Device code phishing
Summary
To get around phishing-resistant authentication methods, attackers use device code phishing, which abuses the alternative authentication flows intended for devices that cannot perform passkey-based logins, e.g. because they have no web browser or only limited input capabilities.
This typically involves either phishing a one-time access code from the victim, alongside or instead of a password-based login, in place of the usual MFA step, or delivering an attacker-requested device code to the victim so that they authorize an integration with an attacker-controlled application.
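As an added illustration, not part of this page or of any of the examples it lists, the detection idea behind the second variant: the victim types the code on their own machine, but the token is redeemed by the host that requested the code, so (assuming the identity provider's sign-in log records the IP of the client that redeems the token) a device-code sign-in from an address the user has never used through any other flow stands out. The log schema, the "deviceCode" protocol value and the sample events below are constructed assumptions, not any provider's real format.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events (not real data). The field names and the
# "deviceCode" protocol value are assumptions modelled on typical cloud
# identity sign-in logs; adapt them to your provider's schema.
SAMPLE_LOG = """
{"ts":"2024-05-01T08:02:11Z","user":"alice@example.test","protocol":"password","ip":"198.51.100.10","app":"Mail client"}
{"ts":"2024-05-01T08:40:03Z","user":"alice@example.test","protocol":"browser","ip":"198.51.100.10","app":"File sync"}
{"ts":"2024-05-01T09:15:27Z","user":"alice@example.test","protocol":"deviceCode","ip":"203.0.113.77","app":"Mobile sync client"}
{"ts":"2024-05-01T10:01:00Z","user":"bob@example.test","protocol":"browser","ip":"198.51.100.20","app":"Chat"}
{"ts":"2024-05-01T10:05:44Z","user":"bob@example.test","protocol":"deviceCode","ip":"198.51.100.20","app":"CLI tool"}
"""


def parse_events(text):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_device_code_signins(events):
    """Return device-code sign-ins whose source IP the user has not used via any other flow.

    The baseline is built from the whole batch: every IP the user reached the
    tenant from through a non-device-code flow (browser, password, ...). A
    device-code sign-in from outside that set is the pattern a phished code
    redeemed on an attacker-controlled host produces.
    """
    known_ips = defaultdict(set)
    for e in events:
        if e["protocol"] != "deviceCode":
            known_ips[e["user"]].add(e["ip"])
    alerts = []
    for e in events:
        if e["protocol"] == "deviceCode" and e["ip"] not in known_ips[e["user"]]:
            alerts.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"], "app": e["app"]})
    return alerts


def device_code_summary(events):
    """Count device-code sign-ins per user; the flow is rare enough in most
    environments that each occurrence merits review regardless of source IP."""
    counts = defaultdict(int)
    for e in events:
        if e["protocol"] == "deviceCode":
            counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in flag_device_code_signins(evs):
        print(f"ALERT {a['ts']} {a['user']} device-code sign-in from new IP {a['ip']} ({a['app']})")
    print("device-code sign-ins per user:", device_code_summary(evs))
```

Bob's device-code sign-in comes from an IP he also uses in the browser and is only counted, while Alice's is redeemed from an address she has never used and is flagged.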
Examples
- Example 1: Device code phishing with Microsoft — Example of spoofing the OneDrive iOS app.
- Example 2: Simulating device code phishing in a headless browser — Automating the process of redirecting the victim to the authentication page and entering the generated device code into the webpage behind the scenes.
- Example 3: Russian threat actors targeting Microsoft device code authentication
- Example 4: Microsoft Threat Intelligence Center tracks Storm-2372 using techniques that abuse the device authentication flow
- Example 5: GitHub device code phishing
- Example 6: Device code phishing in Google Cloud and Azure
- Example 7: Detecting device code phishing
- Example 8: OAuth device code phishing with verified apps