Enhancing cybersecurity against industrialised device code phishing

Barracuda research reveals how attackers leverage device code authentication for persistent access, highlighting the need for improved security measures.

Wednesday, 29th April 2026, by Sophie Milburn

Recent findings from Barracuda examine the use of device code authentication in cyber attacks, where the technique is used to gain persistent access to services such as Microsoft 365 and Entra ID. Barracuda reports 7 million device code phishing attempts over a four-week period, with the activity associated with phishing-as-a-service tools such as the EvilTokens kit.

Device code authentication allows users to sign in on one device by entering a short code on another device, often used for devices with limited interfaces such as TVs, printers, or command line interface (CLI) tools. Device code phishing involves attackers encouraging users to enter a valid sign-in code on a legitimate login page, which results in authorising the attacker’s device.

In this method, attackers request a legitimate device code from Microsoft and use it in phishing messages to prompt users to authenticate via a real login page. Once authentication is completed, OAuth access and refresh tokens are issued, which can be used by the attacker.

Compared with traditional phishing approaches, the technique differs in the following ways:

  • Legitimate links: The method uses official authentication URLs rather than fake websites.
  • Multi-factor authentication: Because the victim completes the authorisation, standard MFA and conditional access controls may not prevent token issuance.
  • Persistent access: Refresh tokens can allow continued access even if the user changes their password.
  • Use of familiar workflows: The process relies on users entering short verification codes, which are commonly used in device linking.
  • Session access: The attacker gains access through the authenticated session.

Device code phishing can enable access to cloud-based email and identity systems without password theft or triggering some traditional alerting mechanisms.

Barracuda notes that this technique is being used in phishing-as-a-service models, which can increase the scale of such activity. The report also highlights mitigation measures including email filtering, identity protection controls, monitoring, restricting device authorisation flows, and user awareness around entering verification codes only in trusted contexts.
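To illustrate the monitoring measure, the following added example (not from Barracuda's report or this article) scans sign-in log records for successful device code sign-ins by accounts that are not expected to use that flow. It assumes the logs are exported as JSON lines using Microsoft Graph signIn field names, including the beta `authenticationProtocol` field; the sample records and the allowlist are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph signIn objects
# (assumption: the export carries the beta "authenticationProtocol" field).
SAMPLE_LOG = """
{"createdDateTime":"2026-04-01T09:02:11Z","userPrincipalName":"kiosk01@example.test","appDisplayName":"Microsoft Azure CLI","ipAddress":"192.0.2.10","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-04-01T09:15:40Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-04-01T09:16:02Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.5","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-04-01T09:18:30Z","userPrincipalName":"bob@example.test","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
{"createdDateTime":"2026-04-01T09:20:00Z", truncated
"""

# Hypothetical allowlist: accounts expected to use the device code flow
# (for example shared screens or CLI service users).
EXPECTED_DEVICE_CODE_USERS = {"kiosk01@example.test"}

def parse_records(text):
    """Parse JSON-lines sign-in records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # damaged export line: ignore rather than abort the scan
    return records

def find_unexpected_device_code_signins(records, allowlist):
    """Map user -> [(time, ip, app)] for successful device code sign-ins
    by accounts that are not on the allowlist."""
    findings = defaultdict(list)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # sign-in did not complete successfully
        user = (rec.get("userPrincipalName") or "").lower()
        if user in allowlist:
            continue
        findings[user].append(
            (rec.get("createdDateTime"), rec.get("ipAddress"), rec.get("appDisplayName")))
    return dict(findings)

if __name__ == "__main__":
    hits = find_unexpected_device_code_signins(parse_records(SAMPLE_LOG), EXPECTED_DEVICE_CODE_USERS)
    for user, events in hits.items():
        print(user, events)
```

Each finding is a candidate for review and, where the sign-in was not initiated by the user, for revoking the account's sessions, since the article notes that refresh tokens can outlive a password change.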
