Phishing & Social Engineering
What is Device Code Phishing?
Device code phishing is a phishing technique that abuses the legitimate OAuth 2.0 device authorization grant flow to steal authentication tokens and compromise accounts.
Device code phishing is a phishing technique that abuses the legitimate OAuth 2.0 device authorization grant flow to steal authentication tokens and compromise accounts. The OAuth device code flow was designed for devices with limited input capabilities—such as smart TVs and IoT devices—where a user authenticates on a separate device (phone or computer) by entering a short code at a URL like microsoft.com/devicelogin. In a device code phishing attack, the attacker generates a device code using tools or APIs, socially engineers the victim into entering the code and authenticating on a legitimate login page, and then captures the resulting OAuth tokens—gaining full access to the victim's account and connected services without ever possessing the victim's credentials. The attack is particularly dangerous because all authentication happens on legitimate, trusted infrastructure, leaving no technical indicators for defenders to detect.
How does device code phishing work?
Device code phishing exploits the legitimate OAuth device authorization flow through a four-stage attack sequence. First, the attacker uses a tool (such as TokenTactics, Solenya, or direct API calls) to request a device code from Microsoft's OAuth endpoint. Critically, the attacker needs only the client_id of an existing OAuth application—this can be one of Microsoft's own first-party app IDs (such as Microsoft Authentication Broker), so no malicious app registration is required. This is a fundamental advantage because admin consent controls that block suspicious app registration have no effect on device code phishing.
Second, the attacker sends the victim a phishing email, Teams message, or other communication posing as a meeting invite, IT support request, or shared document request. The message directs the victim to visit microsoft.com/devicelogin (a legitimate Microsoft URL) and enter the provided device code. The attacker may create urgency by claiming the device code is required to access a calendar invite, shared file, or security update.
Third, the victim navigates to the legitimate Microsoft device login page, enters the code, and authenticates normally—including completing MFA if required. The victim sees the name of the OAuth application being authorized, but because attackers use legitimate Microsoft applications, this appears trustworthy and legitimate. To the victim, everything about the process appears completely normal and legitimate.
Fourth, after authentication completes, Microsoft issues access and refresh tokens. Because the attacker initiated the device code flow (they generated the code), the tokens are sent to the attacker's polling endpoint, not the victim's device. The attacker captures these tokens and uses them to access the victim's Microsoft 365 account (email, SharePoint, OneDrive, Teams, etc.) and any SSO-connected applications (Salesforce, Slack, and others). The refresh token allows persistent access that can last days to months depending on token lifetime policies.
This attack has several technical advantages for attackers. No malicious app registration is required, so admin consent controls are ineffective. The victim completes MFA during authentication, but the resulting token is captured by the attacker; future access via the token does not require MFA. Unlike consent phishing, the victim does not see or approve a detailed list of requested permission scopes, reducing suspicion. All authentication occurs on microsoft.com, so there are no fake login pages, no malicious URLs, and no attachments. The token can be used from a different device or location than where authentication occurred, potentially bypassing Conditional Access policies.
How does device code phishing differ from other token-based attacks?
Dimension | Device Code Phishing | Consent Phishing | Credential Phishing | AitM / Proxy Phishing |
|---|---|---|---|---|
What is Stolen | OAuth access + refresh token | OAuth app consent / token | Username + password | Session cookie / token |
Requires Malicious App Registration | No (uses legitimate/first-party apps) | Yes | No | No |
Victim Sees Permission Scopes | No | Yes (consent dialog) | No | No |
MFA Bypass | Yes—victim completes MFA, token captured | Yes—token-based access | No (unless combined with AitM) | Yes—real-time proxy |
Fake Login Page Required | No—uses legitimate microsoft.com | No—uses legitimate consent page | Yes | Yes (reverse proxy) |
Admin Consent Controls Effective | Limited—first-party apps used | Yes—can restrict user consent | N/A | N/A |
Detection via Sign-In Logs | Yes—"device code" auth protocol logged | Yes—consent grant events | Moderate | Difficult |
Persistence | Refresh token (long-lived) | Refresh token (long-lived) | Until password change | Session cookie lifetime |
Conditional Access Bypass | Partial (token usable from different device/location) | Partial | No | Partial |
Device code phishing differs critically from consent phishing. In consent phishing, the attacker registers a malicious OAuth app and tricks the victim into granting it permissions via a consent dialog. In device code phishing, no malicious app is registered—the attacker uses legitimate first-party Microsoft app IDs, and the victim never sees a permission consent screen. Consent phishing grants a third-party app access to the user's account; device code phishing steals the user's own authentication token. This makes device code phishing harder to block with admin consent policies because there is nothing suspicious in the app registration itself.
Device code phishing is harder to detect than consent phishing because the attack pattern is more obscure. Most employees are not familiar with the device code flow and cannot identify that entering a code at microsoft.com/devicelogin is unusual. In contrast, consent dialogs requesting broad permissions are increasingly recognized as suspicious by trained employees.
Why does device code phishing matter?
Device code phishing represents a critical emerging threat that has transitioned from limited, targeted attacks to widespread exploitation. According to Microsoft's Security Blog, "Storm-2372 conducts device code phishing campaign" (February 2025), the Russian-linked threat actor Storm-2372 has been conducting device code phishing since August 2024. As of February 2025, Microsoft revealed that Storm-2372 shifted to using the Microsoft Authentication Broker client ID specifically, making the attack harder to distinguish from legitimate device registrations.
By December 2025, device code phishing campaigns had become highly concentrated in specific regions and industries. According to Proofpoint and Infosecurity Magazine (December 2025), campaigns achieved 44%+ of victims in the US, notably targeting tech, manufacturing, and financial services sectors. This geographic and sectoral concentration suggests organized, focused attack campaigns rather than opportunistic phishing.
Multiple state-linked and financially motivated threat actors are actively exploiting device code phishing. Known actors include Storm-2372 (Russia-linked, active since August 2024), APT29 / Cozy Bear (Russia), UNK_AcademicFlare (suspected Russia-aligned, active since September 2025), and TA2723 (financially motivated, active since October 2025), according to Proofpoint (2025), Microsoft (2025), and Volexity (December 2025). China-aligned actors and other unattributed espionage campaigns have also been observed using device code phishing. UNK_AcademicFlare specifically has conducted device code phishing since at least September 2025 using compromised government and military email addresses to target US and European entities.
Proofpoint observed a "sharp increase" in device code phishing use by September 2025, representing a "significant shift from limited, targeted attacks to widespread exploitation." This timing coincides with the technique becoming more publicly documented and threat actors recognizing its effectiveness against Azure/Microsoft 365 environments where traditional defenses struggle.
What are the limitations of device code phishing attacks?
Device code phishing has several constraints. First, OAuth device codes expire quickly—typically within 15 minutes. The attacker must get the victim to authenticate before the code expires, creating time pressure and limiting the attack window. Second, device code phishing is only effective against OAuth 2.0 device code-enabled platforms, primarily Microsoft Entra ID / Azure AD and Google Cloud. It is not applicable to platforms that don't support device code flow.
Third, device code authentication is detectable in sign-in logs. Authentication via device code flow is logged with a specific protocol identifier ("device code") in Microsoft Entra sign-in logs. According to Bugcrowd (2024) and Microsoft (2025), monitoring for this is straightforward. Organizations that actively monitor sign-in logs for device code authentication can identify attacks quickly.
Fourth, Conditional Access policies can block device code authentication flows entirely or restrict them to specific users, devices, or locations, according to Microsoft Learn (2025). This is a highly effective mitigation that requires only policy configuration.
Fifth, the attack requires social engineering success. The victim must be convinced to visit the device login page and enter a code. This is an active step that can be defeated by awareness training and organizational policies against entering codes from unsolicited emails.
Sixth, token revocation is possible if the attack is detected. Compromised tokens can be revoked through the Microsoft Entra admin center, according to Microsoft (2025). Finally, the growing awareness of device code phishing since Microsoft's February 2025 disclosure of Storm-2372 is leading to increased defensive measures and threat intelligence sharing.
How can organizations defend against device code phishing?
The single most effective mitigation is blocking device code flow via Conditional Access policies. Organizations should create a Conditional Access policy using the "Authentication Flows" condition to block device code flow for all users, or restrict it to approved use cases only (specific users, operating systems, or named locations/IP ranges). According to Microsoft Learn, "Block authentication flows with Conditional Access policy" (2025), this is the primary recommended mitigation. This single policy can prevent device code phishing entirely.
Require compliant or Intune-registered devices for sign-ins. Conditional Access policies requiring sign-ins from compliant or Intune-registered devices will prevent device code phishing, since the attacker's polling device is not registered with the organization, according to Help Net Security (2025). This adds a technical barrier to post-compromise access.
Monitor sign-in logs actively for authentication events using "device code" protocol. Set up alerts for unexpected device code authentication, especially from unusual locations or user accounts. Investigate any device code sign-in immediately, as they should be rare in most enterprise environments. According to Bugcrowd (2024) and Microsoft (2025), this detection capability is straightforward to implement.
Reduce access token and refresh token lifetimes to limit the window of attacker access if tokens are stolen. Shorter-lived tokens mean attackers have less time to extract data or move laterally before tokens expire, according to Microsoft (2025). Many organizations can reduce token lifetimes from the default 60 minutes to 15-30 minutes without user experience degradation.
Revoke compromised tokens immediately upon detection. If a device code phishing attack is detected, immediately revoke all refresh tokens for the affected user via the Microsoft Entra admin center or PowerShell (Revoke-AzureADUserAllRefreshToken), according to Microsoft (2025). This terminates attacker access within seconds.
Conduct security awareness training specifically on device code phishing risks. Train users to be suspicious of any request to visit microsoft.com/devicelogin, especially when triggered by email or Teams messages. Educate employees that legitimate device code flows are typically only used for smart TVs, IoT devices, or similar limited-input scenarios. According to Proofpoint (2025), this specialized training is critical because device code flows are not well-understood by most employees.
While standard MFA doesn't prevent device code phishing (the victim completes MFA normally), phishing-resistant MFA methods like FIDO2 keys can add context that may help detect misuse, though specific effectiveness data is limited.
Disable device code flow for applications that don't need it. Most enterprise applications do not require device code authentication. According to Security Risk Advisors' "Purple Team PSA: Disable Device Code Flow" (2023), auditing and disabling unnecessary OAuth apps reduces overall attack surface.
FAQs
How does device code phishing bypass MFA?
The victim completes MFA normally on the legitimate Microsoft login page. The trick is that the resulting authentication tokens are sent to the attacker (who initiated the device code request), not the victim's device. Since future API access uses the token directly, MFA is never prompted again. The attacker obtains a token that is valid for accessing the victim's accounts without ever completing MFA again. This represents a fundamental security gap in the device code flow design when exploited maliciously.
What is the difference between device code phishing and consent phishing?
In consent phishing, the attacker registers a malicious OAuth app and tricks the victim into granting it permissions via a consent dialog. In device code phishing, no malicious app is registered—the attacker uses legitimate (often first-party Microsoft) app IDs, and the victim never sees a permission consent screen. Consent phishing grants a third-party app access; device code phishing steals the user's own authentication token. Device code phishing is harder to block with admin consent policies because there is nothing suspicious in the app registration. According to Push Security (2024) and Proofpoint (2025), device code phishing is also harder for most employees to recognize because the device code flow is unfamiliar.
Can device code phishing be blocked?
Yes. Microsoft Entra Conditional Access policies can block the device code authentication flow entirely using the "Authentication Flows" condition. Organizations can also restrict it to approved users, devices, or locations. This is the primary recommended mitigation and is highly effective. According to Microsoft Learn (2025), this policy-based approach is the most efficient defense.
Who is using device code phishing in the wild?
As of early 2026, known threat actors include Storm-2372 (Russia-linked, active since August 2024), APT29/Cozy Bear (Russia), UNK_AcademicFlare (suspected Russia-aligned, since September 2025), and TA2723 (financially motivated, since October 2025). China-aligned actors and other unattributed espionage campaigns have also been observed, according to Microsoft (2025), Proofpoint (2025), and Volexity (December 2025). The diversity of known actors suggests this technique has become widely known among threat actors and is rapidly being adopted.
Why don't traditional anti-phishing tools catch device code phishing?
Device code phishing emails contain no malicious links (the URL is legitimate microsoft.com/devicelogin), no malicious attachments, and no fake login pages. The authentication happens entirely on Microsoft's legitimate infrastructure. There is nothing technically malicious in the email or the login flow for traditional tools to flag. This is why Conditional Access policies and sign-in log monitoring are essential—they operate at the identity layer rather than the email layer, according to Proofpoint (2025) and Secureworks (2025).
