Device Code Phishing
What is Device Code Phishing?
An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account.
Device code phishing weaponizes the RFC 8628 OAuth 2.0 device authorization grant, the same flow used by smart TVs, IoT devices and CLI tools (for example `az login --use-device-code`). The flow exists for clients that have no usable browser: the client asks the identity provider for a `device_code` and a short `user_code`, the user types the `user_code` into a browser on some other device, and the client polls the token endpoint until the IdP releases tokens. Nothing binds the code to the device that will receive the tokens, and that is exactly what the attacker abuses. The attacker initiates the flow against the target identity provider (typically Microsoft Entra ID), receiving a `user_code` and a verification URL such as `https://microsoft.com/devicelogin`, then sends the victim a convincing message (meeting invite, IT-helpdesk request, support ticket) asking them to 'verify access' by visiting the entirely legitimate URL and entering the code. The victim authenticates with their real credentials and MFA, and the IdP issues the access token and refresh token to the attacker's polling client, not to anything the victim controls. Because the request used a real client ID and the victim completed MFA, the resulting sign-in looks legitimate to most controls; the attacker's only constraint is timing, since the `user_code` expires after roughly fifteen minutes, so lures are usually delivered live over Teams or email while the code is valid. Storm-2372 and Midnight Blizzard both used the technique in campaigns that were publicly reported in early 2025, and Microsoft's guidance since then is to block the flow wherever it is not needed. Mitigations include blocking the device code flow in Conditional Access for users who never need it, restricting it to specific groups and managed devices, hunting the sign-in logs for the device code authentication protocol, and educating users that no legitimate IT process requires them to type a code from an unsolicited message.
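The exchange described above, walked through from both sides as an added example (not code from the original page). The authorization server is a toy in-memory model of the two RFC 8628 endpoints, with no network and constructed values throughout; the client name `attacker-cli`, the victim `alice@contoso.example`, the scopes and the 15-minute lifetime are all assumptions chosen for illustration.

```python
"""Simulated RFC 8628 device authorization grant.

Shows why the tokens land with whoever *started* the flow (and holds the
device_code), not with whoever typed the user_code. Added example; the server
is a toy model, not a real IdP, and every value is constructed.
"""
import secrets
import time


class DeviceAuthServer:
    """Toy authorization server with the two RFC 8628 endpoints plus the user step."""

    USER_CODE_TTL = 900   # seconds; constructed to mirror a 15-minute lifetime
    POLL_INTERVAL = 5

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # device_code -> authorization record

    def device_authorization(self, client_id, scope):
        """POST /devicecode: called by the *client* (here, the attacker's script)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. "3FA2-9C1B"
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": self._now() + self.USER_CODE_TTL, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": self.USER_CODE_TTL, "interval": self.POLL_INTERVAL}

    def user_approves(self, user_code, authenticated_user):
        """Victim opens verification_uri, signs in (password + MFA) and types the code.
        Nothing ties the code to the victim's own device; any unexpired match wins."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["expires"] > self._now():
                rec["approved_by"] = authenticated_user
                return True
        return False

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Only the holder of device_code, i.e. the party that started the flow, can redeem it."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires"] <= self._now():
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]   # single use
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": f"at.{rec['approved_by']}.{secrets.token_hex(8)}",
                "refresh_token": secrets.token_urlsafe(32)}


def walk_flow(server, victim="alice@contoso.example"):
    """Run the lure end to end and return what each side saw."""
    attacker_client = "attacker-cli"
    # 1. Attacker starts the flow and receives the user_code to put in the lure.
    start = server.device_authorization(attacker_client, "Mail.Read Chat.Read offline_access")
    # 2. Attacker polls; until the victim acts the IdP only answers "pending".
    first_poll = server.token(attacker_client, start["device_code"])
    # 3. Victim, lured by the message, types the code on the real login page.
    server.user_approves(start["user_code"], victim)
    # 4. Attacker's next poll receives tokens minted for the *victim's* identity.
    final = server.token(attacker_client, start["device_code"])
    return {"device_code": start["device_code"], "user_code": start["user_code"],
            "first_poll": first_poll, "final": final}


if __name__ == "__main__":
    result = walk_flow(DeviceAuthServer())
    print("lure code:", result["user_code"])
    print("tokens issued to attacker client:", result["final"])
```

The model also shows the two properties defenders rely on: the `device_code` is single-use and bound to the client that requested it, and the `user_code` dies after its TTL, which is why real lures are sent live rather than in bulk.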
● Examples
- 01
A Storm-2372 operator messages a target on Teams, claims to be from IT, and asks them to 'verify access' by entering a code at microsoft.com/devicelogin. The code belongs to a device-code flow the operator started moments earlier, so the victim's sign-in, password and MFA included, hands the operator an access token and refresh token for the victim's mailbox and Teams.
- 02
An Entra ID Conditional Access policy uses the Authentication flows condition to block the device code flow for all users, excluding only a small group of engineers who sign in with the Azure CLI from managed devices.
● Frequently asked questions
What is Device Code Phishing?
An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account. It belongs to the Attacks & Threats category of cybersecurity.
What does Device Code Phishing mean?
An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account.
How does Device Code Phishing work?
Device code phishing weaponizes the RFC 8628 OAuth 2.0 device authorization grant, the same flow used by smart TVs, IoT devices and CLI tools (for example `az login --use-device-code`). The flow exists for clients that have no usable browser: the client asks the identity provider for a `device_code` and a short `user_code`, the user types the `user_code` into a browser on some other device, and the client polls the token endpoint until the IdP releases tokens. Nothing binds the code to the device that will receive the tokens, and that is exactly what the attacker abuses. The attacker initiates the flow against the target identity provider (typically Microsoft Entra ID), receiving a `user_code` and a verification URL such as `https://microsoft.com/devicelogin`, then sends the victim a convincing message (meeting invite, IT-helpdesk request, support ticket) asking them to 'verify access' by visiting the entirely legitimate URL and entering the code. The victim authenticates with their real credentials and MFA, and the IdP issues the access token and refresh token to the attacker's polling client, not to anything the victim controls. Because the request used a real client ID and the victim completed MFA, the resulting sign-in looks legitimate to most controls; the attacker's only constraint is timing, since the `user_code` expires after roughly fifteen minutes, so lures are usually delivered live over Teams or email while the code is valid. Storm-2372 and Midnight Blizzard both used the technique in campaigns that were publicly reported in early 2025, and Microsoft's guidance since then is to block the flow wherever it is not needed. Mitigations include blocking the device code flow in Conditional Access for users who never need it, restricting it to specific groups and managed devices, hunting the sign-in logs for the device code authentication protocol, and educating users that no legitimate IT process requires them to type a code from an unsolicited message.
How do you defend against Device Code Phishing?
Block the flow where it is not needed: an Entra ID Conditional Access policy with the Authentication flows condition set to Device code flow and a Block grant, excluding only the group that genuinely signs in from browserless CLIs, or allowing it only from compliant or hybrid-joined devices. Detect the rest: in the Entra sign-in logs the authentication protocol field records device code sign-ins, so any such sign-in from a user, application or IP range outside the expected set should be treated as a suspected compromise, with the user's refresh tokens revoked (for example via the Graph `revokeSignInSessions` action) and the password reset. Finally, train users that no legitimate IT process asks them to type a code they received in an unsolicited message, and that the login page being genuine is not reassurance.
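The hunting step in practice, as an added example that is not part of the original page. Field names follow the Microsoft Graph `signIn` resource (`userPrincipalName`, `appDisplayName`, `ipAddress`, `authenticationProtocol`, `status.errorCode`); the records, the allow-listed user and the 'corporate' IP range are constructed for the example, and the policy they encode (device code only for one allowed user, only from corporate addresses) is an assumption, not Microsoft guidance.

```python
"""Hunt an Entra ID sign-in log export for device-code sign-ins that break policy.

Added example. Field names mirror the Microsoft Graph signIn resource; the
sample records, allow list and IP ranges below are constructed.
"""
import ipaddress
import json

# Constructed export: the shape of GET /auditLogs/signIns, trimmed to the fields used.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2025-02-12T09:14:03Z","userPrincipalName":"devops@contoso.example",
  "appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10",
  "authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2025-02-12T09:20:41Z","userPrincipalName":"alice@contoso.example",
  "appDisplayName":"Microsoft Authentication Broker","ipAddress":"198.51.100.77",
  "authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2025-02-12T09:22:10Z","userPrincipalName":"alice@contoso.example",
  "appDisplayName":"Outlook","ipAddress":"203.0.113.22",
  "authenticationProtocol":"oAuth2","status":{"errorCode":0}},
 {"createdDateTime":"2025-02-12T10:01:55Z","userPrincipalName":"bob@contoso.example",
  "appDisplayName":"Microsoft Azure CLI","ipAddress":"198.51.100.78",
  "authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
]""")

# Constructed policy: who may use the device code flow, and from which networks.
DEVICE_CODE_ALLOWED_USERS = {"devops@contoso.example"}
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def is_corporate(ip):
    """True if the address falls inside one of the (constructed) corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def find_suspicious_device_code_signins(signins, allowed_users=DEVICE_CODE_ALLOWED_USERS):
    """Return (upn, timestamp, reasons) for every device-code sign-in that breaks policy.

    Failed attempts are reported too: a victim who mistyped a password still
    tells you that a lure is circulating.
    """
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if s["userPrincipalName"] not in allowed_users:
            reasons.append("user not in device-code allow list")
        if not is_corporate(s["ipAddress"]):
            reasons.append(f"sign-in from non-corporate IP {s['ipAddress']}")
        error_code = s.get("status", {}).get("errorCode", 0)
        if error_code != 0:
            reasons.append(f"sign-in failed with errorCode {error_code}")
        if reasons:
            findings.append((s["userPrincipalName"], s["createdDateTime"], reasons))
    return findings


if __name__ == "__main__":
    for upn, when, reasons in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"{when} {upn}: {'; '.join(reasons)}")
```

The same filter in a Log Analytics workspace is `SigninLogs | where AuthenticationProtocol == "deviceCode"`, with the allow list and network check applied to the results; the allow-listed `devops` sign-in from the corporate range passes, while the two other device-code sign-ins are surfaced for triage.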
What are other names for Device Code Phishing?
Common alternative names include: Device authorization phishing, Storm-2372 technique.
● Related terms
- Phishing (attacks № 917)
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- OAuth 2.0 (identity-access № 839)
An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
- OAuth Consent Phishing (attacks № 840)
An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant.
- Account Takeover (ATO) (attacks № 011)
An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud.
- Social Engineering (attacks № 1182)
The psychological manipulation of people into performing actions or disclosing confidential information that benefits an attacker.
- Spear Phishing (attacks № 1191)
A targeted phishing attack tailored to a specific individual or organization using personal or professional details collected in advance.