
Device Code Phishing Campaign: How Attackers Bypass MFA in 2026

  • Writer: Akshay Jain
  • 17 hours ago
  • 4 min read

The Email That Looked Perfectly Legitimate

A senior analyst at a European think tank received a message on Signal. It appeared to come from a well-known diplomat, someone he'd corresponded with before. The message invited him to an upcoming online conference and shared a link to review the agenda. He clicked, was asked to enter a short code to access the document, completed the familiar-looking Microsoft login, and then moved on with his day.

He had just handed an adversary persistent access to his Microsoft 365 account. No password was stolen. No malware was installed. MFA didn't save him. The attacker was already inside, reading his emails, accessing sensitive policy documents, and using his trusted account to target his colleagues.

This is device code phishing. It's not theoretical. It's active right now, and it's being used by some of the most sophisticated threat actors in the world.


Device Code Phishing

What Is Device Code Phishing?

To understand the attack, you first need to understand the legitimate problem it exploits.

Imagine you want to sign into Netflix on a smart TV. The TV has no keyboard and no easy way to type a complex password and an MFA code. So Netflix shows you a short code, let's say ABCD1234, and tells you to visit a website on your phone or laptop, enter the code, and log in there. Your TV then gets access automatically. That short code is the user code. Behind it, the TV holds a second, longer and secret value, the device code, which it uses to poll the identity provider until you finish signing in. This workflow is the OAuth 2.0 Device Authorization Grant (RFC 8628), usually just called the device code flow. It was designed for convenience on input-limited devices such as smart TVs, printers, and IoT gadgets.

The security flaw: nothing in this flow ties the device that is polling to the person who enters the code. If an attacker can trick you into entering their user code into Microsoft's legitimate sign-in page, the tokens go to whoever holds the matching device code, which is the attacker, not your device. You've authenticated to their session!

That's device code phishing in plain English. The attacker generates the code. You unknowingly authorize it. They get in.


What makes this so dangerous is that MFA doesn't stop it. You complete MFA successfully, you're just completing it for the attacker's session. No phishing website mimicking Microsoft is needed. No credential harvesting. The attacker abuses a legitimate, trusted workflow designed to make your life easier.


How a Device Code Phishing Attack Works

  1. Rapport Building

    1. The attacker contacts the target via email, Signal, WhatsApp, LinkedIn, or Microsoft Teams. They impersonate a trusted person, which could be a colleague, a government official, or a conference organizer. The initial contact is benign, designed to build credibility before the actual attack.

  2. The Lure

    1. After trust is established, the attacker sends a meeting invitation or a link to a shared document. The message creates urgency or relevance in the form of a salary report, a conference agenda, a government briefing, and so on.

  3. Device Code Generation

    1. Behind the scenes, the attacker initiates an OAuth device authorization request to Microsoft's identity platform using a legitimate client ID. Microsoft returns:

      1. A device code: a longer, secret token that the attacker keeps and uses to poll the token endpoint

      2. A user code: the short code the attacker forwards to the victim in the lure

      3. A verification URL: https://microsoft.com/devicelogin (the real Microsoft site)

      4. An expiration window: typically 15 minutes, within which the victim must enter the user code

  4. Victim Interaction

    1. The victim clicks the link and is directed to Microsoft's legitimate authentication page. They enter the user code provided in the lure message, complete their normal sign-in including MFA, and believe they've accessed a shared document.

  5. Token Capture

    1. Microsoft pairs the user code to the device code. Since the attacker is polling Microsoft's token endpoint with their device code, they receive the victim's access token and refresh token the moment authentication completes.

  6. Persistent Access

    1. With a valid refresh token, the attacker maintains access even after the original access token expires. They can read emails, access SharePoint, Teams messages, OneDrive files and use the compromised account to launch phishing attacks against the victim's contacts from a trusted internal address.
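The exchange from the Netflix analogy and from steps 3 to 5 above, as an added example that is not part of the original post and is not Microsoft's implementation. The AuthServer class is a toy identity provider that runs in-process; its endpoint names mirror RFC 8628, the client ID and the verification URL are placeholders, and the tokens are random strings. The point it demonstrates is the one the post makes: the /token endpoint hands the tokens to whoever presents the device code, and never asks whether that party is the person who typed the user code.

```python
"""Simulated OAuth 2.0 Device Authorization Grant (RFC 8628) run as a device code
phishing attack. Added example; toy server, not Microsoft's code."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DEVICE_CODE_TTL = 15 * 60   # seconds; the post cites a typical 15-minute window
POLL_INTERVAL = 5           # seconds between polls, as returned to the client


@dataclass
class PendingGrant:
    device_code: str                    # long secret, held by whoever started the flow
    user_code: str                      # short code shown to the human
    client_id: str
    scope: str
    expires_at: float
    authorized_by: Optional[str] = None  # set once a user enters the user_code
    tokens: Optional[dict] = None


class AuthServer:
    """Toy identity provider. `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: called by whoever wants a grant (here, the attacker)."""
        grant = PendingGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=secrets.token_hex(4).upper(),
            client_id=client_id, scope=scope,
            expires_at=self.now() + DEVICE_CODE_TTL,
        )
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[grant.user_code] = grant
        return {
            "device_code": grant.device_code,
            "user_code": grant.user_code,
            "verification_uri": "https://example.test/devicelogin",  # placeholder for the real IdP page
            "expires_in": DEVICE_CODE_TTL,
            "interval": POLL_INTERVAL,
        }

    def devicelogin(self, user_code: str, upn: str, mfa_passed: bool) -> str:
        """The page the victim visits. It checks the code and MFA, but not who is polling."""
        grant = self.by_user_code.get(user_code.upper())
        if grant is None or self.now() > grant.expires_at:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        grant.authorized_by = upn
        grant.tokens = {
            "access_token": "at." + secrets.token_hex(8),
            "refresh_token": "rt." + secrets.token_hex(8),
            "sub": upn,
            "scope": grant.scope,
        }
        return "authorized"

    def token(self, device_code: str) -> dict:
        """POST /token with grant_type=device_code: polled by the holder of device_code."""
        grant = self.by_device_code.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self.now() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.tokens is None:
            return {"error": "authorization_pending"}
        return grant.tokens


def run_attack(server: AuthServer, victim_upn: str) -> dict:
    """End to end: attacker requests codes, victim approves at the real page, attacker polls."""
    # Step 3: the attacker starts the flow with a legitimate-looking (here hypothetical) client ID.
    resp = server.device_authorization(client_id="hypothetical-public-client",
                                       scope="Mail.Read offline_access")
    # Step 4: only verification_uri and user_code go into the lure; polling is still pending.
    first_poll = server.token(resp["device_code"])
    assert first_poll == {"error": "authorization_pending"}
    # The victim opens the legitimate login page, types the user code, completes MFA.
    outcome = server.devicelogin(resp["user_code"], upn=victim_upn, mfa_passed=True)
    # Step 5: the attacker's next poll returns the victim's access and refresh tokens.
    tokens = server.token(resp["device_code"])
    return {"login_outcome": outcome, "tokens": tokens}


if __name__ == "__main__":
    print(run_attack(AuthServer(), "analyst@thinktank.example"))
```

Note that the victim never sees the device code and the server never sees the victim's device; the only binding is the user_code to device_code lookup, which is exactly what the phished victim completes on the attacker's behalf. The refresh_token in the result is what step 6 relies on for persistence.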


SOC Workflow: Incident Response for Device Code Phishing

  • Detect: Alert on sign-ins that used the device code flow (Entra sign-in logs record this as authentication protocol "deviceCode") from an anomalous IP, location, or device, or from a user who doesn't own input-limited devices

  • Contain: Immediately revoke the user's refresh tokens and sessions. Revoke-AzureADUserAllRefreshToken belongs to the deprecated AzureAD PowerShell module; use Revoke-MgUserSignInSession from Microsoft Graph PowerShell, or the Revoke sessions action on the user's page in the Entra admin center. Revocation kills the refresh token, but an already-issued access token stays valid until it expires, so act on the other steps in parallel rather than waiting

  • Investigate: Review the user's sign-in logs around the device code authentication (the 15-minute code lifetime is a useful starting window) and identify what was accessed (email, OneDrive, Teams)

  • Scope: Check if the compromised account sent further phishing messages internally as this is a common lateral movement technique

  • Remediate: Force password reset, re-enroll MFA, review and revoke any OAuth app consents granted during the session
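The Detect and Investigate steps above, as an added example that is not part of the original post. The sign-in records are constructed, not real logs; their field names (userPrincipalName, ipAddress, authenticationProtocol, createdDateTime, appDisplayName, location) follow the Microsoft Graph signIn resource, which is what an export from the Entra sign-in logs gives you. The allowlist of accounts that legitimately use the flow, the corporate egress range, and the expected countries are assumptions a SOC would replace with its own values.

```python
"""Hunt for device code sign-ins in exported Entra ID sign-in records and pull the
investigation window around each hit. Added example; sample data is constructed."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (a subset of Graph signIn fields), not real logs.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T09:14:03Z", "userPrincipalName": "analyst@thinktank.example",
     "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "RU"}},
    {"createdDateTime": "2026-03-02T09:20:41Z", "userPrincipalName": "analyst@thinktank.example",
     "ipAddress": "198.51.100.8", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "location": {"countryOrRegion": "BE"}},
    {"createdDateTime": "2026-03-02T10:02:00Z", "userPrincipalName": "av-room@thinktank.example",
     "ipAddress": "198.51.100.20", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Teams Rooms", "location": {"countryOrRegion": "BE"}},
    {"createdDateTime": "2026-03-02T10:05:12Z", "userPrincipalName": "cfo@thinktank.example",
     "ipAddress": "192.0.2.9", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "BE"}},
]

# Assumed tuning knobs: accounts that legitimately own input-limited devices,
# corporate egress ranges, and countries where the organisation actually has staff.
DEVICE_CODE_ALLOWLIST = {"av-room@thinktank.example"}
CORPORATE_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_COUNTRIES = {"BE", "FR", "DE"}


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def score_device_code_signin(rec: dict) -> list:
    """Reasons a single deviceCode sign-in looks anomalous; an empty list means benign."""
    reasons = []
    if rec["userPrincipalName"] not in DEVICE_CODE_ALLOWLIST:
        reasons.append("user not expected to use device code flow")
    ip = ipaddress.ip_address(rec["ipAddress"])
    if not any(ip in net for net in CORPORATE_EGRESS):
        reasons.append("non-corporate IP " + str(ip))
    country = (rec.get("location") or {}).get("countryOrRegion")
    if country not in EXPECTED_COUNTRIES:
        reasons.append("unexpected country " + str(country))
    return reasons


def hunt(signins: list) -> list:
    """Detect: every deviceCode sign-in that has at least one anomaly reason."""
    hits = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = score_device_code_signin(rec)
        if reasons:
            hits.append({"user": rec["userPrincipalName"],
                         "time": rec["createdDateTime"],
                         "app": rec.get("appDisplayName"),
                         "reasons": reasons})
    return hits


def investigation_window(signins: list, hit: dict, minutes: int = 15) -> list:
    """Investigate: the same user's sign-ins within +/- `minutes` of the hit, for triage."""
    t0 = _parse_ts(hit["time"])
    window = timedelta(minutes=minutes)
    return [r for r in signins
            if r["userPrincipalName"] == hit["user"]
            and abs(_parse_ts(r["createdDateTime"]) - t0) <= window]


if __name__ == "__main__":
    for h in hunt(SAMPLE_SIGNINS):
        print(h["user"], h["time"], h["reasons"])
        for r in investigation_window(SAMPLE_SIGNINS, h):
            print("   ", r["createdDateTime"], r["authenticationProtocol"], r["ipAddress"], r["appDisplayName"])
```

The allowlisted Teams Rooms account is the kind of legitimate device code user the post mentions; it scores clean, while the analyst's sign-in from an unexpected country and the CFO's sign-in from a non-corporate address both surface. In Microsoft Sentinel the same first filter is a one-liner over the SigninLogs table on the AuthenticationProtocol column; the scoring is where your environment's knowledge goes.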


Device code phishing is a masterclass in attacker creativity. The fact that it requires no malware, no credential harvesting, and produces no phishing website for email filters to catch makes it one of the most operationally elegant attack techniques active today.

The uncomfortable truth is that MFA, the security control most organizations treat as a near-complete answer to credential theft, does nothing here. That includes phishing-resistant MFA: the victim really is authenticating at the legitimate sign-in page, so origin binding has nothing to object to. As threat actors continue evolving toward passwordless phishing techniques that abuse legitimate authentication infrastructure, defenders have to evolve alongside them. The perimeter has moved to identity, and identity requires its own defense in depth.

Block device code flow with a Conditional Access policy (the Authentication flows condition) for everyone who doesn't need it, and require compliant devices where you can. Enforce phishing-resistant MFA to close the adjacent credential-theft routes. Hunt in your sign-in logs. The logs are already telling you the story, the question is whether your SOC is listening!?


Happy cyber-exploration! 🚀🔒


Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don't forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let's keep the conversation going and make cybersecurity a community effort!


-AJ
