Device Code Phishing.

An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account. Pertenece a la categoría de Ataques y amenazas en ciberseguridad.

An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account.

Device code phishing weaponizes the RFC 8628 OAuth 2.0 device authorization grant, the same flow used by smart TVs, IoT devices, and CLI tools (Azure CLI, `az login --use-device-code`). The attacker initiates the flow against the target identity provider (typically Microsoft Entra ID), receiving a short user_code and a verification URL such as `https://microsoft.com/devicelogin`. They then send the victim a convincing message — meeting invite, IT-helpdesk request, support ticket — asking them to 'verify access' by visiting the (entirely legitimate) URL and entering the code. The victim authenticates with their real credentials and MFA, and the IdP issues tokens to the attacker's session, not the victim's device. Microsoft began throttling and warning on this flow in 2023–2024 and made device-code disable-by-default in some contexts in 2024 after Storm-2372 and Midnight Blizzard campaigns. Mitigations include disabling device code in Conditional Access for users who never need it, restricting it to specific managed clients, and educating users that no legitimate IT process requires them to type a code from an unsolicited message.

Las defensas contra Device Code Phishing combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.

Nombres alternativos comunes: Device authorization phishing, Storm-2372 technique.