TL;DR: Device code phishing abuses the OAuth device code flow so victims authenticate on Microsoft's real login page while attackers receive valid access tokens, and Microsoft says the technique has moved from STORM-2372 tradecraft to EvilTokens PhaaS in under a year. Access review cycles assume compromise looks like credential theft, but this pattern turns legitimate sign-in into token theft with little to inspect.
NHIMG editorial — based on content published by Silverfort: device code phishing and Microsoft Entra ID token abuse
By the numbers:
- The EvilTokens PhaaS toolkit runs 10 to 15 distinct campaigns every 24 hours.
Questions worth separating out
Q: How should security teams handle device code phishing when users complete real Microsoft MFA?
A: Treat it as a token abuse incident, not a password compromise.
Q: Why do device code phishing attacks bypass many standard phishing controls?
A: They use the real Microsoft login page, so there is no fake domain, no malicious payload, and no obvious infrastructure to block.
Q: What breaks when device code flow is left enabled for the broad workforce?
A: The organisation creates an unnecessary path for attackers to turn user approval into access tokens without capturing passwords.
Practitioner guidance
- Block device code flow for users without a documented business need. Use Conditional Access to deny device code authentication for the broad workforce, then create narrow exceptions only for approved CLI, headless, or device-constrained workflows.
- Hunt non-interactive sign-ins after any suspicious device code approval. Correlate successful device-code logins with later non-interactive token activity, unusual geography, and first-party client use such as Azure CLI or Microsoft Office.
- Treat token revocation and role removal as one containment step. When device code phishing is suspected, revoke access, disable the account if required, remove role assignments, and review OAuth consents and recent device registrations.
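The hunt step above, as an added example that is not part of this post or Silverfort's analysis: it correlates each successful interactive device-code sign-in with later non-interactive sign-ins for the same user from a different IP or country. The records are constructed and only loosely modelled on Entra ID sign-in log fields (AuthenticationProtocol, IsInteractive, IPAddress, AppDisplayName, ResultType); the field names and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data). "protocol" mirrors
# the Entra AuthenticationProtocol value "deviceCode"; "result" "0" is success.
SAMPLE_SIGNINS = [
    {"time": "2025-03-04T09:12:00", "user": "alice@example.com",
     "protocol": "deviceCode", "interactive": True, "ip": "203.0.113.10",
     "country": "GB", "app": "Microsoft Office", "result": "0"},
    {"time": "2025-03-04T09:14:30", "user": "alice@example.com",
     "protocol": "none", "interactive": False, "ip": "198.51.100.77",
     "country": "NG", "app": "Azure CLI", "result": "0"},
    {"time": "2025-03-04T10:00:00", "user": "bob@example.com",
     "protocol": "deviceCode", "interactive": True, "ip": "192.0.2.5",
     "country": "GB", "app": "Azure CLI", "result": "0"},
    {"time": "2025-03-04T10:05:00", "user": "bob@example.com",
     "protocol": "none", "interactive": False, "ip": "192.0.2.5",
     "country": "GB", "app": "Azure CLI", "result": "0"},
    {"time": "2025-03-04T11:00:00", "user": "carol@example.com",
     "protocol": "deviceCode", "interactive": True, "ip": "192.0.2.9",
     "country": "GB", "app": "Microsoft Office", "result": "50126"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_device_code_token_chains(events, window=timedelta(hours=24)):
    """Return (user, approval_ip, later_ip, app) for every successful
    interactive device-code sign-in that is followed, within `window`,
    by a successful non-interactive sign-in for the same user from a
    different IP address or country. Same-origin follow-ups (bob) and
    failed approvals (carol) are ignored."""
    findings = []
    approvals = [e for e in events
                 if e["protocol"] == "deviceCode" and e["interactive"]
                 and e["result"] == "0"]
    for a in approvals:
        t0 = parse(a["time"])
        for e in events:
            if e["user"] != a["user"] or e["interactive"] or e["result"] != "0":
                continue
            delta = parse(e["time"]) - t0
            if not (timedelta(0) <= delta <= window):
                continue
            if e["ip"] != a["ip"] or e["country"] != a["country"]:
                findings.append((a["user"], a["ip"], e["ip"], e["app"]))
    return findings


if __name__ == "__main__":
    for f in find_device_code_token_chains(SAMPLE_SIGNINS):
        print("suspicious device-code chain:", f)
```

In production the same join belongs in KQL across SigninLogs and AADNonInteractiveUserSignInLogs; the Python form is only to make the correlation logic concrete.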
What's in the full article
Silverfort's full analysis covers the operational detail this post intentionally leaves for the source:
- Hands-on Entra ID log captures showing the interactive and non-interactive sign-in legs of the attack
- KQL hunt queries for finding suspicious device code usage and later token activity
- Step-by-step containment actions for revoking access, removing role assignments, and reviewing OAuth consents
- Protocol-level explanation of how the device code flow behaves in Microsoft Entra ID
👉 Read Silverfort's analysis of device code phishing in Microsoft Entra ID →
Device code phishing in Entra ID: are your controls keeping up?
Explore further
Device code phishing exposes a trust gap in Entra ID sign-in design, not just a phishing weakness. The protocol assumes the entity polling for the code is the same entity the user intended to authorise. That assumption breaks when an attacker initiates the flow and the victim completes MFA on the real login page. The implication is that identity programmes must stop treating successful sign-in as proof of intended access.
A few things that frame the scale:
- From our research: 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
A question worth separating out:
Q: Who is accountable when stolen tokens are used after a device code phishing incident?
A: Identity, IAM, and security operations all share accountability, because the incident crosses authentication policy, session response, and access governance. Microsoft guidance now supports blocking the flow where it is not needed, and teams should ensure their playbooks address token revocation, role removal, and non-interactive log review as mandatory steps.
👉 Read our full editorial: Device code phishing is exposing gaps in Microsoft Entra ID controls