RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research
Mario Vuksan

Software Supply Chain Security Just Got Its Own Magic Quadrant — and RL Is In It 

SSCS is a footnote that grew up, moved out, and got its own report. 

Read More about Software Supply Chain Security Just Got Its Own Magic Quadrant — and RL Is In It 
Software Supply Chain Security Just Got Its Own Magic Quadrant — and RL Is In It 

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

The inaugural Gartner® Magic Quadrant™ for Software Supply Chain Security is outGET THE REPORT
Skip to main content
Contact UsSupportBlogCommunity
reversinglabsReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsBlack Hat 2026
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu
Products & TechnologyJuly 8, 2026

Spectra Analyze in Action: Hunting Device Code Phishing Pages

RL recently discovered active Microsoft 365 device code phishing. Here's a walkthrough of how our researchers found the campaign.

ReversingLabs Inc. Logo
RL Research TeamRL Research Team
FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
Spectra Analyze in Action: Hunting Device Code Phishing Pages

Last week, RL discovered an active Microsoft 365 device code phishing campaign that abuses Microsoft's legitimate OAuth 2.0 Device Authorization Grant flow to obtain access to victim accounts.

Rather than stealing passwords through a counterfeit login page, the phishing kit persuades victims to complete a legitimate Microsoft authentication process that authorizes an attacker-controlled device.

You can find a deep dive on how it works, including the phishing lure and attack workflow, code for the landing page, IOCs, and detection opportunities at RL Blog.

YARA

The full-length blog, above, includes a YARA rule that can be used to detect phishing landing pages.

rule DeviceCode_Phishing_LandingPageHTML
{
    meta:
        author = "Malware Utkonos"
        date = "2026-05-20"
        description = "Detects Device Code phishing kit landing page HTML."
    strings:
        $login_akam = "aka.ms/devicelogin"
        $login_msft = "microsoft.com/devicelogin"
        $login_mso1 = "login.microsoftonline.com/common/oauth2/deviceauth"
        $login_mso2 = "login.microsoftonline.com/common/oauth2/v2.0/deviceauth"
        $login_live = "login.live.com/oauth20_remoteconnect.srf"
        $login_link = "microsoft.com/link"

        $unicode_zws = { E2808B }
        $unicode_zwnj = { E2808C }
        $unicode_wj = { E281A0 }

        $dc = "\"dc="

        $evosts = "\x15\x15\xd9\xbd\x4d\xd1\xcd\x05\xc9\xd1\xa5\x99\x85\x8d\xd1\xcc" base64("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

    condition:
        any of ($login*) and
        any of ($unicode*) and
        $dc and $evosts and
        filesize < 1MB
}

You can enable this rule in Spectra Analyze and run a retrohunt to identify any historic landing pages in either our own locally submitted files or the ReversingLabs file corpus. In Spectra Analyze, select the YARA option in the upper right corner. Then, select “Add Ruleset” and “Create Ruleset” from the drop down menu. Copy and paste the YARA rule above, and then save it, as shown below. You select the “Enable Ruleset” option on the upper left, as well as the “Run Ruleset Continuously in Spectra Intelligence” option if you want to match against any future submitted samples.

Spectra Analyze’s YARA rule editing mode

Figure 1. Spectra Analyze’s YARA rule editing mode

After saving our rule, select the button on the right and “Run Cloud Retro Hunt” from the dropdown menu. This kicks off our hunt. A status bar will appear that tracks the progress of our hunt.

Enabling a cloud retro hunt in Spectra Analyze

Figure 2: Enabling a cloud retro hunt in Spectra Analyze.

After the hunt finishes, you can review our results. In this case, the results of the YARA rule are device code phishing page response content of this campaign. These landing pages are available for threat hunting and analysis in Spectra Analyze due to a key feature of Spectra Intelligence’s URL analysis. Spectra Intelligence’s URL analysis, a cloud service, captures the HTML response page when crawling a URL and saves it as a “first citizen” file. This makes it very straightforward to hunt through these HTML response files during a threat hunt.

YARA rule results in Spectra Analyze

Figure 3. YARA rule results in Spectra Analyze.

Above, you can see that our YARA hunt matches 765 samples, with the newest samples seen only a few hours ago. This makes it clear that this is still ongoing malicious activity. If youYo select and view the first sample, we can fetch and analyze the sample locally by clicking the button in the upper right corner. After analysis completes, refresh the page. Now, we are able to select the “preview/visualizations” option under “File Analysis” in the top left corner.

Hex preview of matching sample 87158731a98f30ff8a6280e5e14f094a402a861d

Figure 4. Hex preview of matching sample 87158731a98f30ff8a6280e5e14f094a402a861d.

A neat feature in Spectra Analyze allows us to highlight the matches of our YARA rule corresponding to specific strings. You can actually use the arrows to flip through and highlight all of the matches in our rule. 

Network Locations

If you select the “Network Locations” option under “Sources” in the left hand toolbar, you can see the malicious URL this HTML landing page was collected from, corresponding to the shortened URL highlighted in Figure 4. As discussed, Spectra Intelligence saves landing pages as primary files, directly corresponding to the source URL, which makes it a powerful tool for threat hunting scenarios.

Keep learning

  • Learn how Gartner® named RL a supply chain security 'visionary.' Download: Gartner® Magic Quadrant™ for Software Supply Chain Security.
  • Get key insights into why Gartner® identified binary analysis a must-have control in its recent CISO Playbook for Commercial Software Supply Chain Security.
  • Get up to speed on the Agentic Development Security tools landscape in this webinar with Forrester Sr. Analyst Janet Worthington.
  • Take a deep dive on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar discussing the findings.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Plus: Join the free Spectra Assure Community today to get hands-on with RL's binary analysis-based software supply chain security platform.

Tags:Products & TechnologySpectra Analyze In Action

More Blog Posts

MQ for SSCS blog

This Report from Gartner Defines the Software Supply Chain Security Market

Explore the new Gartner® Magic Quadrant™ for software supply chain security and learn why ReversingLabs is recognized. 

Learn More about This Report from Gartner Defines the Software Supply Chain Security Market
This Report from Gartner Defines the Software Supply Chain Security Market
Mario Vuksan

Software Supply Chain Security Just Got Its Own Magic Quadrant — and RL Is In It 

SSCS is a footnote that grew up, moved out, and got its own report. 

Learn More about Software Supply Chain Security Just Got Its Own Magic Quadrant — and RL Is In It 
Software Supply Chain Security Just Got Its Own Magic Quadrant — and RL Is In It 
Mario Vuksan

Gartner® Named RL a Software Supply Chain Security Visionary. Here’s What We See Coming

The first Magic Quadrant™ for Software Supply Chain Security comes as, we feel, the demand for greater supply chain visibility explodes.

Learn More about Gartner® Named RL a Software Supply Chain Security Visionary. Here’s What We See Coming
Gartner® Named RL a Software Supply Chain Security Visionary. Here’s What We See Coming
2026-06-18_Forrester & RL Upcoming Webinar

Forrester Names RL in Agentic Development Security Market

The new landscape report maps 35 vendors addressing an emerging category of risk: AI agents writing insecure code at machine speed.

Learn More about Forrester Names RL in Agentic Development Security Market
Forrester Names RL in Agentic Development Security Market

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top