Device Code Phishing
Status: Scaffold — content in progress
ATT&CK: T1528 — Steal Application Access Token
Platforms: Azure / Entra ID / Any OAuth2 IdP supporting Device Code
Severity: Critical
What It Exploits
The OAuth2 Device Authorization Grant (RFC 8628) is designed for devices without browsers (smart TVs, CLI tools). The device requests a short user_code and a verification URL, the user enters that code on a separate browser-equipped device, and the original device polls the token endpoint until the sign-in completes. The attacker weaponizes this: they initiate the flow themselves, then send the code to the victim via phishing, asking them to "authenticate" or "verify" something. Once the victim authenticates at the URL, the attacker's polling loop receives OAuth tokens.
Key property: No credentials are captured. The victim performs their own authentication (including MFA). The attacker gets a valid, MFA-satisfied access token + refresh token.
Attack Flow
# 1. Attacker initiates device code flow
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode
Body: client_id=<client_id>&scope=openid profile offline_access
# Response includes:
{
"device_code": "LONG_DEVICE_CODE",
"user_code": "XXXX-XXXX",
"verification_uri": "https://microsoft.com/devicelogin"
}
# 2. Attacker sends victim a phishing email:
# "Please authenticate at https://microsoft.com/devicelogin with code XXXX-XXXX"
# 3. Victim authenticates (including MFA)
# 4. Attacker polls for token
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Body: grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=<code>
# 5. Receive access_token + refresh_token
CTI Examples
Storm-0558 (China-attributed) and multiple financially motivated groups have used device code phishing in targeted campaigns against Microsoft 365 users.
Evidence label: Reported | Confidence: High | Source reliability: B1 (Microsoft MSTIC reporting)
Midnight Blizzard (APT29/Cozy Bear): reported use of device code phishing against NGOs, government, and tech sector.
Evidence label: Reported | Confidence: High | Source reliability: B1
Why It's Dangerous
- Bypasses MFA (victim performs MFA themselves)
- No malicious payload — just a URL
- Tokens work from any IP (no device binding without CAE)
- Refresh token provides long-term persistence
Behavioral Indicators
- Sign-in log: authenticationProtocol = deviceCode
- Token request from unfamiliar IP immediately after successful device code auth
- clientAppUsed = Browser but deviceDetail.isCompliant = null or unfamiliar device
- Device code flow used for a user who never normally uses it
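The indicators above combine into one detection: a deviceCode sign-in that deviates from the user's own history. The script below is an added example, not code from the original page; it runs over constructed sign-in records shaped like Entra ID sign-in log entries (field names assumed to follow the Graph signIn resource: userPrincipalName, createdDateTime, ipAddress, authenticationProtocol, clientAppUsed, deviceDetail). It walks the events in time order, builds a per-user baseline of known IPs, known devices and prior device-code usage from earlier events only, and alerts on device-code sign-ins that are the user's first, come from an unfamiliar IP, or arrive from a browser client with no compliant device. Users with too little history are skipped rather than flagged, which is the cold-start case a practitioner has to decide on.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (values are made up for this example). The record's ipAddress is
# assumed to be the address that received the token, i.e. the polling client in a device code flow.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:00:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
     "clientAppUsed": "Browser",
     "deviceDetail": {"isCompliant": True, "deviceId": "dev-alice-1"}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-02T09:05:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"isCompliant": True, "deviceId": "dev-alice-1"}},
    # Suspicious: alice's first ever device code sign-in, browser client, no compliant device, new IP
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-10T14:00:00Z",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "clientAppUsed": "Browser",
     "deviceDetail": {"isCompliant": None, "deviceId": ""}},
    # Benign: bob runs a CLI tool on a server and uses device code routinely from the same IP
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-04-20T08:00:00Z",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "deviceCode",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"isCompliant": True, "deviceId": "dev-bob-srv"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-04-25T08:00:00Z",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "deviceCode",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"isCompliant": True, "deviceId": "dev-bob-srv"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-10T08:00:00Z",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "deviceCode",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"isCompliant": True, "deviceId": "dev-bob-srv"}},
]

# Minimum number of earlier sign-ins a user needs before "unfamiliar" is meaningful (tunable).
MIN_BASELINE_EVENTS = 2


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_device_code_phishing(signins, min_baseline=MIN_BASELINE_EVENTS):
    """Return alerts for deviceCode sign-ins that deviate from the user's own prior sign-ins.

    Baselines are built only from events earlier than the one being scored, so a user's
    first device code sign-in is never hidden by itself.
    """
    known_ips = defaultdict(set)
    known_devices = defaultdict(set)
    device_code_count = defaultdict(int)
    total_count = defaultdict(int)
    alerts = []

    for rec in sorted(signins, key=lambda r: _parse_ts(r["createdDateTime"])):
        user = rec["userPrincipalName"]
        ip = rec["ipAddress"]
        dev = rec.get("deviceDetail") or {}
        device_id = dev.get("deviceId") or ""

        if rec.get("authenticationProtocol") == "deviceCode" and total_count[user] >= min_baseline:
            indicators = []
            if device_code_count[user] == 0:
                indicators.append("first_device_code_signin_for_user")
            if ip not in known_ips[user]:
                indicators.append("unfamiliar_ip")
            if rec.get("clientAppUsed") == "Browser" and dev.get("isCompliant") is None:
                indicators.append("browser_client_without_compliant_device")
            if not device_id or device_id not in known_devices[user]:
                indicators.append("unfamiliar_device")
            if indicators:
                alerts.append({
                    "user": user,
                    "time": rec["createdDateTime"],
                    "ip": ip,
                    "indicators": indicators,
                    # Several independent deviations together are what separates phishing
                    # from a user legitimately trying a CLI tool for the first time.
                    "severity": "high" if len(indicators) >= 2 else "medium",
                })

        # Update the baseline only after scoring, so the current event is not its own history.
        known_ips[user].add(ip)
        if device_id:
            known_devices[user].add(device_id)
        if rec.get("authenticationProtocol") == "deviceCode":
            device_code_count[user] += 1
        total_count[user] += 1

    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_phishing(SAMPLE_SIGNINS):
        print(alert)
```

On the sample data only alice's sign-in is raised, with all four indicators and severity high; bob's routine device code use from a known IP and compliant device produces nothing, and his first two events are used purely to build the baseline. The "unfamiliar_ip" check is the one that maps most directly to the attacker's polling client receiving the token from infrastructure the user has never signed in from.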
Mitigations
- Block device code flow via Conditional Access (if not needed for legitimate use cases)
- Continuous Access Evaluation (CAE) — token revocation on policy change
- User education — device codes should only be used when YOU initiated the flow
Tools
# ROADtools
roadtx device-code -c <client_id> -r https://graph.microsoft.com
Cross-Links
| Topic | Link |
|---|---|
| OAuth2 Protocol | oauth2 |
| Detection | detect-device-code-phishing |
| Cloud Identity Takeover Scenario | cloud-identity-takeover |