Link: Microsoft device code authentication with suspicious indicators

Detects messages containing links with Microsoft device code authentication patterns, including verification prompts, copy code instructions, and suspicious API endpoints or antibot tokens commonly used in device code takeover attacks.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The keys other than `source` are rule
# metadata; the detection logic is the MQL expression in the `source` block.
name: "Link: Microsoft device code authentication with suspicious indicators"
description: "Detects messages containing links with Microsoft device code authentication patterns, including verification prompts, copy code instructions, and suspicious API endpoints or antibot tokens commonly used in device code takeover attacks."
type: "rule"
severity: "high"
# MQL query. Comments inside this block must use `//` (MQL comment syntax):
# a `#` here would be part of the block scalar and therefore of the query.
source: |
  // inbound mail only
  type.inbound
  // exactly one addressee -- presumably narrows to targeted one-to-one lures;
  // confirm against FP/FN data before widening
  and length(recipients.to) == 1
  // at least one link, fewer than 15 -- presumably bounds link-analysis cost;
  // note that link-heavy messages therefore fall outside this rule
  and 0 < length(body.links) < 15
  // one link must satisfy BOTH the lure-text check and the indicator check
  // below. ml.link_analysis(., mode="aggressive") is requested up to three
  // times for the same link; whether the engine caches that result is not
  // visible here
  and any(body.links,
          // strings commonly observed in the microsoft device code phishing lure
          // (matched, case-insensitively, against the visible text of the final DOM)
          regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                          "verification co(?:mplete|de)",
                          '\bcopy code\b',
                          "Secured by Microsoft",
                          "(?:redirecting to|opening) your document",
                          "preparing verification",
                          "(?:verify your identity|complete verification) with Microsoft"
          )
          // unique device code antibot token cookie, api path, ms device login path url
          // (matched against the raw HTML of the final DOM; the escaped slashes
          // and dot are literal characters in the regex)
          and (
            regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                            'X-Antibot-Token',
                            '\/api\/device\/sta(?:rt|tus)\/',
                            'microsoft\.com\/devicelogin'
            )
            // or api path on workers dev associated with this activity
            // (checked against the URLs the analysis recorded as accessed,
            // unique_urls_accessed, rather than against the DOM)
            or any(ml.link_analysis(., mode="aggressive").unique_urls_accessed,
                   strings.icontains(.path, '/api/device/start')
                   and strings.icontains(.domain.root_domain, 'workers.dev')
            )
          )
  )

# Classification metadata (used for reporting/triage, not by the query)
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "URL screenshot"
  - "Content analysis"
# Stable rule identifier (UUID)
id: "0301b27d-8208-5a29-bdb1-f4c11e22eafd"