Device Code Phishing: Why It’s a Big Deal for Microsoft 365 and How to Lock It Down

Learn how device code phishing abuses Microsoft’s OAuth flow to bypass MFA in Microsoft 365, and get practical steps to block it across your tenants.

Garry BloomGarry Bloom · Founder & Senior IT Manager
20 May 2026
5 min read
device code phishing
Microsoft 365
Azure AD
Entra ID
OAuth phishing
MFA bypass
Microsoft 365 security
conditional access
device authorization flow
phishing‑resistant MFA
account takeover

In April and May 2026, Microsoft and the Australian Signals Directorate (ASD) have both highlighted a sharp rise in device code phishing: attackers are abusing Microsoft’s legitimate device authorization flow to bypass MFA and gain long‑lived access to Microsoft 365 accounts. This isn’t your grandfather’s password‑stealing email; it’s a subtle, token‑based attack that looks completely “normal” to the user.

What is device‑code phishing?

OAuth’s device code / device authorization grant lets a user sign in on one device (like a TV or printer) by entering a short code on a second device at a real Microsoft URL (for example, https://microsoft.com/devicelogin).

Attackers hijack this flow by:

  • Triggering a device‑code sign‑in on their end.

  • Sending the code and link to the victim via phishing emails, collaboration lures, or even vishing calls.

  • Getting the victim to sign in with their normal password and MFA, which silently approves the attacker’s OAuth session.

Once approved, the attacker receives refresh tokens that can give them persistent access to email, Teams, SharePoint, and more—all without ever stealing a password.

Why this is so dangerous for Microsoft 365 tenants

What makes device‑code phishing especially nasty is that:

  • The login page is genuine Microsoft infrastructure, so it passes basic URL checks and looks like a normal sign‑in.

  • MFA is satisfied, so Conditional Access policies that only care about “MFA present” may still allow the token issuance.

  • Attackers can recycle or regenerate codes on demand, and modern campaigns are increasingly AI‑assisted, improving phishing lures and timing.

For an MSP or IT admin managing multiple Microsoft 365 tenants, this means:

  • Account takeover can happen even in heavily MFA‑protected environments.

  • Post‑breach visibility depends heavily on how well you’re monitoring consent grants and device‑code sign‑ins in Entra ID logs.

What admins should do today

You don’t need to wait for a breach. Here are concrete steps you can implement in your tenant(s):

1. Restrict or disable device‑code flows where possible

If your users don’t actually use legacy devices or scripts that rely on the device code flow, disable or block it via Conditional Access:

  • Use a policy that blocks sign‑ins where the client app type is “Device code flow”.

  • If you still need it for a small subset (service accounts, automation), restrict it to:

    • Trusted device compliance conditions.

    • Location‑based policies (e.g., corporate IP ranges).

    • Named user groups only.

2. Enforce phishing‑resistant MFA and least‑privilege

  • Move toward FIDO2 security keys or passkeys where feasible, which are harder to phish even within legitimate sign‑in flows.

  • Enforce least‑privilege access in Azure AD and Microsoft 365 so that even if a token is issued, its scope is limited.

3. Monitor sign‑in and consent activity

In Microsoft Entra sign‑in logs, look for:

  • Frequent or unexpected device‑code or token‑based sign‑ins from unusual clients or IPs.

  • Consent grants for new or suspicious apps that appear after a user clicks a phishing link.

Export these logs into your SIEM or XDR and create alerts for:

  • Device‑code sign‑ins from new or unknown apps.

  • Multiple failed device‑code attempts followed by a successful sign‑in.

4. Train users to treat “sign‑in to view” prompts as suspicious

Even if the page is real, the context is wrong. Teach staff:

  • Never to approve a sign‑in or consent prompt they didn’t initiate.

  • To treat unexpected messages like “Click to see this document” or “Sign in to view security alert” as red flags, regardless of the URL.

  • To report suspicious emails or pop‑ups to IT immediately.

Wrapping up

Device‑code phishing is a clear signal that phishing attacks are evolving beyond simple credential theft. Because they piggyback on legitimate Microsoft flows, they are harder to spot and block with traditional filters alone.

If you’re responsible for Microsoft 365 or Azure AD security, now is the time to:

  • Audit whether you actually need device‑code flows in each tenant.

  • Harden Conditional Access and MFA policies.

  • Monitor consent and sign‑in logs more closely.

For more detail on the specific campaigns and technical patterns, see the original ASD analysis:
Device code phishing: A growing threat to Microsoft 365 users – LinkedIn

Garry Bloom
Written by
Garry Bloom
Founder & Senior IT Manager · 25+ years in IT

Garry founded Computer Mechanics — the business behind IT Support Perth — in 1997. With more than 25 years in IT management and support across internal and external service environments, he leads the team's technical direction and its cybersecurity and managed-IT strategy for Perth businesses.

Meet the IT Support Perth team →
Garry Bloom
20 May 2026
5 min read
device code phishing
Microsoft 365
Azure AD
Entra ID
OAuth phishing
MFA bypass
Microsoft 365 security
conditional access
device authorization flow
phishing‑resistant MFA
account takeover

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
4 IT Gaps Small Businesses Overlook (and How to Close Them)
Cybersecurity
Small Business

4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read
7/16/2026