Device Code Phishing: Abusing Legitimate Microsoft 365 Authentication

  • FEBRUARY 25TH, 2026
  • 2min read

In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors. This works because they’re abusing Microsoft’s legitimate OAuth device flow.

How it works

The attacker generates a legitimate device code request and tricks the victim into entering the code on a real Microsoft sign-in page (microsoft.com/devicelogin). Because the link points at Microsoft’s own infrastructure rather than a look-alike domain, the lure passes SPF, DKIM, DMARC, and secure email gateway checks.

When the targeted person enters the code, they will be prompted to log in with their credentials and complete any MFA verifications, just as they normally would when logging in. After authenticating, Microsoft displays the name of the OAuth application that was authorised.

This action issues valid access and refresh tokens to the attacker, allowing them to access the victim’s account and related services (e.g., email or cloud storage) without needing a password. Access persists as long as the tokens remain valid, enabling potential lateral movement within the environment.

How to Protect Your Organization

1. Restrict Device Code Flow: Administrators should turn off the device code flow wherever it is not required and enforce Conditional Access policies.

2. Harden Conditional Access: Require compliant devices, trusted locations, and phishing-resistant MFA (e.g., FIDO2 keys).

3. Employee Awareness: Users should never enter a login code unless they initiated the request themselves. If in doubt, report it.
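The two administrative controls above can be checked and monitored in code. The following is an added defensive example written for this advisory; it is not code from CIL or from Microsoft. It triages sign-in log records for successful device code flow authentications (flagging those from a country outside the organisation's expected set) and audits a Conditional Access policy object to confirm it actually blocks the device code flow. The record and policy shapes follow the Microsoft Graph `signIn` and `conditionalAccessPolicy` resources (`authenticationProtocol`, `conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`); the sample records, the example.com users, the IP addresses and the expected-country set are all constructed for the example.

```python
"""
Added defensive example (not part of the CIL advisory): triage Microsoft Entra
sign-in records for device code flow authentications and audit a Conditional
Access policy for whether it blocks that flow.

Assumptions: record fields mirror the Graph signIn resource
(authenticationProtocol, userPrincipalName, ipAddress, location,
appDisplayName, status); the policy mirrors conditionalAccessPolicy.
All sample data below is constructed, not taken from a real tenant.
"""
import json

# Constructed sample sign-in records (not real logs). Only the fields used
# by the triage logic are included.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
  "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
  "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "GB"},
  "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "NL"},
  "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
]
""")

# Countries where this (hypothetical) organisation expects its users to sign in.
EXPECTED_COUNTRIES = {"GB"}


def device_code_signins(records):
    """Return only successful sign-ins that used the device code flow."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode", 0) == 0]


def triage(records, expected_countries=EXPECTED_COUNTRIES):
    """Score each successful device code sign-in.

    The token is issued to whoever polls the token endpoint with the device
    code, not to the machine the victim typed it on, so a device code sign-in
    from a location the user does not normally appear from is the signal
    worth escalating. A device code sign-in on its own is still worth a look
    in tenants where the flow is rarely used legitimately.
    """
    findings = []
    for r in device_code_signins(records):
        country = r.get("location", {}).get("countryOrRegion")
        reasons = ["device code flow used"]
        if country not in expected_countries:
            reasons.append(f"sign-in location {country} outside expected set")
        findings.append({
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "app": r["appDisplayName"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


def policy_blocks_device_code(policy):
    """Audit a Conditional Access policy object.

    True only if the policy is enabled, targets the deviceCodeFlow transfer
    method (transferMethods is a comma-separated string in Graph) and its
    grant control is 'block'. Anything less does not implement step 1.
    """
    if policy.get("state") != "enabled":
        return False
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    methods = {m.strip() for m in flows.get("transferMethods", "").split(",")}
    if "deviceCodeFlow" not in methods:
        return False
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    return "block" in controls


# Constructed policy that implements protection step 1 for all users and apps.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["user"], f["ip"], f["app"], "; ".join(f["reasons"]))
    print("policy blocks device code flow:",
          policy_blocks_device_code(BLOCK_DEVICE_CODE_POLICY))
```

Run against the constructed records, the script reports alice's device code sign-in from NL as high severity and bob's from GB as medium, and ignores carol's because the sign-in failed. In a real tenant the records would come from the Entra sign-in logs (or the same data forwarded to a SIEM) and the policy check would run over the policies exported from the tenant; note that `policy_blocks_device_code` deliberately returns False for a policy that is in report-only state, since that state blocks nothing.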
