This threat might not be on everyone’s radar yet, but it is one you cannot afford to ignore. Device Code Phishing is a new attack method that lets cybercriminals bypass your security defenses without ever needing your password.
The attack takes advantage of a legitimate authentication process that many businesses use to streamline device logins. It is simple. The attacker sends the victim to a trusted login page, where they enter a device code. Everything looks normal. But behind the scenes, they are giving the attacker full access to their account.
Once you understand how it works, it will be clear why this technique is so dangerous and how to defend against it. Let us break it down.
How This Scam Works
Device code authentication is commonly used in enterprise environments to allow users to sign in from input-constrained devices that cannot perform interactive authentication, such as devices without full web browsers. In this flow, the user is asked to visit a legitimate URL (for example, microsoft.com/devicelogin) and enter a numeric or alphanumeric code to authenticate their session. While this is designed to simplify authentication, it has become a prime target for attackers.
In a device code phishing attack, the threat actor generates a valid device code and tricks the victim into entering it on a legitimate sign-in page. Since the process appears legitimate and uses trusted authentication mechanisms, the victim does not suspect any wrongdoing.
Once the victim enters the code, the attacker gains access by capturing the resulting authentication tokens, both access and refresh tokens. These tokens are key to accessing the target’s accounts and data. The attacker can use these tokens to gain unauthorized access to other connected services where the user has permissions, such as email, cloud storage, or internal applications, without needing the user’s password or multi-factor authentication (MFA).
The attack is particularly dangerous because the tokens remain valid until they expire, allowing the attacker to maintain persistent access. Furthermore, the attacker can use the valid access tokens to move laterally within the organization, compromising additional systems and data as long as the tokens remain active.
It’s Already Happening

We’re seeing this in live attacks. Social engineering groups are using fake QR codes, malicious mobile apps, or phishing pages that prompt the user to “verify their account” using a device code. The user, thinking everything is fine, logs in, and the attacker gets in the back door.
One of the most prominent examples of this tactic is the Storm-2372 campaign. Since August 2024, this group has been actively targeting Microsoft accounts across multiple sectors using device code phishing. By exploiting the device code authentication flow, attackers are able to capture authentication tokens and gain unauthorized access to accounts without needing the user’s password or multi-factor authentication (MFA). This campaign has affected a wide range of organizations, including governments and NGOs, across multiple regions.
To be clear, this isn’t a vulnerability. It’s an abuse of an allowed feature in most cloud environments. That’s what makes it so hard to detect.
You’ll see a legitimate login in your logs. It’s the user’s IP. It’s the user’s MFA. But it’s the attacker sitting behind the session.
What This Means for You
If you’re leading security for your organisation, this should be a wake-up call. Your MFA, conditional access, SSO? They can all be bypassed if the attacker convinces one person to complete a login flow they didn’t start.
Let me say it another way. Attackers don’t need to compromise your infrastructure if they can socially engineer your users into handing it over. This is the exact kind of scenario we prepare for with security awareness training. Because your people are the last line of defense and often the first target.
Here’s What You Can Do Right Now
This isn’t hard to fix if you’re proactive. Start with this checklist:
- Turn off device code flows in Azure AD, Okta, or whatever IdP you’re using, unless you absolutely need them.
- Audit your logs for “device code” grant types. If you’re seeing this and nobody’s using smart devices or command-line tools, you’ve got a problem.
- Update your training materials to include device code phishing. Your users need to know if they didn’t start it, they shouldn’t complete it.
- Implement strict conditional access rules. Require known devices, managed endpoints, or geofencing to limit abuse.
- Run internal phishing simulations using scenarios like this. Show your employees what this looks like before the bad guys do.
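As an added example (not code from the original post), here is a small Python triage script for the log audit step in the checklist above: it runs over constructed sign-in records, pulls out every sign-in that used the device code grant, and flags those that used a client app nobody is expected to use device code with, or that came from a location the user has never signed in from interactively. The field names (authenticationProtocol, appDisplayName, location) are assumed to mirror an Entra ID sign-in log export; adapt them to whatever your IdP produces.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real logs). Field names are assumed to
# mirror an Entra ID sign-in log export; adjust them for your IdP. A device code
# sign-in is assumed to carry authenticationProtocol == "deviceCode".
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "authenticationProtocol": "authorizationCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "location": "GB"},
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7", "location": "RU"},
    {"user": "bob@example.com", "authenticationProtocol": "authorizationCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.22", "location": "GB"},
    {"user": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.22", "location": "GB"},
]

# Client apps this (hypothetical) organisation expects to use device code flow.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def find_device_code_signins(records):
    """Every sign-in that used the device code grant, legitimate or not."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def triage(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Attach a list of suspicion reasons to each device code sign-in.

    Baseline = locations each user has signed in from with a non-device-code
    (interactive) protocol. Device code use from elsewhere, or via an app that
    should never need it, is what the checklist tells you to look for."""
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["user"]].add(r["location"])
    findings = []
    for r in find_device_code_signins(records):
        reasons = []
        if r["appDisplayName"] not in expected_apps:
            reasons.append("unexpected client app: " + r["appDisplayName"])
        if r["location"] not in baseline[r["user"]]:
            reasons.append("location never seen in user's interactive sign-ins")
        findings.append({"user": r["user"], "ip": r["ipAddress"], "reasons": reasons})
    return findings


def suspicious(records):
    """Only the device code sign-ins that tripped at least one reason."""
    return [f for f in triage(records) if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_SIGNINS):
        print(f["user"], f["ip"], "; ".join(f["reasons"]))
```

On the constructed data, bob's Azure CLI sign-in from his usual location is left alone, while alice's device code sign-in via an unexpected app from a new country is reported with both reasons.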
This is the kind of threat that slips through the cracks. And when it does, it becomes a costly incident.
Train the Human Firewall
At the end of the day, attackers keep finding new ways to abuse trust. Device Code Phishing is just the latest tool in the toolbox. It works because people trust what looks familiar. But that trust is exactly what needs to be trained and tested.
Your technical defenses matter, but they’ll never be perfect. The real edge comes when your users know what to look for and when to hit the brakes.
You’ve invested in security infrastructure. Now invest in your people.
If you want help rolling out security awareness modules, simulated attacks, or strengthening your defenses against this method, our phishing protection service has you covered. We’ve got the content and tools ready to go. Stay ahead of this. The bad guys already are.