Device Code Phishing.

An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account. 它属于网络安全的 攻击与威胁 分类。

An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account.

Device code phishing weaponizes the RFC 8628 OAuth 2.0 device authorization grant, the same flow used by smart TVs, IoT devices, and CLI tools (Azure CLI, `az login --use-device-code`). The attacker initiates the flow against the target identity provider (typically Microsoft Entra ID), receiving a short user_code and a verification URL such as `https://microsoft.com/devicelogin`. They then send the victim a convincing message — meeting invite, IT-helpdesk request, support ticket — asking them to 'verify access' by visiting the (entirely legitimate) URL and entering the code. The victim authenticates with their real credentials and MFA, and the IdP issues tokens to the attacker's session, not the victim's device. Microsoft began throttling and warning on this flow in 2023–2024 and made device-code disable-by-default in some contexts in 2024 after Storm-2372 and Midnight Blizzard campaigns. Mitigations include disabling device code in Conditional Access for users who never need it, restricting it to specific managed clients, and educating users that no legitimate IT process requires them to type a code from an unsolicited message.

针对 Device Code Phishing 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: Device authorization phishing, Storm-2372 technique。