Device code phishing is a sneaky new way hackers are stealing people’s online accounts.
In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to.
Unlike regular phishing emails that take you to fake websites, this scam tricks you into using real login pages with codes that actually belong to the hackers.
Here’s the scary part: The device code techniques are particularly dangerous because the phishing emails don’t carry malicious links or attachments and aren’t easily identified by cybersecurity products. Even people who are usually careful about clicking suspicious links can fall for this because everything looks completely legitimate.
The attacks have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple regions. Most recently, Microsoft discovered cyberattacks being launched by a group it tracks as Storm-2372, which Microsoft assesses with moderate confidence aligns with Russia’s interests and tradecraft.
What Exactly Are Device Codes?
To understand this scam, you first need to know what device codes are. A device code is a numeric or alphanumeric code used to authenticate an account from an input-constrained device that does not have the ability to perform an interactive authentication using a web flow.
Think about when you want to watch Netflix on your smart TV. The TV doesn’t have a full keyboard, so typing in your email and password would be really annoying. Instead, Netflix shows you a short code on your TV screen and tells you to go to a website on your phone or computer to enter that code. Once you enter the code and log in on your phone, your TV gets connected to your Netflix account. It’s actually pretty convenient!
Another way to picture a “device code”: when you buy a new smart television, it may come with apps such as Netflix or AppleTV already installed. To use those applications you need to sign in to your account, but it is clearly impractical to mash TV remote buttons all day trying to type out a 24-character password, so a short code is used as a better way.
How the Scam Works
Here’s where the hackers get clever. To prepare for this attack, the threat actor begins a login to a legitimate service you already use (e.g., Microsoft, Netflix, a third-party app) using your account’s user ID, so that a legitimate device code (meant for you) is issued to them instead.
The attack usually happens in these steps:
- The Setup: Hackers generate a real device code using your account information
- The Contact: The attackers contact the end user via third-party messaging platforms such as WhatsApp, Signal or even Microsoft Teams. Usually they provide context around a fake meeting or calendar invitation that carries the code (the device code)
- The Trick: They send you a message that looks like it’s from Microsoft Teams, your IT department, or another trusted source, asking you to enter a code on a legitimate Microsoft login page
- The Trap: When you enter the code and log in, this tricks the login service into believing that the other device under the control of the hacker is yours
Generated device codes are only valid for 15 minutes after they are created. As a result, the attackers must communicate with the victim in real time, and they need the victim to be expecting the “invitation”.
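To make the mechanics behind these steps concrete, here is an added toy model of the OAuth 2.0 device authorization grant (RFC 8628) in Python. It is not code from the original article and does not talk to Microsoft or any real service; the verification URL, the “tv-app” client and the user alice@example.com are constructed. It shows the three parties (the client that starts the flow, the person who types the code, the server that issues tokens), why the tokens always go to whoever holds the device_code rather than to the person who signed in, and what happens when the code is entered after the 15-minute window.

```python
import secrets
import string
import time

USER_CODE_TTL = 900  # seconds: the article states device codes expire 15 minutes after creation


class DeviceCodeServer:
    """Toy authorization server for the device authorization grant (RFC 8628)."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be demonstrated
        self._pending = {}             # device_code -> flow state
        self._by_user_code = {}        # user_code -> device_code

    def device_authorization(self, client_id):
        """Step 1: the initiating client asks for codes. It alone receives the secret
        device_code; the short user_code is what gets shown to a person."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "-".join("".join(secrets.choice(alphabet) for _ in range(4)) for _ in range(2))
        self._pending[device_code] = {
            "client_id": client_id,
            "user_code": user_code,
            "expires_at": self.now() + USER_CODE_TTL,
            "approved_by": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin",  # constructed URL
                "expires_in": USER_CODE_TTL}

    def user_login(self, user_code, username):
        """Step 2: a person signs in at the verification page and types the user_code.
        The server cannot tell whether the device that started the flow is theirs."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        flow = self._pending[device_code]
        if self.now() > flow["expires_at"]:
            return "expired_token"
        flow["approved_by"] = username
        return "approved"

    def token(self, device_code):
        """Step 3: the initiating client polls the token endpoint with its device_code.
        Once the flow is approved, it is issued tokens for whoever signed in."""
        flow = self._pending.get(device_code)
        if flow is None:
            return {"error": "invalid_grant"}
        if self.now() > flow["expires_at"]:
            return {"error": "expired_token"}
        if flow["approved_by"] is None:
            return {"error": "authorization_pending"}
        user = flow["approved_by"]
        return {"access_token": f"at-{user}-{secrets.token_hex(4)}",
                "refresh_token": f"rt-{user}-{secrets.token_hex(4)}",  # long-lived, see "Long-Term Access"
                "token_type": "Bearer"}


def run_scenario(seconds_until_code_entered):
    """Drive one flow on a fake clock: a client starts it, a user enters the code after
    the given delay, then the client polls. Returns (login_result, token_response)."""
    clock = [1_700_000_000.0]                                  # constructed epoch timestamp
    server = DeviceCodeServer(now=lambda: clock[0])
    codes = server.device_authorization(client_id="tv-app")   # constructed client id
    # Nobody has entered the code yet, so polling only reports that approval is pending.
    assert server.token(codes["device_code"]) == {"error": "authorization_pending"}
    clock[0] += seconds_until_code_entered
    login_result = server.user_login(codes["user_code"], "alice@example.com")
    token_response = server.token(codes["device_code"])
    return login_result, token_response


if __name__ == "__main__":
    print(run_scenario(60))    # code entered within the window: tokens issued to the initiating client
    print(run_scenario(901))   # code entered after 15 minutes: expired_token on both sides
```

The point to take from the model is in `token()`: the server issues the access and refresh tokens to whichever client presents the device_code, and the person typing the user_code never sees that client. That is exactly the gap the “Trap” step exploits, and the 15-minute `USER_CODE_TTL` is why the attackers need the victim online and expecting the code at that moment.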
Real Examples of These Attacks
Example 1: Fake Microsoft Teams Meeting
This phishing attack masquerades as a Microsoft Teams meeting invitation delivered through email. When victims click the meeting invitation, they are prompted to authenticate using a device code generated by the threat actor. You might get an email that looks like your boss is inviting you to an urgent meeting, but when you click to join, you’re asked to enter a code to “verify your identity.”
Example 2: Fake Military Official Contact
Volexity are cyber-security specialists. In their investigation of one incident, they reviewed the emails sent to the user leading up to the time of the authentication event. This review identified a suspicious email arriving just moments before the login activity, from an email address purporting to belong to a high-ranking official of the Ukrainian Ministry of Defence. In this case, hackers pretended to be important government officials to trick their targets.
Example 3: Signal Messenger Scam
Through its investigations, Volexity discovered that Russian threat actors were impersonating a variety of individuals in order to socially engineer targets. In one case, the attacker, posing as one such individual, requested that the victim move off Signal to another secure chat application called Element. The attacker then had the victim join an Element server they controlled under the domain sen-comms[.]com.
Why This Scam Is So Dangerous
There are several reasons why device code phishing is particularly scary:
It Uses Real Websites: A user who is up on their Security Awareness Training might know to be rightfully suspicious of links, but may let their guard down when they see https://microsoft.com/devicelogin as the URL. You’re not being sent to a fake website – you’re using the real Microsoft login page!
It Bypasses Security Training: Most security training teaches people to look for suspicious links or fake websites. But in this scam, everything looks completely legitimate because it IS legitimate – except for the code you’re entering.
Long-Term Access: A further advantage for the attacker is that refresh tokens allow persistent access to victim accounts long after the initial authentication. Once hackers get in, they can stay in your account for a long time.
Hard to Detect: There’s no true exploitation occurring during this attack outside of tricking someone into using the device code flow when they shouldn’t. Since everything is using legitimate systems, security software has a hard time catching it.
How to Protect Yourself
For Regular Users
Be Suspicious of Unexpected Codes: It is uncommon for users to approve a device code sent to them without having attempted to log in to a service on a new device first, where a device code would typically be requested. If someone sends you a code to enter but you didn’t try to sign in to anything, that’s a red flag.
Verify Before You Act: If you get a message asking you to enter a device code, especially if it claims to be urgent, pause and verify. Call your IT department or the person who supposedly sent the message using a different method to confirm it’s real.
Know the Warning Signs:
- Messages that create urgency (“You must enter this code immediately!”)
- Requests to enter codes when you haven’t tried to log in to anything
- Meeting invitations from people you don’t recognize
- Messages asking you to use device codes for “security verification”
Don’t Enter Codes Unless You Initiated the Process: Employees should be educated to recognise phishing attempts that ask for authentication outside of expected workflows. Only enter device codes when YOU are the one trying to log in to a new device.
For Organisations and IT Departments
Use Conditional Access Policies: The most effective defence against device code phishing attacks is creating conditional access policies that completely prohibit device code authentication for an organisation’s Microsoft 365 tenant. If your organisation doesn’t need device codes, just turn them off completely.
Monitor Sign-in Logs: Use the KQL query below to search across the environment for usage of the device code flow:

    SigninLogs
    | where TimeGenerated > ago(90d)
    | where AuthenticationProtocol == "deviceCode"

IT teams should regularly check who is using device codes and investigate anything suspicious.
Set Up Geographic Restrictions: Conditional access policies should be configured to enforce the following:
- Device compliance requirements (e.g., requiring Intune-enrolled devices)
- Geolocation restrictions to block access from unexpected regions
This is now standard in Kinetics KARE Foundation unless a client asks us to turn it off.
Require Device Compliance: Based on current knowledge, this security barrier cannot be bypassed or faked, and it will prevent users from using the Device Code Flow and getting phished in the first place.
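The following is an added Python example that ties the sign-in log query and the conditional access recommendations above together; it is not code from the article, from Kinetics or from Microsoft. It runs over a handful of constructed newline-delimited records shaped like a few Entra ID SigninLogs columns (the real table has many more), reproduces the KQL filter on AuthenticationProtocol, and then applies a deliberately simplified model of the two policies described (block the device code flow from non-compliant devices; block sign-ins from unexpected regions). The ALLOWED_COUNTRIES set, every user, IP address and timestamp are assumptions made up for the example, and the policy model is an illustration rather than how Microsoft’s conditional access engine actually evaluates rules.

```python
import json

# Constructed newline-delimited sign-in records. Field names follow Entra ID
# SigninLogs columns; every value is invented for this example.
SAMPLE_SIGNIN_LOGS = """\
{"TimeGenerated":"2025-03-01T09:12:00Z","UserPrincipalName":"alice@example.com","AuthenticationProtocol":"deviceCode","AppDisplayName":"Microsoft Office","IPAddress":"203.0.113.10","Location":{"countryOrRegion":"NZ"},"DeviceDetail":{"isCompliant":false}}
{"TimeGenerated":"2025-03-01T09:30:00Z","UserPrincipalName":"bob@example.com","AuthenticationProtocol":"deviceCode","AppDisplayName":"Microsoft Azure CLI","IPAddress":"203.0.113.20","Location":{"countryOrRegion":"NZ"},"DeviceDetail":{"isCompliant":true}}
{"TimeGenerated":"2025-03-01T10:05:00Z","UserPrincipalName":"carol@example.com","AuthenticationProtocol":"deviceCode","AppDisplayName":"Microsoft Office","IPAddress":"198.51.100.7","Location":{"countryOrRegion":"US"},"DeviceDetail":{"isCompliant":false}}
{"TimeGenerated":"2025-03-01T10:40:00Z","UserPrincipalName":"dave@example.com","AuthenticationProtocol":"none","AppDisplayName":"Microsoft Teams","IPAddress":"203.0.113.30","Location":{"countryOrRegion":"NZ"},"DeviceDetail":{"isCompliant":true}}
{"TimeGenerated":"2025-03-01T11:15:00Z","UserPrincipalName":"eve@example.com","AuthenticationProtocol":"none","AppDisplayName":"Microsoft Teams","IPAddress":"198.51.100.9","Location":{"countryOrRegion":"US"},"DeviceDetail":{"isCompliant":true}}
"""

ALLOWED_COUNTRIES = {"NZ", "AU"}   # assumption: the regions this tenant expects sign-ins from


def parse_logs(ndjson):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def device_code_signins(records):
    """Python equivalent of the KQL filter: AuthenticationProtocol == "deviceCode"."""
    return [r for r in records if r.get("AuthenticationProtocol") == "deviceCode"]


def policy_decision(record, allowed_countries=ALLOWED_COUNTRIES):
    """Simplified model of the two conditional access rules from the article: the
    device code flow is blocked unless the device is compliant, and any sign-in from
    an unexpected region is blocked. Returns (decision, reasons)."""
    reasons = []
    device = record.get("DeviceDetail") or {}
    if record.get("AuthenticationProtocol") == "deviceCode" and not device.get("isCompliant", False):
        reasons.append("device code flow from a non-compliant device")
    country = (record.get("Location") or {}).get("countryOrRegion")
    if country not in allowed_countries:
        reasons.append(f"sign-in from unexpected region {country}")
    return ("block" if reasons else "allow"), reasons


def triage(ndjson):
    """Report every device-code sign-in (what the KQL query surfaces) plus any other
    sign-in the policy would have blocked, so an analyst reviews both together."""
    findings = []
    for r in parse_logs(ndjson):
        decision, reasons = policy_decision(r)
        if r.get("AuthenticationProtocol") == "deviceCode" or decision == "block":
            findings.append({
                "user": r["UserPrincipalName"], "time": r["TimeGenerated"],
                "protocol": r.get("AuthenticationProtocol"), "app": r.get("AppDisplayName"),
                "ip": r.get("IPAddress"), "decision": decision, "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNIN_LOGS):
        print(f"{f['time']} {f['user']:<18} {f['protocol']:<11} {f['decision']:<5} {'; '.join(f['reasons'])}")
```

On the sample data the query alone surfaces three device-code sign-ins (alice, bob, carol); the policy model would have blocked two of them (non-compliant devices, one also from an unexpected region) while letting bob’s compliant-device use of the Azure CLI through, which is the “allow only what you actually need” outcome the recommendations above describe. Running the real KQL over 90 days and reviewing the resulting users and apps is how you decide what belongs in the compliant-device exception before switching the block on.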
Train Your Employees: Organizations should also incorporate device code phishing scenarios into red team exercises and simulated phishing campaigns to measure employee susceptibility and improve overall resilience.
The Bottom Line
Device code phishing represents a new evolution in cybercrime that’s much harder to spot than traditional phishing. Volexity’s visibility into targeted attacks indicates this particular method has been far more effective than the combined effort of years of other social-engineering and spear-phishing attacks conducted by the same (or similar) threat actors.
The key to staying safe is understanding that just because a website looks legitimate doesn’t mean the request is legitimate. When in doubt, verify through a different channel before entering any codes. And remember: if you didn’t try to log in to something, you shouldn’t be entering device codes.
Stay vigilant, and when something feels off, trust your instincts and ask for help!
References
- Microsoft Security Blog. “Storm-2372 conducts device code phishing campaign.” February 14, 2025. https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
- Huntress. “Device Code Phishing in Google Cloud and Azure.” https://www.huntress.com/blog/oh-auth-2-0-device-code-phishing-in-google-cloud-and-azure
- Cybersecurity Dive. “Phishing campaign targets Microsoft device-code authentication flows.” February 18, 2025. https://www.cybersecuritydive.com/news/phishing-campaign-targets-microsoft-device-code-authentication-flows/740201/
- Volexity. “Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication.” February 13, 2025. https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
- Push Security. “SaaS Attacks – Device Code Phishing.” https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md
- Black Hills Information Security. “Dynamic Device Code Phishing.” May 23, 2023. https://www.blackhillsinfosec.com/dynamic-device-code-phishing/
- SOCRadar. “Storm-2372: Russian APT Using Device Code Phishing in Advanced Attacks.” April 7, 2025. https://socradar.io/storm-2372-russian-apt-using-device-code-phishing-in-advanced-attacks/
- eSentire. “Device Code Authentication Phishing.” February 18, 2025. https://www.esentire.com/security-advisories/device-code-authentication-phishing
- KnowBe4. “What Is Device Code Phishing?” April 29, 2025. https://blog.knowbe4.com/what-is-device-code-phishing
- Check Point. “Protecting Your Organization from Device Code Phishing Attacks.” https://emailsecurity.checkpoint.com/blog/protecting-your-organization-from-device-code-phishing-attacks
- Jeffrey Appel. “How to protect against Device Code Flow abuse (Storm-2372 attacks) and block the authentication flow.” February 16, 2025. https://jeffreyappel.nl/how-to-protect-against-device-code-flow-abuse-storm-2372-attacks-and-block-the-authentication-flow/
- Bugcrowd. “The rise of device code phishing.” March 11, 2025. https://www.bugcrowd.com/blog/the-rise-of-device-code-phishing/
- Dark Reading. “Beware of Device Code Phishing.” June 4, 2025. https://www.darkreading.com/vulnerabilities-threats/beware-device-code-phishing
- Cloudbrothers. “Protect your users from Device Code Flow abuse.” February 27, 2024. https://cloudbrothers.info/en/protect-users-device-code-flow-abuse/
