Device Code Phishing.

An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account. サイバーセキュリティの 攻撃と脅威 カテゴリに属します。

An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account.

Device code phishing weaponizes the RFC 8628 OAuth 2.0 device authorization grant, the same flow used by smart TVs, IoT devices, and CLI tools (Azure CLI, `az login --use-device-code`). The attacker initiates the flow against the target identity provider (typically Microsoft Entra ID), receiving a short user_code and a verification URL such as `https://microsoft.com/devicelogin`. They then send the victim a convincing message — meeting invite, IT-helpdesk request, support ticket — asking them to 'verify access' by visiting the (entirely legitimate) URL and entering the code. The victim authenticates with their real credentials and MFA, and the IdP issues tokens to the attacker's session, not the victim's device. Microsoft began throttling and warning on this flow in 2023–2024 and made device-code disable-by-default in some contexts in 2024 after Storm-2372 and Midnight Blizzard campaigns. Mitigations include disabling device code in Conditional Access for users who never need it, restricting it to specific managed clients, and educating users that no legitimate IT process requires them to type a code from an unsolicited message.

Device Code Phishing に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

一般的な別名: Device authorization phishing, Storm-2372 technique。