OAuth Device Code Phishing: How Attackers Steal Tokens Without Passwords
Device code phishing is a token theft technique that exploits the OAuth 2.0 Device Authorization Grant, a flow legitimately designed for smart TVs, printers, and other input-constrained devices. The attack requires no malware, captures no passwords, and bypasses MFA entirely because the victim performs the authentication themselves on a legitimate Microsoft or Google login page. The attacker simply receives the resulting tokens.
Microsoft tracked threat group STORM-2372 conducting large-scale device code phishing campaigns throughout 2025, targeting government agencies, defense contractors, and enterprise organizations. The technique is now part of the standard playbook for nation-state and financially motivated threat actors operating against Microsoft 365 and Entra ID environments.
How the Device Authorization Grant Flow Works (and How It Gets Abused)
Understanding the attack requires understanding the legitimate flow first.
Legitimate device authorization flow:
- A device (smart TV, CLI tool, IoT device) that cannot display a browser requests authorization from an OAuth provider. It sends a request to the device authorization endpoint.
- The OAuth provider returns: a
device_code(server-side), auser_code(human-readable, e.g.,ABCD-EFGH), averification_uri(e.g.,microsoft.com/devicelogin), and an expiry (typically 15 minutes). - The device displays:
Visit microsoft.com/devicelogin and enter code ABCD-EFGH - The user opens the URL on another device (phone or computer), enters the code, and completes authentication including MFA.
- The device polls the token endpoint and, once the user completes authentication, receives the access token and refresh token.
How attackers abuse this flow:
- The attacker, not a device, initiates the device authorization request. They register an Azure AD application or use an existing Microsoft first-party application client ID (which has broad default permissions).
- The attacker receives the
user_codeandverification_uriand sends these to the victim via phishing email, Teams message, WhatsApp, or SMS. Common lures:Your Microsoft Teams session has expired. Go to microsoft.com/devicelogin and enter ABCD-EFGH to reconnect. - The victim, seeing a legitimate Microsoft URL, opens it on their work device, enters the code, and completes MFA as prompted.
- The attacker's polling request receives the access token and refresh token. From this point, the attacker has authenticated access to the victim's account without ever touching the victim's password or device.
Why MFA does not help: The victim completes MFA successfully as part of the device code flow. MFA proves that the person entering the code is who they claim to be. It does not validate who initiated the device authorization request. The attacker receives the tokens because they initiated the flow, not because they bypassed MFA.
Why this is worse than credential phishing: Traditional credential phishing captures a password and an MFA code (if using legacy MFA). Organizations can detect and respond by resetting the password. Device code phishing produces refresh tokens valid for up to 90 days in Entra ID default configuration. Even after the victim changes their password, the refresh token remains valid until it expires or is explicitly revoked. The attacker maintains persistent access.
Real-World Attack Campaigns and Threat Actor Usage
Device code phishing moved from proof-of-concept to active exploitation by well-resourced threat actors between 2024 and 2026.
STORM-2372 (Microsoft designation, 2025): Microsoft identified this threat group, assessed with moderate confidence to have ties to Russian state interests, conducting widespread device code phishing campaigns against government agencies, NGOs, and enterprises across Europe, North America, and Asia. The group sent phishing messages via Microsoft Teams, WhatsApp, and email impersonating Microsoft support. Targets were instructed to visit the legitimate microsoft.com/devicelogin URL and enter attacker-supplied codes. The group obtained access to Microsoft 365 email, Teams messages, SharePoint documents, and OneDrive content.
Cozy Bear / APT29 variations: APT29 has used device code phishing variants targeting government and diplomatic targets, as documented by Volexity and multiple national CERTs. The group combined device code phishing with Microsoft 365 API access to silently exfiltrate emails matching specific keywords without triggering traditional inbox rule alerts.
Financially motivated BEC campaigns: Device code phishing has been adopted by business email compromise (BEC) groups as a more persistent alternative to password spraying. After obtaining tokens, attackers access the victim's email, identify financial approval workflows, and insert themselves into wire transfer conversations. The 90-day refresh token window gives BEC actors weeks to execute the fraud without triggering re-authentication.
Expansion beyond Microsoft: The same technique applies to any OAuth provider that implements the Device Authorization Grant, including Google Workspace. Attacks against Google accounts have been documented targeting organizations that use Google Workspace for email and collaboration.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Detection: KQL Queries and Signals to Hunt For
Device code phishing leaves specific signals in Entra ID sign-in logs that differ from normal interactive authentication. The following Microsoft Sentinel KQL queries identify suspicious patterns.
Query 1: Device code sign-ins from unusual locations
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| where ResultType == 0
| summarize
SignInCount = count(),
Locations = make_set(Location),
IPAddresses = make_set(IPAddress)
by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(Locations) > 1
or SignInCount > 3
This detects accounts completing device code authentication from multiple geographic locations within an hour, or with unusually high frequency.
Query 2: Device code sign-in followed by API-based mail access
SigninLogs
| where AuthenticationProtocol == "deviceCode" and ResultType == 0
| join kind=inner (
OfficeActivity
| where Operation in ("MailItemsAccessed", "SearchQueryInitiated")
| where ClientInfoString has "REST"
) on $left.UserPrincipalName == $right.UserId
| where OfficeActivity.TimeGenerated between (
SigninLogs.TimeGenerated .. SigninLogs.TimeGenerated + 1h
)
| project UserPrincipalName, SignInTime=TimeGenerated,
MailAccessTime=OfficeActivity.TimeGenerated,
Operation, IPAddress
This correlates device code authentication with programmatic REST API mail access in the following hour, a common post-exploitation pattern.
Query 3: Impossible travel following device code authentication
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| order by UserPrincipalName, TimeGenerated asc
| extend PrevLocation = prev(Location),
PrevTime = prev(TimeGenerated),
PrevUser = prev(UserPrincipalName)
| where UserPrincipalName == PrevUser
| where Location != PrevLocation
| where datetime_diff('hour', TimeGenerated, PrevTime) < 6
Alert on device code authentication for high-value accounts: For privileged accounts (Global Admin, Security Admin, Exchange Admin, Privileged Role Administrator), alert on any device code authentication attempt, successful or failed. Legitimate device code usage by privileged accounts is rare and should always be investigated.
Prevention Controls: Blocking Device Code Phishing
Several controls in Entra ID and Microsoft 365 directly reduce device code phishing risk. Implement them in order of effectiveness.
Block device code authentication flow via Conditional Access
Microsoft added Conditional Access support for filtering by authentication flow in 2024. Create a Conditional Access policy: Assignments: All users (or targeted high-risk groups); Conditions: Authentication flows = Device code flow; Grant: Block access. This prevents device code authentication entirely for covered users. The tradeoff: legitimate device code use cases (some CLIs, IoT tools) will break. Audit device code usage first to identify legitimate use before blocking. For privileged accounts, block unconditionally.
Restrict device code flow to managed devices only
If blocking device code entirely is not feasible, restrict it to Entra ID joined or Intune-compliant devices. Create a Conditional Access policy requiring device compliance as a condition for device code flow. This does not eliminate the attack (an attacker-initiated code can still be entered from a managed device) but significantly raises the bar because the victim must be on a managed endpoint.
Apply Conditional Access to restrict token lifetime and refresh token reuse
Configure Token Protection (preview as of 2026) in Conditional Access to bind refresh tokens to the specific device and session that generated them. A token stolen by an attacker becomes unusable on a different device. Also configure sign-in frequency to require re-authentication for sensitive resources (SharePoint, Exchange) every 8-24 hours, limiting the window in which stolen refresh tokens are useful.
Deploy phishing-resistant MFA (FIDO2 or Certificate-Based Auth)
While phishing-resistant MFA does not prevent device code phishing directly (the victim still completes authentication), it reduces the overall credential attack surface and is a prerequisite for future Conditional Access controls that tie authentication strength to session risk. Organizations fully deployed on FIDO2 passkeys also benefit from browser-level origin checking that makes traditional credential phishing impossible in parallel.
User awareness training specifically on device code lures
Train users on the specific device code phishing lure pattern: unsolicited messages (email, Teams, WhatsApp) asking them to visit microsoft.com/devicelogin or accounts.google.com/device and enter a code. Emphasize that this request pattern is a phishing indicator when it arrives unsolicited. Users who initiate a device code flow themselves (e.g., setting up a CLI tool) should not be concerned, but unsolicited codes should be reported to the security team immediately.
Monitor and alert on application consent grants
Device code phishing often involves the attacker registering a multi-tenant Azure AD application and using its client ID in the device authorization request. Monitor for consent grant events where users approve permissions for third-party applications. Alert on: new application consent by non-admin users, consent grants to applications requesting Mail.Read, Mail.ReadWrite, Calendars.Read, or Files.Read.All permissions, and consent grants from applications registered in foreign tenants.
Incident Response: What to Do When Device Code Phishing Succeeds
If you detect a device code phishing compromise, the response must address token persistence, not just account credentials.
Step 1: Revoke all refresh tokens for the affected account. In Entra ID: Revoke-AzureADUserAllRefreshTokens -UserId user@domain.com or via the Microsoft 365 admin portal: Users > Select user > Sign out. This invalidates all refresh tokens immediately, ending the attacker's session. Note: this also signs the legitimate user out of all sessions.
Step 2: Review and revoke OAuth application consents. In Entra ID admin portal, navigate to the affected user's account and review App registrations and consented permissions. Revoke consent for any applications the user did not intentionally authorize. Look for applications registered in external tenants.
Step 3: Review mail access and exfiltration. Pull Unified Audit Log entries for the affected account for the period from the device code sign-in to revocation. Look for MailItemsAccessed events with REST client strings, SearchQueryInitiated events (indicating keyword searches of the mailbox), and unusual file access in SharePoint or OneDrive.
Step 4: Check for inbox rules and forwarding. Attackers frequently create inbox rules to forward emails or hide their activity. Review mail forwarding rules and inbox rules for the compromised account. Also check for new applications with delegated permissions to the account.
Step 5: Assess blast radius. If the compromised account had access to sensitive data (financial systems, HR data, M&A documents, executive communications), assess what was accessed and notify legal and privacy teams for potential breach notification obligations.
The bottom line
Device code phishing is effective because it abuses a legitimate protocol, requires no malware, and produces tokens that persist long after the initial compromise. The definitive prevention control is a Conditional Access policy that blocks the device authorization flow for users who do not have a legitimate business need for it. For organizations where blocking is not immediately feasible, combining strict token lifetime policies, phishing-resistant MFA, and specific detection queries gives defenders a fighting chance. Given that refresh tokens are valid for up to 90 days by default, every day without controls is a day an attacker could be silently maintaining access.
Frequently asked questions
Does phishing-resistant MFA (FIDO2 or passkeys) prevent device code phishing?
Not directly. Device code phishing does not capture credentials or TOTP codes. The victim completes authentication, including MFA, successfully on a legitimate login page. Phishing-resistant MFA prevents credential phishing and AiTM proxy attacks but does not block device code phishing because the authentication itself is legitimate. The prevention control for device code phishing is blocking or restricting the device authorization flow via Conditional Access, not the choice of MFA method.
How long does a stolen refresh token remain valid?
In Entra ID default configuration, refresh tokens are valid for 90 days of inactivity. As long as the attacker uses the refresh token at least once every 90 days, they can continuously obtain new access tokens. If token protection is not enabled, the refresh token is also device-agnostic and can be used from any device or IP address. This is why revoking refresh tokens immediately upon detecting compromise is critical, not just resetting the password.
What are the legitimate use cases for the OAuth device authorization flow?
The device code flow was designed for: smart TVs and streaming devices (signing into Netflix or YouTube on a TV using a phone), CLI tools and developer tools (Azure CLI, AWS CLI, GitHub CLI authenticate using device code flow), network printers and scanners, IoT devices without keyboards, and gaming consoles. Before blocking the flow via Conditional Access, audit which users and applications currently use it legitimately. Most enterprise users have no legitimate need for device code authentication from their laptops.
How do attackers initiate the device code flow? Do they need an Azure app registration?
Attackers can use Microsoft's own first-party application client IDs (Microsoft Office, Microsoft Teams, Azure PowerShell) which have broad default delegated permissions and do not require attacker-controlled app registration. This means there is no consent prompt for the victim to approve when using well-known client IDs, making the flow look identical to a legitimate Microsoft tool authentication. Detecting attacker-controlled custom app registrations is easier than detecting abuse of first-party client IDs.
Can device code phishing be used against Google Workspace?
Yes. Google's OAuth implementation supports the Device Authorization Grant (RFC 8628) for Google accounts. Device code phishing attacks against Google Workspace are documented, particularly targeting organizations in the technology and academic sectors. The same detection and prevention principles apply: monitor for device flow authentication in Google Workspace audit logs, restrict device authorization in Google Workspace Admin console, and train users to treat unsolicited device code requests as phishing indicators.
What Microsoft Sentinel or Defender alerts detect device code phishing?
Microsoft Sentinel has built-in analytics rules: 'Sign-ins using the device code grant flow detected' under the Identity category. Microsoft Entra ID Protection also generates risk signals for 'Anomalous token' when refresh tokens are used from different devices or locations than where they were issued. Enable both and create playbooks that automatically revoke sessions for high-risk device code sign-in alerts. Supplement with the custom KQL queries covering impossible travel and API mail access correlation described in this guide.
Is this the same as OAuth consent phishing?
Related but distinct. OAuth consent phishing tricks a victim into approving permission grants for a malicious app in Azure AD, giving the attacker an application token. Device code phishing tricks the victim into completing the device authorization flow, giving the attacker a user delegation token. Device code phishing is harder to detect because it uses legitimate Microsoft flows and does not require the victim to approve unfamiliar application permissions. Both attacks result in persistent token-based access; device code phishing is more recent and currently less well-defended.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, weekly, no spam.
Unsubscribe anytime. We never sell your data.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
The Mythos Brief is free.
AI that finds 27-year-old zero-days. What it means for your security program.