL
        and (
          regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                          'X-Antibot-Token',
                          '\/api\/device\/sta(?:rt|tus)\/',
                          'microsoft\.com\/devicelogin'
          )
          // or the device-start API path served from a workers.dev host, associated with this activity
          or any(ml.link_analysis(., mode="aggressive").unique_urls_accessed,
                 strings.icontains(.path, '/api/device/start')
                 and strings.icontains(.domain.root_domain, 'workers.dev')
          )
        )
)
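The rule above requires both a lure phrase in the rendered page and an infrastructure marker (antibot token, device API path, Microsoft device login URL, or a workers.dev device-start path). The following Python is an added re-implementation of that two-stage logic over constructed link-analysis results; it is not Sublime's code or MQL engine, and the LinkAnalysis class and its (root_domain, path) tuples are stand-ins for the ml.link_analysis fields the rule reads.

```python
import re
from dataclasses import dataclass

# Stage 1: lure phrases the rule looks for in the rendered page's display text.
LURE_PATTERNS = [
    r"verification co(?:mplete|de)",
    r"\bcopy code\b",
    r"Secured by Microsoft",
    r"(?:redirecting to|opening) your document",
    r"preparing verification",
    r"(?:verify your identity|complete verification) with Microsoft",
]
# Stage 2: kit markers in the raw DOM (antibot token, device API path, device login URL).
RAW_PATTERNS = [r"X-Antibot-Token", r"/api/device/sta(?:rt|tus)/", r"microsoft\.com/devicelogin"]

@dataclass
class LinkAnalysis:
    """Constructed stand-in for the rule's link_analysis output; not Sublime's API."""
    display_text: str
    raw: str
    urls_accessed: list  # (root_domain, path) pairs the crawler fetched

def lure_text_present(la: LinkAnalysis) -> bool:
    return any(re.search(p, la.display_text, re.I) for p in LURE_PATTERNS)

def infra_marker_present(la: LinkAnalysis) -> bool:
    if any(re.search(p, la.raw, re.I) for p in RAW_PATTERNS):
        return True
    # Alternative branch: the device-start API path served from a workers.dev host.
    return any("/api/device/start" in path.lower() and "workers.dev" in root.lower()
               for root, path in la.urls_accessed)

def link_matches(la: LinkAnalysis) -> bool:
    # Both stages must hit; lure text alone (e.g. a legitimate Microsoft page) is not enough.
    return lure_text_present(la) and infra_marker_present(la)

def message_matches(recipient_count: int, links: list) -> bool:
    # Message-level gates from the rule: exactly one recipient and 1..14 links.
    if recipient_count != 1 or not (0 < len(links) < 15):
        return False
    return any(link_matches(la) for la in links)

# Constructed samples, not real captures.
PHISH = LinkAnalysis(
    display_text="Preparing verification... Copy code and sign in. Secured by Microsoft",
    raw='<script>fetch("/api/device/start/",{headers:{"X-Antibot-Token":"t"}})</script>',
    urls_accessed=[("workers.dev", "/api/device/start")])
BENIGN = LinkAnalysis(
    display_text="Secured by Microsoft Defender. Contact support.", raw="<html><body>Welcome</body></html>",
    urls_accessed=[("example.com", "/")])
```

BENIGN trips the lure stage but not the marker stage, which is why the rule ANDs the two: page text alone would flag legitimate Microsoft-branded pages.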