In April and May 2026, Microsoft and the Australian Signals Directorate (ASD) have both highlighted a sharp rise in device code phishing: attackers are abusing Microsoft’s legitimate device authorization flow to bypass MFA and gain long‑lived access to Microsoft 365 accounts. This isn’t your grandfather’s password‑stealing email; it’s a subtle, token‑based attack that looks completely “normal” to the user.
What is device‑code phishing?
OAuth’s device code / device authorization grant lets a user sign in on one device (like a TV or printer) by entering a short code on a second device at a real Microsoft URL (for example, https://microsoft.com/devicelogin).
Attackers hijack this flow by:
Triggering a device‑code sign‑in on their end.
Sending the code and link to the victim via phishing emails, collaboration lures, or even vishing calls.
Getting the victim to sign in with their normal password and MFA, which silently approves the attacker’s OAuth session.
Once approved, the attacker receives refresh tokens that can give them persistent access to email, Teams, SharePoint, and more—all without ever stealing a password.
Why this is so dangerous for Microsoft 365 tenants
What makes device‑code phishing especially nasty is that:
The login page is genuine Microsoft infrastructure, so it passes basic URL checks and looks like a normal sign‑in.
MFA is satisfied, so Conditional Access policies that only care about “MFA present” may still allow the token issuance.
Attackers can recycle or regenerate codes on demand, and modern campaigns are increasingly AI‑assisted, improving phishing lures and timing.
For an MSP or IT admin managing multiple Microsoft 365 tenants, this means:
Account takeover can happen even in heavily MFA‑protected environments.
Post‑breach visibility depends heavily on how well you’re monitoring consent grants and device‑code sign‑ins in Entra ID logs.
What admins should do today
You don’t need to wait for a breach. Here are concrete steps you can implement in your tenant(s):
1. Restrict or disable device‑code flows where possible
If your users don’t actually use legacy devices or scripts that rely on the device code flow, disable or block it via Conditional Access:
Use a policy that blocks sign‑ins where the client app type is “Device code flow”.
If you still need it for a small subset (service accounts, automation), restrict it to:
Trusted device compliance conditions.
Location‑based policies (e.g., corporate IP ranges).
Named user groups only.
2. Enforce phishing‑resistant MFA and least‑privilege
Move toward FIDO2 security keys or passkeys where feasible, which are harder to phish even within legitimate sign‑in flows.
Enforce least‑privilege access in Azure AD and Microsoft 365 so that even if a token is issued, its scope is limited.
3. Monitor sign‑in and consent activity
In Microsoft Entra sign‑in logs, look for:
Frequent or unexpected device‑code or token‑based sign‑ins from unusual clients or IPs.
Consent grants for new or suspicious apps that appear after a user clicks a phishing link.
Export these logs into your SIEM or XDR and create alerts for:
Device‑code sign‑ins from new or unknown apps.
Multiple failed device‑code attempts followed by a successful sign‑in.
4. Train users to treat “sign‑in to view” prompts as suspicious
Even if the page is real, the context is wrong. Teach staff:
Never to approve a sign‑in or consent prompt they didn’t initiate.
To treat unexpected messages like “Click to see this document” or “Sign in to view security alert” as red flags, regardless of the URL.
To report suspicious emails or pop‑ups to IT immediately.
Wrapping up
Device‑code phishing is a clear signal that phishing attacks are evolving beyond simple credential theft. Because they piggyback on legitimate Microsoft flows, they are harder to spot and block with traditional filters alone.
If you’re responsible for Microsoft 365 or Azure AD security, now is the time to:
Audit whether you actually need device‑code flows in each tenant.
Harden Conditional Access and MFA policies.
Monitor consent and sign‑in logs more closely.
For more detail on the specific campaigns and technical patterns, see the original ASD analysis:
Device code phishing: A growing threat to Microsoft 365 users – LinkedIn



