In a previous This Week in Cyber Security advisory, we highlighted how threat actors are successfully exploiting organizations’ Microsoft 365 infrastructure using device code phishing attacks. In this advisory, we’ll take a deeper look at how device code authentication works and why it’s targeted, as well as mitigations for device code phishing and other attack vectors that target Microsoft Entra ID tokens.
How Device Code Authentication Works
Instead of signing in directly, users navigate to https://microsoft.com/devicelogin which will redirect them to the login portal seen in the screenshot below, prompting the user to enter a code that will allow a device or app to access their Microsoft Entra ID account.

Just as streaming services like Netflix use device code authentication to simplify logins on remote controls, Entra ID leverages device codes for similar scenarios. This method is particularly useful for Internet of Things (IoT) devices—such as smart appliances and industrial sensors—and command-line interface (CLI) tools, which developers use to interact with software via text commands. These environments often lack traditional authentication options, making device codes an effective solution.
On the back-end, device code authentication uses OAuth 2.0 to authenticate the device or app to the user’s account. Once a user completes the authentication process (including MFA if prompted), an access token and a refresh token are issued to that device or app session. There are other types of tokens within Entra ID but we’ll be focusing on access and refresh tokens here.
- Access Tokens: Presented to an Entra ID–protected resource to authenticate the request and gain access. The default lifetime is a random value between 60 and 90 minutes.
- Refresh Tokens: Used to obtain new access tokens without the user signing in again. A refresh token can be used repeatedly within a 90-day window to generate new access tokens.
This flow is especially useful to attackers for several reasons:
- By abusing legitimate functionality of a trusted resource, an attacker increases the likelihood of a successful attack.
- Tokens offer the same level of access and/or privileges as the user’s credentials (e.g., access to Outlook, SharePoint, Teams, etc.).
- Attackers can maintain access to the account even if a user’s password is updated. Tokens need to be manually revoked using PowerShell.
- Once the device or app session has been authenticated to the user’s account, MFA is not prompted again when its tokens are used to access resources.
- After gaining this initial access via device code phishing, attackers can potentially move laterally, escalate privileges, steal sensitive data, and maintain persistence within the environment through unauthorized access to Microsoft 365 services (Outlook, Teams, SharePoint, etc.) or other Entra ID–protected resources.
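To make the token mechanics above concrete, here is an added example (not code from the advisory or from Microsoft) that models the OAuth 2.0 device authorization grant in memory: a device requests a code pair, the user enters the user code and completes MFA, the device polls for tokens, and the refresh token keeps working after a password change until sessions are explicitly revoked. The endpoint names mirror the real flow; the class, its state handling, the account `alice@contoso.example` and the fake clock are all assumptions made for the demonstration.

```python
"""Toy in-memory model of the OAuth 2.0 device authorization grant (RFC 8628) as
the advisory describes Entra ID using it. Added example, not Microsoft code: the
endpoint names mirror the real flow; the state handling here is an assumption."""
import random
import secrets
import string

ACCESS_TTL_RANGE = (60 * 60, 90 * 60)   # seconds; advisory: random 60-90 minute lifetime
REFRESH_WINDOW = 90 * 24 * 60 * 60      # seconds; advisory: 90-day refresh window
DEVICE_CODE_TTL = 900                   # seconds an unclaimed code pair stays valid


class ToyEntraAuthServer:
    def __init__(self, passwords):
        self.now = 0                      # fake clock (seconds) so lifetimes run offline
        self.passwords = dict(passwords)  # user -> password (toy only, never do this for real)
        self.pending = {}                 # device_code -> {"user_code", "user", "expires_at"}
        self.access_tokens = {}           # access_token -> {"user", "expires_at"}
        self.refresh_tokens = {}          # refresh_token -> {"user", "expires_at", "revoked"}

    # step 1: the device (or app) calls /devicecode and receives a code pair
    def device_authorization(self):
        device_code = secrets.token_hex(16)
        user_code = "".join(random.choices(string.ascii_uppercase + string.digits, k=9))
        self.pending[device_code] = {"user_code": user_code, "user": None,
                                     "expires_at": self.now + DEVICE_CODE_TTL}
        return {"device_code": device_code, "user_code": user_code, "interval": 5,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_TTL}

    # step 2: the user types the code at /devicelogin and signs in (password + MFA)
    def user_login(self, user_code, user, password, mfa_passed):
        if self.passwords.get(user) != password or not mfa_passed:
            return False
        for entry in self.pending.values():
            if (entry["user_code"] == user_code and entry["user"] is None
                    and self.now <= entry["expires_at"]):
                entry["user"] = user   # binds the waiting device session to this account
                return True
        return False

    # step 3: the device polls /token until the user has finished
    def token(self, device_code):
        entry = self.pending.get(device_code)
        if entry is None or self.now > entry["expires_at"]:
            return {"error": "invalid_grant" if entry is None else "expired_token"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device code is single-use
        return self._issue(entry["user"])

    # refresh grant: no password and no MFA prompt, only the refresh token is checked
    def refresh(self, refresh_token):
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["revoked"] or self.now > rec["expires_at"]:
            return {"error": "invalid_grant"}
        return self._issue(rec["user"])

    def _issue(self, user):
        ttl = random.randint(*ACCESS_TTL_RANGE)
        at, rt = secrets.token_hex(32), secrets.token_hex(32)
        self.access_tokens[at] = {"user": user, "expires_at": self.now + ttl}
        self.refresh_tokens[rt] = {"user": user, "revoked": False,
                                   "expires_at": self.now + REFRESH_WINDOW}
        return {"access_token": at, "expires_in": ttl, "refresh_token": rt}

    # a resource (Outlook, SharePoint, ...) checks only the bearer token, never MFA
    def resource_call(self, access_token):
        rec = self.access_tokens.get(access_token)
        return rec["user"] if rec and self.now <= rec["expires_at"] else None

    # a password change leaves already-issued refresh tokens untouched
    def change_password(self, user, new_password):
        self.passwords[user] = new_password

    # explicit session revocation (what the advisory's PowerShell step achieves)
    def revoke_sign_in_sessions(self, user):
        for rec in self.refresh_tokens.values():
            if rec["user"] == user:
                rec["revoked"] = True


def walkthrough():
    """Drive the flow once and return the observations the advisory lists."""
    user, pw = "alice@contoso.example", "Winter2025!"  # constructed account
    srv = ToyEntraAuthServer({user: pw})
    dc = srv.device_authorization()
    pending = srv.token(dc["device_code"])["error"]    # device polls before the user acts
    srv.user_login(dc["user_code"], user, pw, mfa_passed=True)
    tokens = srv.token(dc["device_code"])              # now the device receives both tokens
    srv.now += 2 * 60 * 60                             # two hours later the access token is dead...
    access_expired = srv.resource_call(tokens["access_token"]) is None
    srv.change_password(user, "Spring2026!")           # ...the user resets the password...
    renewed = srv.refresh(tokens["refresh_token"])     # ...yet the refresh grant still succeeds
    srv.revoke_sign_in_sessions(user)                  # only explicit revocation ends it
    return {"pending_error": pending, "access_ttl": tokens["expires_in"],
            "access_expired_after_2h": access_expired,
            "refresh_survives_password_change": srv.resource_call(renewed["access_token"]) == user,
            "refresh_after_revoke": srv.refresh(renewed["refresh_token"])["error"]}
```

Calling `walkthrough()` shows the four properties the list above relies on: the device receives nothing until the user acts, the access token dies within 90 minutes, the refresh token survives a password reset, and only revoking the user's sessions invalidates it. The `resource_call` method is the point to notice: a resource sees a bearer token, not the MFA that was completed once at enrolment.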
Broader Initial Access Threats
In addition to device code phishing, there are other attack vectors that attackers use to try and gain access to Entra ID tokens. Awareness of these types of attacks can help organizations prioritize their defense and mitigation strategies.
- Illicit OAuth Consent (“Consent Phishing”): Attacker persuades the user to grant dangerous permissions to a malicious Entra ID app.
- Adversary-in-the-Middle (AiTM) Phishing: Also known as reverse-proxy phishing, tools like Evilginx2 steal valid session cookies or tokens by proxying the legitimate login page.
- Credential Attacks: Password-guessing techniques such as brute force, credential stuffing and password spraying. If valid credentials are obtained, attackers can use them to acquire tokens or to launch MFA fatigue attacks.
- MFA Fatigue (Push Bombing): Attackers spam MFA requests until a user mistakenly approves one, granting access to the account.
- Post Compromise Attacks: If an attacker gains valid credentials or unauthorized access to an application or web browser session, they may be able to perform “Pass-the-Cookie” or “Pass-the-Token” attacks.
Mitigation Guidance
nGuard recommends implementing layered countermeasures to prevent or contain threats to Entra ID. The table below contains Entra ID defense recommendations that focus first on removing or restricting initial access (IA) attack vectors, then on eliminating privilege escalation (PE) vectors.
The table also notes which attack vectors are mitigated by each control. If your organization does not rely on device authentication, disabling it outright can eliminate that attack vector.
Once technical controls are in place, security assessments should be performed regularly to validate that implemented protections are working effectively and ensure misconfigurations or new vulnerabilities haven’t been introduced between assessments.
| Recommended Defense | How It Helps | Attack Vectors Mitigated |
| --- | --- | --- |
| Disable or Restrict Device Authentication Flow (if not needed, or limit access via Conditional Access Policies) | • Removes or locks down the device code phishing attack vector | • Device Code Phishing |
| Phishing-Resistant MFA (e.g., FIDO2 tokens, certificate-based, number matching) | • Neutralizes credential attacks such as brute force • Stops easy approvals for MFA fatigue • Increases the difficulty of device code phishing attacks | • AiTM Phishing • Credential Attacks • Device Code Phishing • MFA Fatigue |
| Restrict OAuth App Consents (admin workflows, governance) | • Blocks malicious apps from tricking users into illicit consent • Prevents unauthorized device code usage when combined with restricted app permissions | • Device Code Phishing • Illicit OAuth Consent |
| Disable Legacy/Basic Authentication (if not needed) | • Enforces modern authentication and MFA usage • Prevents credential attacks via old protocols that skip MFA | • Credential Attacks |
| Strong Password Management (banned password lists, lockout policies) | • Reduces the effectiveness of credential attacks • Improves overall credential hygiene | • Credential Attacks |
| Monitor & Alert on Anomalous Sign-Ins (Entra ID Protection, SIEM) | • Identifies device code anomalies or suspicious reverse-proxy sign-ins • Flags repeated MFA prompts • Spots unusual IP and geolocation usage to detect token theft | • Device Code Phishing • AiTM Phishing • MFA Fatigue • Post Compromise Attacks |
| Shorter Token Lifetimes & Continuous Access Evaluation (CAE) | • Limits how long tokens remain valid • Forces frequent reauthentication • Enables real-time, risk-based token revocation • Limits the utility of stolen or replayed tokens • Reduces long-lived sessions that AiTM phishing attackers can exploit | • AiTM Phishing • Post Compromise Attacks |
| Harden Endpoints & Browsers (EDR, patching, limiting extensions) | • Detects malware that steals tokens or session cookies • Encourages least privilege to contain endpoint compromise | • Post Compromise Attacks |
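The “Monitor & Alert on Anomalous Sign-Ins” row lists three signals: completed device code sign-ins, repeated MFA prompts, and sign-ins from implausible locations. The following added example (not code from the advisory, nGuard, or Microsoft) runs those three rules over a handful of constructed sign-in records. The records are invented; their field names follow the Microsoft Graph `signIn` resource as I understand it (`authenticationProtocol`, `status.errorCode`, `location.countryOrRegion`), and the value `500121` used for a denied MFA challenge, the thresholds and the windows are all assumptions to tune against your own tenant.

```python
"""Detection logic over constructed Entra ID sign-in records for the 'Monitor &
Alert on Anomalous Sign-Ins' control. Added example: the records are made up and
the field names follow the Microsoft Graph signIn resource as I understand it."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

MFA_DENIED_CODE = 500121                 # assumption: Entra error code for a failed MFA challenge
FATIGUE_THRESHOLD = 4                    # denied prompts within FATIGUE_WINDOW that raise an alert
FATIGUE_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(minutes=60)    # two countries inside this window is suspicious

# Constructed sample: one device-code sign-in, one MFA-fatigue burst, one token-theft pattern.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-03-03T08:00:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","status":{"errorCode":0},"appDisplayName":"Microsoft Teams"}
{"createdDateTime":"2025-03-03T13:14:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","status":{"errorCode":0},"appDisplayName":"Microsoft Azure CLI"}
{"createdDateTime":"2025-03-03T09:01:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.5","location":{"countryOrRegion":"BR"},"authenticationProtocol":"none","status":{"errorCode":500121},"appDisplayName":"Office 365"}
{"createdDateTime":"2025-03-03T09:02:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.5","location":{"countryOrRegion":"BR"},"authenticationProtocol":"none","status":{"errorCode":500121},"appDisplayName":"Office 365"}
{"createdDateTime":"2025-03-03T09:03:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.5","location":{"countryOrRegion":"BR"},"authenticationProtocol":"none","status":{"errorCode":500121},"appDisplayName":"Office 365"}
{"createdDateTime":"2025-03-03T09:04:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.5","location":{"countryOrRegion":"BR"},"authenticationProtocol":"none","status":{"errorCode":500121},"appDisplayName":"Office 365"}
{"createdDateTime":"2025-03-03T09:05:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.5","location":{"countryOrRegion":"BR"},"authenticationProtocol":"none","status":{"errorCode":500121},"appDisplayName":"Office 365"}
{"createdDateTime":"2025-03-03T09:06:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.5","location":{"countryOrRegion":"BR"},"authenticationProtocol":"none","status":{"errorCode":0},"appDisplayName":"Office 365"}
{"createdDateTime":"2025-03-03T10:00:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"203.0.113.20","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","status":{"errorCode":0},"appDisplayName":"OfficeHome"}
{"createdDateTime":"2025-03-03T10:30:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"192.0.2.99","location":{"countryOrRegion":"RU"},"authenticationProtocol":"none","status":{"errorCode":0},"appDisplayName":"OfficeHome"}
"""


def parse_signins(text):
    """JSON lines -> records sorted by time, each with a parsed `_ts` datetime added."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def detect(records):
    """Return alerts for device-code sign-ins, MFA fatigue bursts and impossible travel."""
    alerts = []
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)
    for user, recs in by_user.items():
        successes = [r for r in recs if r["status"]["errorCode"] == 0]
        # Rule 1: a completed device-code grant; rare in most tenants, so each one is worth review
        for r in successes:
            if r.get("authenticationProtocol") == "deviceCode":
                alerts.append({"rule": "device_code_signin", "user": user, "ip": r["ipAddress"],
                               "country": r["location"]["countryOrRegion"], "app": r["appDisplayName"]})
        # Rule 2: a burst of denied MFA prompts (push bombing) and whether one was finally approved
        denied = [r["_ts"] for r in recs if r["status"]["errorCode"] == MFA_DENIED_CODE]
        for i, start in enumerate(denied):
            burst = [t for t in denied[i:] if t - start <= FATIGUE_WINDOW]
            if len(burst) >= FATIGUE_THRESHOLD:
                approved = any(start <= r["_ts"] <= burst[-1] + FATIGUE_WINDOW for r in successes)
                alerts.append({"rule": "mfa_fatigue", "user": user, "prompts": len(burst),
                               "approved_after": approved, "first_prompt": start.isoformat()})
                break   # one alert per user per burst is enough for triage
        # Rule 3: consecutive successes from different countries too close together (token replay)
        for a, b in zip(successes, successes[1:]):
            ca, cb = a["location"]["countryOrRegion"], b["location"]["countryOrRegion"]
            if ca != cb and b["_ts"] - a["_ts"] <= TRAVEL_WINDOW:
                alerts.append({"rule": "impossible_travel", "user": user, "from": ca, "to": cb,
                               "minutes_apart": int((b["_ts"] - a["_ts"]).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

On the sample data this produces one alert per rule: Alice's Azure CLI device-code sign-in from a new country, Bob's five denied prompts followed by an approval, and Carol's US-to-RU pair thirty minutes apart. In a real tenant these rules belong in your SIEM or Entra ID Protection policies over the live sign-in feed rather than in a script; rule 1 in particular needs an allowlist of sanctioned CLI and IoT applications, otherwise it will page on every legitimate developer login.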
Summary
In addition to implementing technical controls, organizations can enhance security by educating users on recognizing suspicious device code prompts and illicit consent phishing attempts. Regular security awareness training and social engineering exercises help reinforce this knowledge, ensuring users remain vigilant and identifying those who may need additional guidance. By adopting a layered security approach, organizations can increase the difficulty of attacks and provide additional protection in case of unauthorized access. Focusing on high-impact defenses and environment-specific mitigations enables efficient protection against device code phishing and other threats targeting Entra ID.