What Is Device Code Phishing?
Device code phishing is a cyberattack that abuses a legitimate Microsoft authentication flow to steal access tokens — without ever asking for a password. Instead of directing victims to a fake login page, attackers trick them into entering a real authentication code on a real Microsoft website, unknowingly authorizing the attacker’s session in the process.
The result is a valid Microsoft 365 token in the attacker’s hands — granting persistent access to email, files, and cloud applications with no password stolen, no MFA challenge triggered, and nothing that looks suspicious to the victim.
Device code phishing has moved from a niche red team technique to a mainstream attack method. In early 2026, a single Phishing-as-a-Service campaign called EvilTokens compromised more than 340 organizations across five countries in a matter of weeks — with AI-generated lures so personalized that no two phishing messages were identical.
How Does Device Code Phishing Work?
Device code phishing exploits the OAuth 2.0 Device Authorization Grant — a legitimate authentication flow originally designed for input-constrained devices like smart TVs, printers, and CLI tools that can’t display a traditional browser login. Here’s how attackers weaponize it:
- The attacker initiates the flow. Instead of waiting for a victim to start a login, the attacker triggers the device code authentication process themselves, generating a real, time-limited code from Microsoft.
- The lure is delivered. The victim receives a phishing message — via email, Teams, or SMS — that looks like a routine IT request, document share, or meeting invitation. The message includes the device code and instructions to visit the real Microsoft device login page (microsoft.com/devicelogin).
- The victim completes the authentication. Because the page is legitimate and the code looks official, the victim enters the code and signs in normally — including completing any MFA prompts.
- The token is delivered to the attacker. Microsoft’s authentication system, seeing a completed and verified login, issues an access token — to the attacker’s session, not the victim’s. The attacker now holds a valid token granting access to the victim’s Microsoft 365 environment.
- Persistence is established. Access and refresh tokens can remain valid for days or weeks. The attacker can read email, access OneDrive, move laterally into connected systems, and maintain persistent access — all without ever needing the victim’s password again.
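The five steps above can be made concrete with a toy model of the flow. The following is an added example, not code from the original article or from Microsoft: a constructed, in-memory authorization server that implements the three RFC 8628 endpoints (device authorization, user verification, token). The class name `ToyAuthServer`, the `login.example` URI, the `cli-app` client and the `alice@example.test` account are all assumptions made for the demonstration; no real service is contacted. What it shows is the property the attack relies on: the server records the user's approval (MFA included) against the pending `device_code`, and then hands the token to whoever holds that `device_code`, which is the party that started the flow, not the person who typed the user code.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added example: a constructed, in-memory model of the OAuth 2.0 Device
# Authorization Grant (RFC 8628). Server, URI, client and user are hypothetical.

DEVICE_CODE_TTL = 900   # seconds a device_code stays redeemable (assumed value)
POLL_INTERVAL = 5       # seconds the client is told to wait between polls


@dataclass
class DeviceAuth:
    device_code: str                  # secret held by the party that started the flow
    user_code: str                    # short code the human types on the verification page
    client_id: str
    expires_at: float
    approved_by: Optional[str] = None  # set once a user completes sign-in and MFA


class ToyAuthServer:
    """Hypothetical authorization server implementing the three RFC 8628 steps."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.by_device: Dict[str, DeviceAuth] = {}
        self.by_user_code: Dict[str, DeviceAuth] = {}

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: whoever calls this endpoint receives the device_code. The server
        cannot tell whether that caller is the person who will type the user_code."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(string.ascii_uppercase) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        auth = DeviceAuth(device_code, user_code, client_id, self.clock() + DEVICE_CODE_TTL)
        self.by_device[device_code] = auth
        self.by_user_code[user_code] = auth
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # constructed
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    def verify_user_code(self, user_code: str, user: str, mfa_passed: bool) -> str:
        """Step 2: the human enters user_code on the real verification page and signs
        in, MFA included. Approval is bound to the pending device_code, not to the
        human's own browser session."""
        auth = self.by_user_code.get(user_code)
        if auth is None or auth.expires_at <= self.clock():
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        auth.approved_by = user
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3: the holder of device_code polls. After approval the token is
        issued to this caller, with the approving human as subject."""
        auth = self.by_device.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if auth.expires_at <= self.clock():
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "subject": auth.approved_by,        # the user who typed the code
                "issued_to_client": auth.client_id}


def walkthrough() -> dict:
    """Run the flow end to end: the initiating session never authenticates, yet
    receives a token for whichever user approved its user_code."""
    now = [1_000.0]                                   # controllable clock for the demo
    srv = ToyAuthServer(clock=lambda: now[0])
    start = srv.device_authorization(client_id="cli-app")   # the initiator's session
    first_poll = srv.token(start["device_code"])            # nobody has approved yet
    approval = srv.verify_user_code(start["user_code"], "alice@example.test", mfa_passed=True)
    tok = srv.token(start["device_code"])                   # now issued to the initiator
    stale = srv.device_authorization(client_id="cli-app")   # a code nobody ever approves
    now[0] += DEVICE_CODE_TTL + 1                           # ...simply expires
    return {"first_poll": first_poll["error"], "approval": approval,
            "token_subject": tok.get("subject"),
            "stale_poll": srv.token(stale["device_code"])["error"]}
```

Running `walkthrough()` returns `authorization_pending` on the first poll, `approved` after the user signs in, a token whose subject is `alice@example.test` delivered to the session that called `device_authorization`, and `expired_token` for a code left past its lifetime. Note that the password and MFA checks happen entirely on the `verify_user_code` side; the `token` endpoint never sees them, which is the reason the defensive controls later in the article focus on the flow itself rather than on credentials.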
What makes this attack particularly effective is the AI layer. Campaigns like EvilTokens use AI to generate personalized phishing lures at scale — matching tone, context, and even active email threads to make each message more convincing. Device code phishing attacks spiked 1,380% between the second half of 2025 and early 2026, driven in large part by Phishing-as-a-Service platforms that have made the technique accessible to attackers of any skill level.
Why Does Device Code Phishing Bypass MFA and Traditional Defenses?
This is where device code phishing separates itself from every other phishing technique — and why security teams that feel protected by MFA and phishing awareness training are often caught off guard.
- It bypasses MFA — not by breaking it, but by completing it.
  In a standard phishing attack, the attacker captures a password and then has to defeat MFA separately. Device code phishing skips that problem entirely. The victim completes MFA themselves, as part of the legitimate authentication flow. By the time MFA is satisfied, the attacker already has the token. There is no second factor left to bypass.
- It uses real pages, so there’s nothing fake to detect.
  Traditional phishing defenses — user training, link scanning, anti-phishing filters — are built to catch fake login pages, spoofed domains, and suspicious URLs. Device code phishing sends victims to the real Microsoft authentication page. There is no spoofed domain, no cloned login form, no visual indicator that anything is wrong. Security tools looking for the usual signals find nothing to flag.
- It targets sessions, not credentials.
  Most identity security controls are built around protecting usernames and passwords. Device code phishing doesn’t touch credentials at all — it steals the session token that gets issued after authentication succeeds. Conditional Access policies and MFA requirements apply to the authentication event. Once a valid token exists, those controls are largely irrelevant to what the attacker does next.
- The token persists long after the attack.
  Access tokens typically expire within an hour, but refresh tokens — which can silently generate new access tokens — can remain valid for days or weeks. An attacker with a refresh token can maintain continuous access to a Microsoft 365 environment long after the initial phishing event, often without triggering any additional authentication events that would surface in sign-in logs.
- AI makes every lure unique.
  Signature-based email filters and spam detection rely on identifying known patterns across large volumes of similar messages. AI-generated phishing lures undermine this approach by making every message different — varying wording, tone, context, and pretext across thousands of targets simultaneously. Filters that would catch a templated phishing campaign find nothing consistent to match against.
The combination of these factors is why device code phishing has become the preferred technique of both nation-state actors — including Storm-2372, a Russian state-sponsored group that used it to target government, defense, and critical infrastructure — and financially motivated criminal groups operating Phishing-as-a-Service platforms.
How Can Organizations Defend Against Device Code Phishing?
Defense against device code phishing requires controls at the policy layer, the identity layer, and the user awareness layer — because no single control closes all of the gaps this attack exploits.
- Policy controls:
  - Create a Conditional Access policy in Microsoft Entra ID to block device code flow for all users. This is the single most effective mitigation available. Before enforcing it, audit existing device code flow usage to identify legitimate dependencies — CLI tools, automation workflows, and headless applications that may rely on this flow.
  - Enforce phishing-resistant MFA methods — FIDO2 security keys or certificate-based authentication — rather than push notifications or one-time codes, which can be socially engineered.
  - Configure shorter token lifetimes and session controls to reduce the window attackers have to operate with a stolen token.
- Identity and access controls:
  - Monitor sign-in logs for device code authentication events, particularly those originating from unusual locations, ISPs, or IP ranges.
  - Audit OAuth application grants regularly and remove any grants the organization doesn’t recognize or no longer needs.
  - Ensure that access policies follow least privilege — an attacker with a stolen token can only reach what that identity was authorized to access. Scoping access tightly limits the blast radius of a successful token theft.
  - If compromise is suspected: revoke all refresh tokens for the affected user immediately, force a password reset, audit inbox rules for new forwarding or deletion rules, and check for unauthorized MFA device registrations.
- User awareness:
  - Train users specifically on device code phishing — not just generic phishing awareness. The key message is simple: never enter a device code unless you personally initiated the authentication moments before. Any unsolicited request to enter a code on a Microsoft login page should be treated as a phishing attempt.
  - Establish an out-of-band verification process for any authentication request that feels unexpected. One call to IT is cheaper than a full incident response engagement.
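Two of the controls above, the Conditional Access policy that blocks device code flow and the review of sign-in logs for device code authentications, can be checked from data exported out of a tenant. The script below is an added example written for this article, not the article's own code and not a Microsoft tool. It assumes the exported objects use the Microsoft Graph field names as I know them: `conditions.authenticationFlows.transferMethods` with the value `deviceCodeFlow` on a Conditional Access policy, and `authenticationProtocol` with the value `deviceCode` plus `location.countryOrRegion` on a sign-in record; confirm these against your own tenant's export before relying on the key names. The two sample policies, the sample sign-ins, the `<break-glass-account-object-id>` placeholder, the `example.test` accounts and the IP ranges (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed.

```python
import ipaddress
from typing import Iterable, List

# Added example, not the article's or Microsoft's code. Field names follow the
# Graph conditionalAccessPolicy and signIn resources as I know them (assumption).
# All policies, sign-ins, IDs and IP ranges below are constructed sample data.


def device_code_block_status(policy: dict) -> dict:
    """Describe whether one exported Conditional Access policy blocks the device
    code flow for all users and all cloud apps, and which users it excludes."""
    cond = policy.get("conditions") or {}
    flows = cond.get("authenticationFlows") or {}
    methods = [m.strip() for m in (flows.get("transferMethods") or "").split(",")]
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    enforced = (
        policy.get("state") == "enabled"          # report-only mode does not block
        and "deviceCodeFlow" in methods
        and users.get("includeUsers") == ["All"]
        and apps.get("includeApplications") == ["All"]
        and "block" in (grant.get("builtInControls") or [])
    )
    return {"name": policy.get("displayName", "<unnamed>"), "enforced": enforced,
            "excluded_users": list(users.get("excludeUsers") or [])}


def tenant_blocks_device_code(policies: Iterable[dict]) -> bool:
    """True if at least one enforced policy blocks device code flow tenant-wide."""
    return any(device_code_block_status(p)["enforced"] for p in policies)


def review_device_code_signins(signins: Iterable[dict], baseline_countries: set,
                               corporate_ranges: Iterable[str]) -> List[dict]:
    """Return device-code sign-ins from outside the expected countries or IP
    ranges, successful or not, for analyst review. Other protocols are skipped."""
    nets = [ipaddress.ip_network(r) for r in corporate_ranges]
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        ip = ipaddress.ip_address(s["ipAddress"])
        if not any(ip in n for n in nets):
            reasons.append("source IP outside corporate ranges")
        country = (s.get("location") or {}).get("countryOrRegion")
        if country not in baseline_countries:
            reasons.append(f"sign-in country {country} outside baseline")
        if reasons:
            findings.append({"user": s.get("userPrincipalName"),
                             "time": s.get("createdDateTime"), "ip": str(ip),
                             "succeeded": (s.get("status") or {}).get("errorCode", 0) == 0,
                             "reasons": reasons})
    return findings


# Constructed sample export: one enforced block policy with a break-glass exclusion,
# one report-only MFA policy that does not touch the device code flow.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["<break-glass-account-object-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

# Constructed sample sign-ins: an in-range device code sign-in, one from an
# unexpected country and IP, and an interactive oAuth2 sign-in that is not in scope.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "createdDateTime": "2026-02-03T09:12:00Z",
     "ipAddress": "203.0.113.25", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.test", "createdDateTime": "2026-02-03T09:13:30Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "createdDateTime": "2026-02-03T10:02:00Z",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
]


def audit(policies=SAMPLE_POLICIES, signins=SAMPLE_SIGNINS) -> dict:
    """Posture plus detection in one report over the exported objects."""
    return {"device_code_blocked": tenant_blocks_device_code(policies),
            "exclusions": [u for p in policies for u in device_code_block_status(p)["excluded_users"]],
            "signins_to_review": review_device_code_signins(signins, {"US"}, ["203.0.113.0/24"])}
```

On the sample data `audit()` reports that device code flow is blocked tenant-wide, lists the break-glass exclusion so it can be reviewed deliberately rather than forgotten, and returns exactly one sign-in for review: the successful device code authentication for `alice@example.test` from 198.51.100.7 in NL. Real input comes from `GET /identity/conditionalAccess/policies` and `GET /auditLogs/signIns` in Microsoft Graph; once a sign-in is judged malicious, the "revoke all refresh tokens" step above corresponds to `POST /users/{id}/revokeSignInSessions` on that user.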
Access policy enforcement is where device code phishing is ultimately contained. Stolen tokens are only as dangerous as the access the compromised identity holds. Organizations that apply continuous authentication, enforce least-privilege access, and maintain the ability to revoke credentials immediately are significantly better positioned to limit the damage when a token is stolen — regardless of how convincing the lure was.