Beware of Device Code Phishing – Source: www.darkreading.com

Source: www.darkreading.com – Author: Stu Sjouwerman

Stu Sjouwerman, Founder & Executive Chairman, KnowBe4, Inc.

June 4, 2025

COMMENTARY

Device codes are alphanumeric or numeric codes used to authenticate an account on a device that lacks a standard login interface such as a browser, or that has limited input capability, where requiring the user to type credentials is impractical. Such use cases include Internet of Things (IoT) devices, streaming apps like Netflix and Apple TV, and cloud applications. Device code authentication specifically binds the authentication to a particular device.

How Attackers Use Device Code Phishing

Threat actors use an application or service to generate a device code on a device they control, then deceive victims into entering that attacker-generated code through the service’s legitimate authentication page. This deception typically occurs through emails that seem to be from IT support, Microsoft Teams meeting invites, or other messages marked as “urgent.”

How Attackers Exploit Device Code Phishing

After the victim opens the authentication page and enters the code, they are prompted to authenticate with their real credentials and multifactor authentication (MFA). After a successful sign-in, the service provider issues access and refresh tokens. The attacker collects these tokens to gain unauthorized access to the victim’s account, permitting lateral movement in the environment to other services linked to the user without requiring a password.

Traditional phishing scams involving stolen usernames and passwords can be countered with MFA and conditional access policies. Device code phishing, however, relies on a stolen authenticated token, so the attacker does not need to meet conditional access controls or present MFA credentials to gain access to the victim’s account. The additional benefit of refresh tokens is that they allow attackers persistent access to victim accounts even after the initial authentication.
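To make the mechanism above concrete, here is an added, constructed model of the OAuth 2.0 Device Authorization Grant (RFC 8628) that is not part of the original article or any identity provider's code. The class and function names, the placeholder verification URI, and the 15-minute code lifetime are my assumptions; the point it shows is that the token endpoint answers whoever holds the device_code, regardless of who completed MFA.

```python
import secrets
import time
# Minimal model of the OAuth 2.0 Device Authorization Grant (RFC 8628), written for this
# article to show why device code phishing works: tokens go to whoever holds the
# device_code, not to the browser session that completed MFA. Constructed illustration,
# not any identity provider's real code; the class and function names are mine.
USER_CODE_TTL = 900  # seconds; chosen by the server, 15 minutes is a common value

class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be exercised
        self.by_device, self.by_user_code = {}, {}

    def device_authorization(self, requester: str) -> dict:
        """Step 1: the requesting device (attacker-controlled in a phish) obtains both codes."""
        g = {"device_code": secrets.token_urlsafe(32),        # secret, only the requester sees it
             "user_code": f"{secrets.randbelow(10**9):09d}",  # short code the human types in
             "requester": requester, "issued_at": self.now(), "approved_by": None}
        self.by_device[g["device_code"]] = self.by_user_code[g["user_code"]] = g
        return {"device_code": g["device_code"], "user_code": g["user_code"], "interval": 5,
                "verification_uri": "https://idp.example/device", "expires_in": USER_CODE_TTL}

    def _expired(self, g: dict) -> bool:
        return self.now() - g["issued_at"] > USER_CODE_TTL

    def verify_user_code(self, user_code: str, authenticated_user: str) -> str:
        """Step 2: a human completes MFA on the legitimate page and types the code; nothing ties them to the requester."""
        g = self.by_user_code.get(user_code)
        if g is None or self._expired(g):
            return "invalid_or_expired_code"
        g["approved_by"] = authenticated_user
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3: the requesting device polls; once approved it receives the approver's tokens."""
        g = self.by_device.get(device_code)
        if g is None:
            return {"error": "invalid_grant"}
        if self._expired(g):
            return {"error": "expired_token"}
        if g["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"at-for-{g['approved_by']}",
                "refresh_token": f"rt-for-{g['approved_by']}", "issued_to": g["requester"]}

def phishing_scenario() -> dict:
    # Requester and approver differ, yet the requester receives the approver's tokens.
    idp = AuthorizationServer()
    codes = idp.device_authorization(requester="requesting-host")
    idp.verify_user_code(codes["user_code"], "victim@example.com")
    return idp.token(codes["device_code"])
```

The expiry branches show the one control the protocol itself offers: a code that is not redeemed within the server's lifetime window yields nothing to the requester.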

Why Device Code Phishing Is Growing in Popularity Among Attackers

Device code phishing is particularly dangerous because the technique doesn’t involve any malicious links or attachments that the victims must click for the attack to progress to the next level. Victims are required to input the device code and credentials into a legitimate login page, a method that makes it more challenging to recognize as an attack.

The attack is mostly successful because it is based exclusively on user habits. Individuals have grown used to authentication prompts from collaboration tools such as Microsoft Teams, so they will not normally question a request for authentication via device code.

Examples of Device Code Phishing Attacks

We have witnessed some high-profile device code phishing attacks and vulnerabilities in recent years. Some of these include:

APT29, also known as Cozy Bear, a Russian state-sponsored cyber-espionage group affiliated with the Foreign Intelligence Service (SVR), has been actively exploiting Microsoft Azure environments using malicious OAuth device code phishing. By deceiving victims into inadvertently authenticating the attacker’s device, APT29 used this technique to gain entry to diplomatic organizations and corporations, harvesting information without raising standard security alerts.

The Storm-2372 campaign is a device code phishing operation conducted by a Russia-linked threat actor that has targeted governments, NGOs, and various industries across several regions since August 2024. The campaign attacks Microsoft Entra ID and other authentication services. The attackers send fake Microsoft Teams meeting invites or impersonate platforms such as WhatsApp and Signal to trick victims into authorizing a device code that the attackers then abuse.

Mitigation Strategies Used Against Device Code Phishing

  1. User training: User training is still the best defense against social engineering attacks. Device code phishing scenarios should be added to simulated phishing campaigns to assess employee susceptibility and enhance overall resilience. Employees can be trained never to authorize unknown devices, to identify phishing attempts that request authentication outside the anticipated workflows, and to report or confirm unusual authentication requests with IT before acting. Effective training equips users to be wary of unexpected requests to approve a device code, especially when they did not initiate any process that requires one. It is uncommon for users to legitimately approve a device code sent to them without first having attempted to log in to a service on a new device, which is where a device code would normally be requested.

  2. Enforce conditional access: Conditional access policies can block or prevent logins from unknown locations or devices, or following repeated failed attempts. They must be set to enforce device compliance requirements, geolocation restrictions to block sign-in from unexpected areas, application control policies to block access from unauthorized applications or non-corporate browsers, and risk-based authentication that requires additional verification when sign-in behavior is outside a user’s typical patterns.

  3. Track OAuth activity: Leverage products such as Microsoft Defender for Cloud Apps, which offers rich visibility into OAuth token issuances, enabling organizations to detect anomalies such as unexpected consent grants, suspicious application activity, and unauthorized access attempts.
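As an added illustration of the kind of anomaly tracking this item describes (my own sketch, not Microsoft's or KnowBe4's code), the function below runs two heuristics over constructed sign-in records: a device code sign-in from a country absent from the user's ordinary sign-in baseline, and one source IP completing device code sign-ins for several different users. The field names follow the Microsoft Graph signIn resource as I understand it, with authenticationProtocol set to "deviceCode"; the records, IPs and the "ZZ" country code are constructed placeholders.

```python
from collections import defaultdict

# Detection sketch written for this article (not Microsoft's or KnowBe4's code): flag device
# code sign-ins that do not fit the user's normal footprint. Field names follow the Microsoft
# Graph signIn resource as I understand it (authenticationProtocol == "deviceCode");
# the records are constructed sample data, and "ZZ" is a placeholder country code.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-06-02T08:01:00Z", "userPrincipalName": "ana@corp.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.10",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2025-06-04T10:12:00Z", "userPrincipalName": "ana@corp.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77",
     "location": {"countryOrRegion": "ZZ"}, "appDisplayName": "ConstructedPublicClient"},
    {"createdDateTime": "2025-06-04T10:14:00Z", "userPrincipalName": "bo@corp.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77",
     "location": {"countryOrRegion": "ZZ"}, "appDisplayName": "ConstructedPublicClient"},
    {"createdDateTime": "2025-05-20T09:00:00Z", "userPrincipalName": "cy@corp.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.22",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Outlook"},
    {"createdDateTime": "2025-06-01T09:00:00Z", "userPrincipalName": "cy@corp.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.22",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Meeting room device"},
]

def find_suspicious_device_code_signins(signins, shared_ip_threshold=2):
    """Return (subject, reason) findings from two heuristics:
    1. a deviceCode sign-in from a country absent from that user's non-deviceCode baseline;
    2. one source IP completing deviceCode sign-ins for several distinct users, the
       pattern of a single operator redeeming codes phished from many victims."""
    baseline = defaultdict(set)  # user -> countries seen in ordinary (non-device-code) sign-ins
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    users_by_ip, findings = defaultdict(set), []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        users_by_ip[s["ipAddress"]].add(user)
        if country not in baseline[user]:
            findings.append((user, f"deviceCode sign-in from {country}; baseline is "
                                   f"{sorted(baseline[user]) or 'empty (no prior sign-ins)'}"))
    for ip, users in users_by_ip.items():
        if len(users) >= shared_ip_threshold:
            findings.append((ip, f"deviceCode sign-ins for {len(users)} users from one IP: {sorted(users)}"))
    return findings
```

The meeting-room sign-in for cy@corp.example is deliberately left unflagged: device code sign-ins are legitimate for input-limited hardware, so the baseline comparison is what separates expected use from a redeemed phished code.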

  4. Enforce least privilege access: Examine and limit the scope of OAuth grants so that applications receive only the permissions they actually need. Routine audits of OAuth-linked applications can remove unneeded or high-risk third-party integrations.

  5. Revoke unused OAuth tokens: Set OAuth tokens to expire after a brief duration to reduce the threat of long-term unauthorized access. Workflows can be configured to detect inactive or stale tokens and automatically revoke them. Require users to reauthenticate from time to time to prevent unauthorized persistence.

(The five mitigations listed above primarily apply to Microsoft 365 platforms and/or sites and services that utilize OAuth, but not necessarily to all apps and services that use device codes.)

Conclusion

Unlike conventional credential-harvesting phishing, where victims must visit a phishing site before an attacker can capture credentials, device code phishing merely asks victims to enter a code on a valid Microsoft page — something they are already trained to do in legitimate authentication processes — leading users to enter valid device codes that link the attacker’s device to their account. Countermeasures such as imposing conditional access, auditing OAuth activity, and educating users about unsolicited authentication requests can significantly reduce the risk. Even though device codes increase convenience, their vulnerability to phishing highlights the importance of robust authentication measures.

About the Author

Stu Sjouwerman

Founder & Executive Chairman, KnowBe4, Inc.

Stu Sjouwerman (pronounced “shower-man”) is founder and executive chairman of KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management with over 70,000 customers and more than 60 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, he was co-founder of Sunbelt Software, the anti-malware software company that was acquired in 2010. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses.

Original Post URL: https://www.darkreading.com/vulnerabilities-threats/beware-device-code-phishing